security

Josh Hoyt josh at janrain.com
Fri Oct 27 06:45:10 UTC 2006


On 10/26/06, Martin Atkins <mart at degeneration.co.uk> wrote:
> Indeed, not long after I posted this I was reviewing the spec for other
> reasons and found this:
>
[spec quote about normalization snipped]
>
> Note in particular the end of the first paragraph, which states simply
> that one should prefix http://. HTTPS URLs must be spelled out as
> https://, which is a bit of a shame (we're optimising for the insecure
> case as far as users are concerned) but I can't think of any way to
> securely support the short form of both http: and https: URLs.

Does this help?

12.4.1.  HTTP and HTTPS URL Identifiers

Relying Parties MUST differentiate between URL Identifiers that have
different schemes. When user input is processed into a URL, it is
processed into a HTTP URL. If the same End User controls the same URL,
differing only by scheme, and it is desired that the Identifier be the
HTTPS URL, it is RECOMMENDED that a redirect be issued from the HTTP
URL to the HTTPS URL. Because the HTTP and HTTPS URLs are not
equivalent and the Identifier that is used is the URL after following
redirects, there is no reduction in security when using this scheme.
If an attacker could gain control of the HTTP URL, it would have no
effect on the HTTPS URL, since the HTTP URL is not ever used as an
Identifier.

(http://openid.net/specs/openid-authentication-2_0-10.html#anchor39)

Josh
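As an added illustration (not code from this thread or from any OpenID implementation), the following Python sketches the rule that section 12.4.1 relies on: scheme-less user input is normalized to an http:// URL, the Relying Party follows redirects, and the identifier it uses is the final URL, with http and https forms treated as distinct. The redirect table and the example.org host are constructed for the example; no network access is made.

```python
"""Illustration of OpenID 2.0 section 12.4.1 (constructed example, not from
the mailing-list thread or any OpenID library)."""
from urllib.parse import urlsplit

# Constructed table standing in for HTTP 30x responses, keyed by the exact
# URL fetched.  A hypothetical user who controls both schemes of example.org
# redirects the HTTP form to the HTTPS form, as the spec RECOMMENDS.
REDIRECTS = {
    "http://example.org/": "https://example.org/",
}
MAX_REDIRECTS = 10


def normalize_user_input(text: str) -> str:
    """Normalization discussed in the thread: input without a scheme gets
    http:// prefixed; an https:// identifier must be typed out in full."""
    text = text.strip()
    if text.lower().startswith(("http://", "https://")):
        return text
    return "http://" + text


def resolve_identifier(url: str, redirects=REDIRECTS) -> str:
    """Follow redirects and return the final URL, which is the identifier
    the Relying Party actually uses.  Only the URL being fetched is
    consulted, so a redirect placed on the HTTP URL can never alter the
    result of resolving the HTTPS URL."""
    seen = set()
    for _ in range(MAX_REDIRECTS):
        if url in seen:
            raise ValueError("redirect loop at %s" % url)
        seen.add(url)
        nxt = redirects.get(url)
        if nxt is None:
            return url
        url = nxt
    raise ValueError("too many redirects")


def same_identifier(a: str, b: str) -> bool:
    """RP comparison: scheme and host are compared case-insensitively, but
    the scheme is part of the identity, so http://x/ and https://x/ differ."""
    pa, pb = urlsplit(a), urlsplit(b)
    key = lambda p: (p.scheme.lower(), p.netloc.lower(), p.path, p.query)
    return key(pa) == key(pb)
```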


