HTTP and HTTPS URL issue (was RE: security)
Drummond Reed
drummond.reed at cordance.net
Fri Oct 27 17:16:36 UTC 2006
[Note: This thread is being moved to the security@ list. The general@ list,
where it originated, is being cc'd to notify everyone that discussion will
proceed there. Please do not reply on the general list.]
>> On 10/26/06, Martin Atkins <mart at degeneration.co.uk> wrote:
>>
>>> Indeed, not long after I posted this I was reviewing the spec for other
>>> reasons and found this:
>>>
>> [spec quote about normalization snipped]
>>
>>> Note in particular the end of the first paragraph, which states simply
>>> that one should prefix http://. HTTPS URLs must be spelled out as
>>> https://, which is a bit of a shame (we're optimising for the insecure
>>> case as far as users are concerned) but I can't think of any way to
>>> securely support the short form of both http: and https: URLs.
>>>
>> Josh Hoyt wrote:
>>
>> Does this help?
>>
>> 12.4.1. HTTP and HTTPS URL Identifiers
>>
>> Relying Parties MUST differentiate between URL Identifiers that have
>> different schemes. When user input is processed into a URL, it is
>> processed into a HTTP URL. If the same End User controls the same URL,
>> differing only by scheme, and it is desired that the Identifier be the
>> HTTPS URL, it is RECOMMENDED that a redirect be issued from the HTTP URL
>> to the HTTPS URL. Because the HTTP and HTTPS URLs are not equivalent and
>> the Identifier that is used is the URL after following redirects, there
>> is no reduction in security when using this scheme.
>> If an attacker could gain control of the HTTP URL, it would have no
>> effect on the HTTPS URL, since the HTTP URL is not ever used as an
>> Identifier.
>>
>> (http://openid.net/specs/openid-authentication-2_0-10.html#anchor39)
>>
>> Relying Parties MUST differentiate between URL Identifiers that have
>> different schemes.
>
> Pete Rowley wrote:
>
> This is what allows the attack to be viable. This should be MUST NOT for
> all parties, or in other words "URL identifiers differing in scheme MUST
> be treated as equivalent for the purposes of identification."
>
> What were the reasons behind treating http and https identifiers as
> unique from each other?
I agree with Pete. As elegant as it appears, there's a fatal flaw in this
approach. If an attacker can gain control of an HTTP URL, they can CHANGE
the HTTPS URL to which it points...
...thereby completely stealing the identity.
The security implications of this are so important that I'm moving this
thread over to the security@ list. I propose we discuss it there until we
come to a conclusion, then make sure that's reflected back to the general@
list.
=Drummond
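As an added illustration (not code from the OpenID spec, a library, or any of the posters), the Python below models the 12.4.1 flow quoted above, normalizing user input to an HTTP URL and following redirects, and adds the check Pete's proposal implies: identifiers that differ only in scheme count as one identity, and a redirect that moves discovery to a different identity is flagged instead of silently accepted. The host names, the redirect table, and the lower-casing/trailing-slash simplification are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the web: maps a URL to the redirect it issues.
# None (or a missing key) means the URL serves a page itself, so discovery
# stops there and that URL is the Identifier.
REDIRECTS = {
    "http://alice.example/": "https://alice.example/",  # honest http->https upgrade
    "https://alice.example/": None,
}


def normalize(user_input: str) -> str:
    """12.4.1 rule: user input without a scheme becomes an HTTP URL.
    Lower-casing and the trailing slash are simplifications, not the spec text."""
    if "://" not in user_input:
        user_input = "http://" + user_input
    p = urlsplit(user_input)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def identity_key(url: str) -> tuple:
    """Pete Rowley's proposal: URLs differing only in scheme are the same identity."""
    p = urlsplit(url)
    return (p.netloc.lower(), p.path or "/", p.query)


def discover(user_input: str, redirects: dict, max_hops: int = 5) -> tuple:
    """Follow redirects as 12.4.1 describes and return (final_url, accepted).

    accepted is False when a hop changes anything other than the scheme, i.e.
    when whoever controls the HTTP URL steered discovery to a different identity,
    which is exactly the case Drummond describes. The RP should reject that."""
    url = normalize(user_input)
    key = identity_key(url)
    for _ in range(max_hops):
        nxt = redirects.get(url)
        if nxt is None:
            return url, True  # no redirect: this URL is the Identifier
        if identity_key(nxt) != key:
            return nxt, False  # redirect left the user's own identity
        url = nxt
    raise ValueError("too many redirects")


if __name__ == "__main__":
    print(discover("alice.example", REDIRECTS))
```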