[OpenID] Using HTTPS Openid Providers
Terry Hayes
Terry.Hayes at corp.aol.com
Thu Jun 14 17:38:37 UTC 2007
On Jun 14, 2007, at 09:24 , Immad Akhund wrote:
> Thanks for the quick advice.
>
> Given that Diffie-Hellman is conducted with the OpenID provider, is
> there actually any additional security benefit with using https to
> communicate with the OpenID provider? Does it make it significantly
> harder to do man in the middle attacks (if that's its purpose)?
Yes, it makes it harder. One major benefit of SSL is to prevent man
in the middle due to modification of the data, or incorrect
identification (through DNS in this case) of the endpoints. The
Diffie-Hellman mechanism does not prevent either. It does limit the
points in the transaction where MITM attacks can be applied. SSL
also provides confidentiality, which isn't provided in the HTTP
implementation.
>
> I hadn't considered that the identity could be under https but the
> server not and vice-versa. Where would you see the biggest
> security benefit to using https?
>
Both have benefits. Protecting the discovery phase prevents
impersonating an OpenID by pointing to an alternate provider.
Protecting the transaction itself has obvious benefits.
Terry
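
An added illustration of the point made in this message (not part of the original post or of any OpenID library): a simulation of a DH-SHA1 association over an honest path and over a path where an intermediary substitutes its own Diffie-Hellman values. The relying party recovers the provider's MAC key in both runs, so nothing in the exchange itself reveals the substitution; only authenticating the endpoint, as SSL does, can. The toy modulus, generator and all function names are assumptions made for this example.

```python
import hashlib
import secrets

# Toy parameters assumed for this example (2**127 - 1 is prime). They are
# not the OpenID default modulus and are far too small for real use.
P = 2**127 - 1
G = 3

def btwoc(n):
    """Big-endian two's complement bytes of a non-negative integer."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def pad(their_pub, my_priv):
    """SHA1(btwoc(g^xy mod p)): the value DH-SHA1 XORs with the MAC key."""
    return hashlib.sha1(btwoc(pow(their_pub, my_priv, P))).digest()

def make_provider(mac_key):
    """OP side: maps dh_consumer_public to (dh_server_public, enc_mac_key)."""
    def respond(consumer_pub):
        priv, pub = keypair()
        return pub, xor(pad(consumer_pub, priv), mac_key)
    return respond

def honest_path(rp_pub, provider):
    return (*provider(rp_pub), None)

def substituting_path(rp_pub, provider):
    """Intermediary on an unauthenticated path swaps in its own DH values."""
    m_priv, m_pub = keypair()
    op_pub, enc = provider(m_pub)                 # OP keys to the intermediary
    learned = xor(pad(op_pub, m_priv), enc)       # intermediary reads the key
    return m_pub, xor(pad(rp_pub, m_priv), learned), learned

def associate(path):
    """Run one association; return (OP key, key the RP recovered, key seen on path)."""
    op_mac_key = secrets.token_bytes(20)          # constructed HMAC-SHA1 key
    rp_priv, rp_pub = keypair()
    server_pub, enc, seen = path(rp_pub, make_provider(op_mac_key))
    return op_mac_key, xor(pad(server_pub, rp_priv), enc), seen
```
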