[OpenID] Using HTTPS Openid Providers
Chris Drake
christopher at pobox.com
Thu Jun 14 17:51:34 UTC 2007
Hi Pat,
Since the subject's in the open, and I'm busy enjoying the scrutiny of
verification for my EV SSL Cert - it's worth mentioning that the
rigorousness of the "Extended Verification" together with the IE7 native
support for EV extensions puts a serious dent into MitM problems.
If someone can pervert DNS, they can go get a free 3-month IPSCA (or
paid geotrust) SSL cert, and silently impersonate the victim web site,
including the SSL chain.
While they might be able to buy a $1600 EV SSL Cert, they'd have to
pervert DNS, somehow get authority over domain ownership, and accept a
visit from a registered lawyer at their street address (and convince
him they're whatever company they're trying to pervert), have a year
or more of trading history, a working landline, verifiable evidence of
company registration (to their street address, using their landline),
and convince the EV examiner that they're 100% legitimate before
they'd *get* their signed $1600 cert. Quite a huge difference...
Kind Regards,
Chris Drake
Friday, June 15, 2007, 3:39:53 AM, you wrote:
PP> Hi Immad,
PP> I would say yes, https does make it significantly harder to
PP> do man in the middle. In the absence of SSL, OpenID with DH is
PP> vulnerable to DNS attacks. HTTPS assuming, as Peter mentioned,
PP> decent ciphersuites and careful cert management, and full https
PP> compliance, makes it significantly more difficult for an attacker
PP> to impersonate an OP.
PP> Cheers,
PP> Pat
PP> Immad Akhund wrote:
PP> thanks for the quick advice.
PP> Given that diffie hellman is conducted with the openid
PP> provider is there actually any additional security benefit with
PP> using https to communicate with the openid provider? Does it make
PP> it significantly harder to do man in the middle attacks (if that's
PP> its purpose)?
PP> I hadn't considered that the identity could be under https
PP> but the server not and vice-versa. Where would you see as the
PP> biggest security benefit to use https?
PP> Sxipper also uses SSL, both for the OP-endpointand for identifiers.
PP> For the OP-endpoint we've also defined a lower priority HTTP service
PP> endpoint.
PP> Do consumers actually go to the lower priority http service
PP> endpoint automatically if they fail in using the https service? Is
PP> this specified in the protocol?
PP> Thanks again,
PP> Immad
PP> On 13/06/07, Johnny Bufu <johnny at sxip.com> wrote:
PP> On 13-Jun-07, at 2:03 PM, Josh Hoyt wrote:
>>> Are there examples of https openid provider out there? (this might
>>> be a
>>> silly question)
>>
>> MyOpenID.com supports SSL, but works both ways. For example, both
>> https://josh.myopenid.com/ and http://josh.myopenid.com/ work.
PP> Sxipper also uses SSL, both for the OP-endpoint and for identifiers.
PP> For the OP-endpoint we've also defined a lower priority HTTP service
PP> endpoint.
PP> Identifiers are HTTPS-only though; providing both HTTP and HTTPS
PP> identifiers to a user may confuse them, because they will end up
PP> using different identities if they log into an RP by presenting
PP> "user.op.com" vs "https://user.op.com".
PP> Johnny
PP> _______________________________________________
PP> general mailing list
PP> general at openid.net
PP> http://openid.net/mailman/listinfo/general
PP> --
PP> Cell: +1 617 449 8654
PP> Skype: i.akhund
PP> Blog: http://immadsnewworld.blogspot.com
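Johnny's point above, that a user who types "user.op.com" at one RP and "https://user.op.com" at another ends up with two different identities, follows from the identifier normalization rules in OpenID 2.0 (section 7.2). The following is an added example, not code from this thread or from any of the OPs mentioned; it implements that normalization in Python, and the function names are assumptions of this example rather than names from the spec or any library.

```python
from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols: an identifier starting with one of these
# is an XRI, not a URL, and is not touched by URL normalization.
XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!("


def normalize_identifier(user_input: str) -> tuple[str, str]:
    """Normalize a user-supplied OpenID identifier (OpenID 2.0, section 7.2).

    Returns ("xri", identifier) or ("url", normalized_url).
    Dot-segment removal from the path (RFC 3986, 6.2.2.2) is omitted here.
    """
    s = user_input.strip()
    # Strip an explicit "xri://" prefix, then decide whether it is an XRI.
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        return ("xri", s)
    # No scheme given: the spec prepends "http://", so a bare
    # "user.op.com" becomes an *http* identifier, never an https one.
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port                      # None when no port was given
    default_port = {"http": 80, "https": 443}[scheme]
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path or "/"               # empty path becomes "/"
    # Fragments are always dropped; query strings are kept.
    return ("url", urlunsplit((scheme, netloc, path, parts.query, "")))


def same_identity(a: str, b: str) -> bool:
    """True if two user inputs normalize to the same claimed identifier."""
    return normalize_identifier(a) == normalize_identifier(b)


if __name__ == "__main__":
    # Constructed inputs illustrating the http/https split from the thread.
    for ident in ("user.op.com", "https://user.op.com",
                  "HTTPS://User.OP.com:443/#frag", "=example"):
        print(ident, "->", normalize_identifier(ident))
    print(same_identity("user.op.com", "https://user.op.com"))  # False
```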