[OpenID] Using HTTPS Openid Providers

Peter Williams pwilliams at rapattoni.com
Thu Jun 14 19:59:04 UTC 2007


"Fraud monitoring is on

Phishing Protection has scanned this Web page and determined that it
does not use an encrypted transmission protocol, does not contain a
password form field, and there is no indication of fraud."

This comes from my Symantec ToolBar, and it is even visualized as a
giant green bar, just under the (https) Address field.

Is it valid? I've no idea what techniques they use, to justify the
representation that "there is no indication of fraud." This may involve
cert management (key distribution) technique and DNS authority spoofing
countermeasures, for all I know.

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Chris Drake
Sent: Thursday, June 14, 2007 10:52 AM
To: Pat Patterson
Cc: openid-general
Subject: Re: [OpenID] Using HTTPS Openid Providers

Hi Pat,

Since the subject's in the open, and I'm busy enjoying the scrutiny of
verification for my EV SSL Cert - it's worth mentioning that the
rigor of the "Extended Verification" together with the IE7 native
support for EV extensions puts a serious dent into MitM problems.

If someone can pervert DNS, they can go get a free 3-month IPSCA (or
paid geotrust) SSL cert, and silently impersonate the victim web site,
including the SSL chain.

While they might be able to buy a $1600 EV SSL Cert, they'd have to
pervert DNS, somehow get authority over domain ownership, and accept a
visit from a registered lawyer at their street address (and convince
him they're whatever company they're trying to pervert), have a year
or more of trading history, a working landline, verifiable evidence of
company registration (to their street address, using their landline),
and convince the EV examiner that they're 100% legitimate before
they'd *get* their signed $1600 cert.  Quite a huge difference...

Kind Regards,

Chris Drake

Friday, June 15, 2007, 3:39:53 AM, you wrote:

PP> Hi Immad,

PP> I would say yes, https does make it significantly harder to
PP> do man in the middle. In the absence of SSL, OpenID with DH is
PP> vulnerable to DNS attacks. HTTPS assuming, as Peter mentioned,
PP> decent ciphersuites and careful cert management, and full https
PP> compliance, makes it significantly more difficult for an attacker
PP> to impersonate an OP.

PP> Cheers,

PP> Pat

PP> Immad Akhund wrote:
PP> thanks for the quick advice.

PP> Given that diffie hellman is conducted with the openid
PP> provider is there actually any additional security benefit with
PP> using https to communicate with the openid provider? Does it make
PP> it significantly harder to do man in the middle attacks (if that's
PP> its purpose)?

PP> I hadn't considered that the identity could be under https
PP> but the server not and vice-versa. Where would you see as the
PP> biggest security benefit to use https?

PP> Sxipper also uses SSL, both for the OP-endpoint and for identifiers.
PP> For the OP-endpoint we've also defined a lower priority HTTP service
PP> endpoint.

PP> Do consumers actually go to the lower priority http service
PP> endpoint automatically if they fail in using the https service? Is
PP> this specified in the protocol?

PP> Thanks again,
PP>   Immad

PP> On 13/06/07, Johnny Bufu <johnny at sxip.com> wrote:

PP> On 13-Jun-07, at 2:03 PM, Josh Hoyt wrote:

>>> Are there examples of https openid provider out there? (this might
>>> be a silly question)
>>
>> MyOpenID.com supports SSL, but works both ways. For example, both
>> https://josh.myopenid.com/ and http://josh.myopenid.com/ work.

PP> Sxipper also uses SSL, both for the OP-endpoint and for identifiers.
PP> For the OP-endpoint we've also defined a lower priority HTTP service
PP> endpoint.

PP> Identifiers are HTTPS-only though; providing both HTTP and HTTPS
PP> identifiers to a user may confuse them, because they will end up
PP> using different identities if they log into an RP by presenting
PP> "user.op.com" vs "https://user.op.com".

PP> Johnny

PP> _______________________________________________
PP> general mailing list
PP>   general at openid.net
PP>   http://openid.net/mailman/listinfo/general

PP> --
PP> Cell: +1 617 449 8654
PP> Skype: i.akhund
PP> Blog: http://immadsnewworld.blogspot.com


_______________________________________________

general mailing list

general at openid.net

http://openid.net/mailman/listinfo/general
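Two points in the thread above can be made concrete: Johnny's note that "user.op.com" and "https://user.op.com" end up as different identities, and Immad's question of whether a consumer (RP) silently falls back to the lower-priority http endpoint when the https one fails. The following is an added example, not code from the OpenID project or from anyone on this thread. It normalizes a user-supplied URL identifier the way OpenID Authentication 2.0 section 7.2 describes (XRI identifiers are left out), and selects an OP endpoint from a priority-ordered XRDS service list while refusing to downgrade to http. The function names, the hostnames and the service list are constructed for this example; the refuse-http rule is a local RP policy, not something the protocol imposes on a consumer.

```python
"""Added example (not from the OpenID project or this list thread):
OpenID URL-identifier normalization and an RP-side endpoint policy."""
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """Normalize a URL identifier as OpenID Authentication 2.0 sec. 7.2
    describes: trim whitespace, prefix "http://" when no scheme is given,
    lowercase scheme and host, default the path to "/", drop the fragment.
    XRI identifiers ("=name", "xri://...") are out of scope here."""
    s = user_input.strip()
    if "://" not in s:
        # No scheme typed by the user -> the spec assumes plain http.
        # This is exactly why "user.op.com" is a different identity
        # from "https://user.op.com": the scheme is part of the identifier.
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def select_op_endpoint(services, require_https: bool = True):
    """Pick the OP endpoint an RP should use.

    `services` is a list of (priority, uri) pairs as an XRDS document would
    yield; a lower priority number is preferred. With require_https=True the
    RP skips any non-https endpoint instead of falling back to it, and returns
    None when no acceptable endpoint exists (the RP then refuses to proceed
    rather than silently downgrade). This is a local RP policy choice."""
    ranked = sorted(services, key=lambda svc: svc[0])
    for _priority, uri in ranked:
        if require_https and urlsplit(uri).scheme.lower() != "https":
            continue
        return uri
    return None


# Constructed sample: an OP that, like the one described in the thread,
# publishes an https endpoint and a lower-priority http endpoint.
SAMPLE_SERVICES = [
    (10, "https://op.example.test/server"),  # preferred
    (20, "http://op.example.test/server"),   # lower priority, unencrypted
]

# Constructed sample: an OP that only publishes an http endpoint.
HTTP_ONLY_SERVICES = [
    (10, "http://op.example.test/server"),
]


if __name__ == "__main__":
    for raw in ("user.op.com", "https://user.op.com", "HTTPS://User.OP.com/#x"):
        print(f"{raw!r:32} -> {normalize_identifier(raw)}")
    print("strict :", select_op_endpoint(SAMPLE_SERVICES))
    print("http-only, strict :", select_op_endpoint(HTTP_ONLY_SERVICES))
    print("http-only, lenient:", select_op_endpoint(HTTP_ONLY_SERVICES,
                                                   require_https=False))
```

Run stand-alone, the script shows the two identifier forms normalizing to `http://user.op.com/` and `https://user.op.com/` respectively, and shows that with the strict policy the RP never reaches the http endpoint: it takes the https one when it is offered and returns `None` when only http is available.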
