[OpenID] Using HTTPS Openid Providers

Chris Drake christopher at pobox.com
Thu Jun 14 20:22:45 UTC 2007


Hi Peter,

PW> Is it valid? I've no idea what techniques they use, to justify

Sounds to me like it involves checking if the page is HTTPS, and
looking for an "input type=password" box - pretty much like it
actually says.  Since they've been so anal in saying all that, it's
pretty much a certainty they don't do anything else - otherwise it
*would* have said "yada yada, checked the DNS, yada yada, checked the
certificate, yada yada, checked phishing-site blacklists, yada
yada ..."

Kind Regards,
Chris Drake


Friday, June 15, 2007, 5:59:04 AM, you wrote:

PW> "Fraud monitoring is on
PW>
PW> Phishing Protection has scanned this Web page and determined
PW> that it does not use an encrypted transmission protocol, does not
PW> contain a password form field, and there is no indication of
PW> fraud."
PW>
PW> This comes from my Symantec ToolBar, and it is even visualized
PW> as a giant green bar, just under the (https) Address field
PW>
PW> Is it valid? I've no idea what techniques they use, to justify
PW> the representation that "there is no indication of fraud." This may
PW> involve cert management (key distribution) technique and DNS
PW> authority spoofing countermeasures, for all I know.

PW> -----Original Message-----
PW> From: general-bounces at openid.net
PW> [mailto:general-bounces at openid.net] On Behalf Of Chris Drake
PW> Sent: Thursday, June 14, 2007 10:52 AM
PW> To: Pat Patterson
PW> Cc: openid-general
PW> Subject: Re: [OpenID] Using HTTPS Openid Providers
PW>
PW> Hi Pat,
PW>
PW> Since the subject's in the open, and I'm busy enjoying the scrutiny of
PW> verification for my EV SSL Cert - it's worth mentioning that the
PW> rigorousness of the "Extended Verification" together with the IE7 native
PW> support for EV extensions puts a serious dent into MitM problems.
PW>
PW> If someone can pervert DNS, they can go get a free 3-month IPSCA (or
PW> paid geotrust) SSL cert, and silently impersonate the victim web site,
PW> including the SSL chain.
PW>
PW> While they might be able to buy a $1600 EV SSL Cert, they'd have to
PW> pervert DNS, somehow get authority over domain ownership, and accept a
PW> visit from a registered lawyer at their street address (and convince
PW> him they're whatever company they're trying to pervert), have a year
PW> or more of trading history, a working landline, verifiable evidence of
PW> company registration (to their street address, using their landline),
PW> and convince the EV examiner that they're 100% legitimate before
PW> they'd *get* their signed $1600 cert.  Quite a huge difference...
PW>
PW> Kind Regards,
PW> Chris Drake
PW>
PW> Friday, June 15, 2007, 3:39:53 AM, you wrote:
PW>

PP>> Hi Immad,
PP>>
PP>> I would say yes, https does make it significantly harder to
PP>> do man in the middle. In the absence of SSL, OpenID with DH is
PP>> vulnerable to DNS attacks. HTTPS assuming, as Peter mentioned,
PP>> decent ciphersuites and careful cert management, and full https
PP>> compliance, makes it significantly more difficult for an attacker
PP>> to impersonate an OP.
PP>>
PP>> Cheers,
PP>>
PP>> Pat
PP>>
PP>> Immad Akhund wrote:
PP>> thanks for the quick advice.
PP>>
PP>> Given that diffie hellman is conducted with the openid
PP>> provider is there actually any additional security benefit with
PP>> using https to communicate with the openid provider? Does it make
PP>> it significantly harder to do man in the middle attacks (if that's
PP>> its purpose)?
PP>>
PP>> I hadn't considered that the identity could be under https
PP>> but the server not and vice-versa. Where would you see as the
PP>> biggest security benefit to use https?
PP>>
PP>> Sxipper also uses SSL, both for the OP-endpoint and for identifiers.
PP>> For the OP-endpoint we've also defined a lower priority HTTP service
PP>> endpoint.
PP>>
PP>> Do consumers actually go to the lower priority http service
PP>> endpoint automatically if they fail in using the https service? Is
PP>> this specified in the protocol?
PP>>
PP>> Thanks again,
PP>>   Immad
PP>>
PP>> On 13/06/07, Johnny Bufu <johnny at sxip.com> wrote:
PP>>
PP>> On 13-Jun-07, at 2:03 PM, Josh Hoyt wrote:
PP>>
>>>> Are there examples of https openid provider out there? (this might
>>>> be a
>>>> silly question)
>>>
>>> MyOpenID.com supports SSL, but works both ways. For example, both
>>> https://josh.myopenid.com/ and http://josh.myopenid.com/ work.
PP>>
PP>> Sxipper also uses SSL, both for the OP-endpoint and for identifiers.
PP>> For the OP-endpoint we've also defined a lower priority HTTP service
PP>> endpoint.
PP>>
PP>> Identifiers are HTTPS-only though; providing both HTTP and HTTPS
PP>> identifiers to a user may confuse them, because they will end up
PP>> using different identities if they log into an RP by presenting
PP>> "user.op.com" vs "https://user.op.com".
PP>>
PP>> Johnny
PP>>
PP>> _______________________________________________
PP>> general mailing list
PP>>   general at openid.net
PP>>   http://openid.net/mailman/listinfo/general
PP>>
PP>> --
PP>> Cell: +1 617 449 8654
PP>> Skype: i.akhund
PP>> Blog: http://immadsnewworld.blogspot.com

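Chris's reading of the toolbar message at the top of the thread is that the product checks two things: whether the page was fetched over HTTPS, and whether it contains an `input type="password"` field. The following is an added illustration (my code, not the toolbar vendor's and not from anyone on the list) that implements exactly those two checks with a real HTML parser and reports, alongside the verdict, the checks Chris notes the message does not claim (certificate, DNS, phishing blacklist). The page names and HTML snippets in the demo are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _PasswordInputFinder(HTMLParser):
    """Sets .found when an <input type="password"> start tag is seen.

    HTMLParser already lowercases tag and attribute names; the type value
    is normalised here so TYPE="Password" is treated the same way.
    """

    def __init__(self) -> None:
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("type", "").strip().lower() == "password":
            self.found = True


def has_password_field(page_html: str) -> bool:
    """True if the document contains at least one password input."""
    finder = _PasswordInputFinder()
    finder.feed(page_html)
    finder.close()
    return finder.found


def uses_https(url: str) -> bool:
    """The 'encrypted transmission protocol' check: scheme only."""
    return urlsplit(url).scheme.lower() == "https"


# Checks that the toolbar text does not mention and that Chris argues it
# therefore does not perform. Listed so the verdict's scope is explicit.
NOT_COVERED = (
    "certificate chain validation and hostname match",
    "DNS answer integrity",
    "phishing blacklist lookup",
)


def assess_page(url: str, page_html: str) -> dict:
    """Reproduce the two-signal heuristic and label what it leaves out."""
    encrypted = uses_https(url)
    password_form = has_password_field(page_html)
    if password_form and not encrypted:
        verdict = "password form sent without encryption"
    elif password_form:
        verdict = "password form sent over HTTPS"
    else:
        verdict = "no password form"
    return {
        "encrypted": encrypted,
        "password_form": password_form,
        "verdict": verdict,
        "not_covered": NOT_COVERED,
    }


if __name__ == "__main__":
    # Constructed sample pages; hostnames are placeholders.
    login = '<form method="post"><input name="u"><input TYPE="Password" name="p"></form>'
    print(assess_page("https://op.example/login", login))
    print(assess_page("http://op.example/login", login))
    print(assess_page("https://op.example/", "<p>Welcome back</p>"))
```

The third call shows the point Chris makes: a page with no password field gets the calm "no password form" result whether or not the certificate or the DNS answer was genuine, because neither is an input to the heuristic.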
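Johnny's remark that a user presenting "user.op.com" and one presenting "https://user.op.com" end up with different identities follows from the identifier normalization step an RP performs before discovery. As an added example (my code, not Sxipper's or any OpenID library's), the function below applies the normalization rules as I read them from OpenID Authentication 2.0 section 7.2: strip an `xri://` prefix, treat a leading global context symbol as an XRI, otherwise prefix a bare string with `http://`, drop any fragment, then apply the usual URL normalization (lowercase scheme and host, drop a default port, empty path becomes "/"). Dropping userinfo from the authority is my own simplification. The identifiers in the demo are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Leading characters that mark the input as an XRI rather than a URL.
XRI_GCS_CHARS = "=@+$!("
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input: str) -> str:
    """Return the normalized form an RP would use as the claimed identifier."""
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_GCS_CHARS:
        # XRI: returned as-is; XRI resolution is not modelled here.
        return s
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s          # bare input is treated as an http URL
    s = s.split("#", 1)[0]        # fragment is stripped before discovery
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()   # userinfo dropped (simplification)
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def same_identity(a: str, b: str) -> bool:
    """True only if both inputs normalize to the same claimed identifier."""
    return normalize_identifier(a) == normalize_identifier(b)


if __name__ == "__main__":
    # The pair from Johnny's message: one identity or two?
    for ident in ("user.op.com", "https://user.op.com", "HTTP://User.OP.com:80/#top"):
        print(f"{ident!r:35} -> {normalize_identifier(ident)!r}")
    print(same_identity("user.op.com", "https://user.op.com"))   # False
    print(same_identity("user.op.com", "HTTP://User.OP.com:80/"))  # True
```

The bare string normalizes to `http://user.op.com/`, which is a different identifier from `https://user.op.com/`, so an OP that serves both schemes hands the user two identities that RPs keep separate; case and default-port variations, by contrast, collapse to one.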
