[OpenID] Using HTTPS Openid Providers
Stuart Bishop
stuart at stuartbishop.net
Fri Jun 15 05:36:11 UTC 2007
Chris Drake wrote:
> If someone can pervert DNS, they can go get a free 3-month IPSCA (or
> paid geotrust) SSL cert, and silently impersonate the victim web site,
> including the SSL chain.
This would involve perverting both the SSL certificate provider's DNS as well
as the victim's though, or taking over the domain hosting the identity URL.
This is still quite a bit harder than just poisoning the victim's local DNS
server which I think is all that is required to MiM a victim using a non-SSL
identity URL.

I know we will be explicitly rejecting non-SSL identity URLs on our OP. I
think you have to try hard to get a HTTP library that *doesn't* support SSL
out of the box now, and if it doesn't it is likely just because the local
admin forgot to install the 'foo-ssl' module or similar.

Given we want only a single identity URL for users to enter to avoid
confusion, and that identity URL will be SSL, it would be an extremely broken
client that attempted to retrieve an https: URL via plain HTTP, wouldn't it?
--
Stuart Bishop <stuart at stuartbishop.net>
http://www.stuartbishop.net/
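
A sketch of the "reject non-SSL identity URLs" policy discussed in this message, added here as an example and not code from the original post or from any OpenID library. It goes one step beyond the message by also refusing a redirect that drops from https to http during discovery; the function names and the `id.example` URLs are hypothetical, and the redirect list is constructed input standing in for the `Location` headers a fetch would return.

```python
from urllib.parse import urlsplit, urljoin


class InsecureIdentityURL(ValueError):
    """Raised when an identity URL, or a hop in its redirect chain, is not https."""


def require_https(url):
    """Return url unchanged if it is an absolute https URL with a host."""
    parts = urlsplit(url)
    # A missing scheme is rejected too: this policy never falls back to
    # http:// for a bare "host/path" identifier (assumed policy choice).
    if parts.scheme != "https":
        raise InsecureIdentityURL("not an https identity URL: %r" % url)
    if not parts.hostname:
        raise InsecureIdentityURL("no host in identity URL: %r" % url)
    return url


def check_discovery_chain(identity_url, redirect_locations):
    """Validate the entered URL and every redirect target in order.

    redirect_locations holds the Location header values as received,
    which may be relative. Returns the list of absolute URLs visited,
    or raises InsecureIdentityURL at the first hop that is not https.
    """
    current = require_https(identity_url.strip())
    chain = [current]
    for location in redirect_locations:
        # Resolve relative redirects against the URL that issued them,
        # then apply the same https-only rule to the result.
        current = require_https(urljoin(current, location))
        chain.append(current)
    return chain


if __name__ == "__main__":
    # Constructed sample input: one relative hop, then a downgrade attempt.
    print(check_discovery_chain("https://id.example/alice", ["/users/alice"]))
    try:
        check_discovery_chain("https://id.example/alice",
                              ["http://id.example/users/alice"])
    except InsecureIdentityURL as exc:
        print("rejected:", exc)
```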