[OpenID] Using HTTPS Openid Providers
Martin Atkins
mart at degeneration.co.uk
Fri Jun 15 17:34:49 UTC 2007
Immad Akhund wrote:
>
> Do consumers actually go to the lower priority http service endpoint
> automatically if they fail in using the https service? Is this specified
> in the protocol?
>
I think the current "best practice" for deploying HTTPS identifiers is
to deploy in parallel HTTP-based URLs which redirect to the HTTPS
identifiers. Users can then enter their identifier without the scheme
and it'll "just work".
Due to the way the OpenID protocol is specified, this does not open a
security hole because:
* http://example.com/ and https://example.com/ are considered to be two
distinct URLs by the protocol
* In the uncompromised case, the user ultimately ends up authenticating
as https://example.com/.
* All an attacker can do by compromising http://example.com/ is
authenticate as http://example.com/. Our legitimate user has never
logged in as http://example.com/ anywhere, so the attacker does not get
access to the user's accounts. https://example.com/ is still secure.
The Authentication 2.0 specification currently makes no comment at all
on whether SSL should/must/can be supported by any party, because it is
as far as possible trying to remain scheme- and transport-neutral.
However, for interoperability we can assume that basically RPs MUST
support SSL in their HTTP clients. They might not actually verify certs
and so forth, but they MUST at minimum be able to establish an SSL
connection and send data across it.