[OpenID] Reconsidering http://openid different from https://openid
Johannes Ernst
jernst+openid.net at netmesh.us
Wed Sep 19 19:40:25 UTC 2007
I postulate that:
- 99% of internet users have only a very vague idea about the
difference between http and https, in particular as it relates to
OpenID. And in particular as so many RPs don't print the "http[s]"
prefix when they print a user name!
- almost 100% of internet users won't understand that an RP might
choose to make http://foo and https://foo a different account. (I
have some evidence that at least 90% of a representative sample of
leading identity technologists don't understand it)
I would also guess that a (human-level) impersonation attack by
http://foo against https://foo will almost always be successful -
e.g. because so many RPs don't print the protocol prefix.
Would anybody on this thread disagree with these assumptions?
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst
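The display problem the post describes, as an added example that is not part of the original message: an RP-side helper (hypothetical, not code from any OpenID library) that always renders a claimed identifier with its scheme and flags a new identifier that differs from an existing account only in http vs https. The scheme-less case follows OpenID's normalization rule of assuming http://.

```python
from urllib.parse import urlsplit


def _parts(identifier: str):
    """Split a claimed identifier into (scheme, host, path, query).

    As in OpenID normalization, an identifier without a scheme is
    treated as http://. That is exactly why http://foo and https://foo
    end up looking identical once an RP drops the prefix.
    """
    identifier = identifier.strip()
    if "://" not in identifier:
        identifier = "http://" + identifier
    u = urlsplit(identifier)
    return u.scheme.lower(), u.netloc.lower(), u.path or "/", u.query


def display_identifier(identifier: str) -> str:
    """Render the identifier for the RP's UI with the scheme kept,
    so that http://foo and https://foo stay visually distinct."""
    scheme, host, path, query = _parts(identifier)
    shown = f"{scheme}://{host}"
    if path != "/":
        shown += path
    if query:
        shown += "?" + query
    return shown


def scheme_only_collision(a: str, b: str) -> bool:
    """True when a and b share host, path and query and differ only in scheme."""
    scheme_a, *rest_a = _parts(a)
    scheme_b, *rest_b = _parts(b)
    return scheme_a != scheme_b and rest_a == rest_b


def find_collisions(existing, new_id):
    """Existing identifiers a new one would be confused with if the scheme were hidden.

    An RP can use this at account creation to warn or require
    extra confirmation instead of silently creating a look-alike account.
    """
    return [e for e in existing if scheme_only_collision(e, new_id)]


if __name__ == "__main__":
    # Constructed sample: an existing https account and a new http sign-in.
    accounts = ["https://foo.example/", "http://bar.example"]
    print(display_identifier("foo.example"))          # http://foo.example
    print(find_collisions(accounts, "foo.example"))   # ['https://foo.example/']
```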