[OpenID] Reconsidering http://openid different from https://openid
Jack
jack at jackpot.uk.net
Wed Sep 19 20:30:51 UTC 2007
Johannes Ernst wrote:
> I postulate that:
>
> - 99% of internet users have only a very vague idea about the
> difference between http and https,
That is optimistic. Most (more than 50%) haven't the faintest idea what
"https" signifies. They don't even know that it has connotations of
"security".
> in particular as it relates to OpenID.
Even well-informed internet users haven't heard of OpenID, unless they
read or write blogs for interest (rather than reading them because they
came up in the search).
> And in particular as so many RP's don't print the "http[s]" prefix
> when they print a user name!
This is way down the list. Unfortunately it is not user-friendly to
distinguish between http and https, especially if you are advertising a
class of identities that resemble "userid.hostname.tld" or
"hostname.tld/userid". Are the users expected to type fully-qualified
URLs to obtain the benefits of this scheme, or are they not required to
know how to do that? A lack of clarity about that rather critical issue
is unlikely to be helpful.
>
> - almost 100% of internet users won't understand that an RP might
> choose to make http://foo and https://foo a different account. (I
> have some evidence that at least 90% of a representative sample of
> leading identity technologists don't understand it)
>
> I would also guess that a (human-level) impersonation attack by
> http://foo against https://foo will almost always be successful -
> e.g. because so many RPs don't print the protocol prefix.
>
> Would anybody on this thread disagree with these assumptions?
Not in any way that matters. My remarks are intended to be supportive,
if that's not clear.
--
Jack Cleaver.
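An added worked example, not part of the original thread, illustrating the mechanics the two posters are arguing about: how an OpenID 2.0 relying party normalizes a user-supplied identifier (OpenID Authentication 2.0, section 7.2), why "http://foo" and "https://foo" come out as two distinct identifiers unless the RP deliberately merges them, and how a display that drops the scheme makes the two indistinguishable to a human. The host names and account table are constructed for illustration; the function names are this example's own, not those of any OpenID library.

```python
"""Added example (not from the thread): OpenID 2.0 identifier
normalization and the http/https distinction an RP inherits from it.
All host names below are constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!("


def normalize_identifier(user_input: str) -> str:
    """Normalize a user-supplied identifier per OpenID 2.0, section 7.2.

    - "xri://" is stripped; a string starting with an XRI global context
      symbol is an XRI and is returned as-is.
    - Otherwise, if the string has no http:// or https:// scheme,
      "http://" is prepended (so "userid.hostname.tld" becomes an http URL).
    - The fragment is removed; scheme and host are lowercased and an
      empty path becomes "/" (RFC 3986 section 6 normalization).
    """
    s = user_input.strip()
    if s.startswith("xri://"):
        return s[len("xri://"):]
    if s and s[0] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        return s
    lowered = s.lower()
    if not (lowered.startswith("http://") or lowered.startswith("https://")):
        s = "http://" + s
    parts = urlsplit(s)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def same_identity(a: str, b: str) -> bool:
    """An RP compares claimed identifiers as normalized URLs. The scheme is
    part of the identifier, so http://foo and https://foo never compare
    equal; merging them would be a deliberate policy choice by the RP."""
    return normalize_identifier(a) == normalize_identifier(b)


def display_identifier(claimed_id: str) -> str:
    """Print the full normalized identifier, scheme included, so a reader
    can tell http://foo.example/ from https://foo.example/."""
    return normalize_identifier(claimed_id)


def display_host_only(claimed_id: str) -> str:
    """The scheme-dropping display the thread complains about: both
    identifiers collapse to the same visible string."""
    return urlsplit(normalize_identifier(claimed_id)).netloc


def lookup_account(accounts: dict, claimed_id: str):
    """Constructed RP account table keyed by normalized identifier.
    Two entries can exist for the same host, one per scheme."""
    return accounts.get(normalize_identifier(claimed_id))


if __name__ == "__main__":
    # Constructed account table: the same host registered under both schemes.
    accounts = {
        "http://foo.example/": "account-A (plain http OpenID)",
        "https://foo.example/": "account-B (https OpenID)",
    }
    for typed in ("foo.example", "http://foo.example", "https://foo.example/#x"):
        print(f"typed {typed!r:28} -> id {display_identifier(typed)!r:24} "
              f"host-only {display_host_only(typed)!r:14} -> {lookup_account(accounts, typed)}")
```

Typing a bare "foo.example" resolves to the http account: that is the scheme default the spec applies when the user omits the prefix, and it is why a user who registered with "https://foo.example/" but types only the host name can land in a different account without noticing, especially on an RP that prints only the host.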