[OpenID] Reconsidering http://openid different from https://openid

Dick Hardt dick at sxip.com
Wed Sep 19 22:34:46 UTC 2007


On 19-Sep-07, at 2:49 PM, Johannes Ernst wrote:

> On Sep 19, 2007, at 12:42, Josh Hoyt wrote:
>> On 9/19/07, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
>>> I would also guess that a (human-level) impersonation attack by
>>> http://foo against https://foo will almost always be successful -
>>> e.g. because so many RPs don't print the protocol prefix.
>>
>> How would such an impersonation attack take place? Wouldn't it involve
>> the attacker controlling one or the other of the identifiers?
>
> Yes. Let's say I'm your new specialist, and you are trying to give  
> me access to your on-line medical records (i.e. you edit the ACL),  
> but instead you are giving access to somebody else whose OpenID was  
> just the same minus the 's'.

That seems pretty unlikely. I would hope my identity provider would
reserve both for me, or better yet redirect HTTP to HTTPS.

>
> It appears to me that any solution to this must effectively  
> guarantee that http://foo can never refer to somebody else than  
> https://foo does, which is another way of phrasing the (almost  
> same) requirement.

I think the best approach so far is to recommend a best practice of
the two identifiers not being controlled by different people.

-- Dick
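The ACL-editing scenario above hinges on an RP collapsing http://foo and https://foo into one display string. As an added example (not code from this thread or from any OpenID library), the helper below normalizes URL-form identifiers while keeping the scheme, so a "same minus the 's'" pair is detected and surfaced when an entry is added to an ACL; `normalize_identifier`, `scheme_only_twin` and `add_to_acl` are hypothetical names, and the normalization is an approximation of the OpenID 2.0 rules (bare host gets `http://`, default ports dropped, fragment removed).

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(identifier: str) -> str:
    """Normalize a URL-style OpenID identifier for comparison.

    Lowercases scheme and host, drops a default port and any fragment,
    and supplies a '/' path when none is given. The scheme is KEPT:
    http://foo and https://foo are different identifiers and must never
    be collapsed into one. Constructed helper, not from the thread.
    """
    if "://" not in identifier:
        identifier = "http://" + identifier  # OpenID 2.0 prepends http:// to a bare host
    p = urlsplit(identifier)
    scheme = p.scheme.lower()
    if p.hostname is None:
        raise ValueError(f"no host in identifier: {identifier!r}")
    host = p.hostname.lower()
    if p.port is not None and p.port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{p.port}"
    path = p.path or "/"
    return urlunsplit((scheme, host, path, p.query, ""))


def scheme_only_twin(a: str, b: str) -> bool:
    """True when a and b are the same identifier apart from http vs https."""
    na, nb = normalize_identifier(a), normalize_identifier(b)
    if na == nb:
        return False
    sa, ra = na.split("://", 1)
    sb, rb = nb.split("://", 1)
    return {sa, sb} == {"http", "https"} and ra == rb


def add_to_acl(acl: list, new_id: str) -> tuple:
    """Add new_id to an ACL of normalized identifiers; return (acl, warnings).

    A warning is produced for every existing entry that differs from new_id
    only in scheme, so the person editing the ACL sees the full identifier
    (scheme included) rather than the prefix-less string many RPs display.
    """
    nid = normalize_identifier(new_id)
    warnings = [f"{nid} differs only in scheme from existing entry {old}"
                for old in acl if scheme_only_twin(nid, old)]
    if nid not in acl:
        acl = acl + [nid]
    return acl, warnings
```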
