[OpenID] Reconsidering http://openid different from https://openid
Joseph Holsten
joseph at josephholsten.com
Wed Sep 19 20:10:53 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sep 19, 2007, at 2:40 PM, Johannes Ernst wrote:
> I postulate that:
>
> - 99% of internet users have only a very vague idea about the
> difference between http and https, in particular as it relates to
> OpenID. And in particular as so many RPs don't print the "http[s]"
> prefix when they print a user name!
>
> - almost 100% of internet users won't understand that an RP might
> choose to make http://foo and https://foo a different account. (I
> have some evidence that at least 90% of a representative sample of
> leading identity technologists don't understand it)
>
> I would also guess that a (human-level) impersonation attack by
> http://foo against https://foo will almost always be successful -
> e.g. because so many RPs don't print the protocol prefix.
>
> Would anybody on this thread disagree with these assumptions?
Yes. I know people who are convinced that <http://openid.example> and
<http://openid.example/> are different. True, they don't understand
why, but that's not the point.
Tell them what their identifier is and use it.
Or stop calling it http and https and just say <openid://me.example>
http:// Joseph Holsten.com
master of hyperbole, for the sanctity of everything important,
everywhere
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
iD8DBQFG8YJNxYqeHL30HVYRAlmOAKCAJJTWTSK41VJD+fKb1hekXm7FBACfdUeX
FAqHLIKvG8eE7uUhuO2a0y4=
=kZYo
-----END PGP SIGNATURE-----
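The two points the thread turns on, whether `http://openid.example` and `http://openid.example/` are the same identifier and whether `http://foo` and `https://foo` are, come down to how a relying party normalizes identifiers before comparing them, and to whether it keeps the scheme visible when it prints one. The following is an added example written for this archive page, not code from the thread or from any OpenID library; it applies the URL-identifier normalization rules from OpenID Authentication 2.0 section 7.2 (default scheme `http`, case-folded scheme and host, empty path becomes `/`, fragment dropped) as this editor summarizes them. The hostnames `openid.example` and `me.example` are the ones used in the message; the function names `normalize_identifier`, `same_identifier` and `display_name` are this example's own.

```python
"""Added example (not part of the original thread): normalize OpenID-style URL
identifiers, compare them, and render them without dropping the scheme.

Assumptions (this example's own): helper names are invented here; the rules
follow OpenID Authentication 2.0 section 7.2 as summarized by the editor;
nothing here performs discovery or touches the network.
"""
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(raw: str) -> str:
    """Normalize a user-entered OpenID URL identifier.

    - surrounding whitespace is stripped
    - a missing scheme defaults to http:// (the spec's default)
    - scheme and host are case-folded; default ports are dropped
    - an empty path becomes '/', so 'http://openid.example' and
      'http://openid.example/' are one identifier
    - the fragment is removed
    http and https are deliberately NOT folded together: per the thread,
    'http://foo' and 'https://foo' are distinct identifiers.
    """
    ident = raw.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported identifier scheme: {scheme!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port  # None when absent; raises ValueError if non-numeric
    default_port = 80 if scheme == "http" else 443
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def same_identifier(a: str, b: str) -> bool:
    """True when two user-entered identifiers normalize to the same URL."""
    return normalize_identifier(a) == normalize_identifier(b)


def display_name(identifier: str) -> str:
    """Render an identifier for display while keeping the scheme visible.

    The thread's worry is RPs that print only 'foo' for both http://foo and
    https://foo, which makes a human-level impersonation hard to spot.
    Keeping the scheme in the displayed string is the cheap mitigation;
    only the bare trailing '/' of a root path is trimmed for readability.
    """
    parts = urlsplit(normalize_identifier(identifier))
    tail = "" if parts.path == "/" else parts.path
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{parts.netloc}{tail}{query}"


if __name__ == "__main__":
    # Constructed sample pairs mirroring the cases discussed in the thread.
    pairs = [
        ("http://openid.example", "http://openid.example/"),   # same
        ("openid.example", "HTTP://OpenID.Example/"),          # same
        ("http://openid.example/", "https://openid.example/"), # different
    ]
    for a, b in pairs:
        verdict = "same" if same_identifier(a, b) else "DIFFERENT"
        print(f"{display_name(a):30} vs {display_name(b):30} -> {verdict}")
```

Run it directly to see the three comparisons; the third line shows that an `https` identifier never silently matches its `http` counterpart, while the display strings make the difference visible to the user instead of hiding it behind a bare hostname.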