[OpenID] Reconsidering http://openid different from https://openid

Pat Patterson Andrew.Patterson at Sun.COM
Mon Sep 24 22:06:18 UTC 2007


Hi Eddy,

On Sep 24, 2007, at 10:45 AM, Eddy Nigg (StartCom Ltd.) wrote:

> Pat Patterson wrote:
>> I don't understand this from section 11.5.2:
>> Surely, if an attacker gained control of the HTTP URL, he would be  
>> free to redirect to an endpoint of his choosing, a clear reduction  
>> in security. Am I missing something?
> HTTP URL = Web site?
> HTTP = DNS?

I don't know - I was quoting the section of spec you included in a  
previous message.

> Surely, if an attacker gained control of the HTTPS URL this would  
> be a clear reduction in security.

Clearly :-)

> Guess you don't miss anything.

I try not to, but... I still don't get it.

Let's say I compromise DNS, sending traffic for eddy.someidp.com to  
www.myevilidp.com. To initiate the discovery process, you type in  
http://eddy.someidp.com at an RP. The RP goes to www.myevilidp.com  
and he is in my clutches. I can send the RP to an http or https  
endpoint of my choosing.

On the other hand, let's say I compromise the someidp.com web site.  
Again, if an RP does discovery on http://eddy.someidp.com, I am free  
to send the RP anywhere I like, http or https.

As far as I can see, it's only by the RP doing discovery on https://eddy.someidp.com that he gains any benefit from HTTPS.

Cheers,

Pat

> -- 
> Regards
>
> Signer: 	Eddy Nigg, StartCom Ltd.
> Jabber: 	startcom at startcom.org
> Blog: 	Join the Revolution!
> Phone: 	+1.213.341.0390
>

- - - - -
Pat Patterson
Federation Architect, Sun Microsystems, Inc.
pat.patterson at sun.com - http://blogs.sun.com/superpat
- - - - -
Join OpenSSO today! http://opensso.dev.java.net/
- - - - -
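The two scenarios Pat walks through, as an added illustration that is not part of the original thread: a small Python model of HTML-based OpenID 2.0 discovery (reading the openid2.provider link) run over a DNS table the attacker can poison. The hostnames, page contents, certificate names and every helper function here are constructed for the example; none of it is code from the list or from any OpenID library.

```python
import re

# Constructed sample servers for the scenarios in the message above (not real hosts).
# Each server has the set of hostnames its TLS certificate is valid for, and the HTML it serves.
HONEST_HTML = (
    '<html><head>'
    '<link rel="openid2.provider" href="https://op.someidp.com/auth">'
    '<link rel="openid2.local_id" href="http://eddy.someidp.com/">'
    '</head></html>'
)
# The attacker's page points discovery at an endpoint he controls. It is an https URL on his
# own domain, for which he can hold a perfectly valid certificate: requiring an https *endpoint*
# is therefore no protection by itself, exactly as the message argues.
EVIL_HTML = (
    '<html><head>'
    '<link rel="openid2.provider" href="https://www.myevilidp.com/auth">'
    '</head></html>'
)

SERVERS = {
    "someidp-server": {"cert_names": {"eddy.someidp.com"}, "html": HONEST_HTML},
    "evil-server": {"cert_names": {"www.myevilidp.com"}, "html": EVIL_HTML},
}
# Second scenario: the someidp.com web site itself is compromised and now serves the attacker's
# page from the legitimate host (with the legitimate certificate).
COMPROMISED_SERVERS = {
    "someidp-server": {"cert_names": {"eddy.someidp.com"}, "html": EVIL_HTML},
    "evil-server": SERVERS["evil-server"],
}

# DNS tables: honest resolution, and the poisoned one from the first scenario, where
# eddy.someidp.com is steered to the attacker's server.
HONEST_DNS = {"eddy.someidp.com": "someidp-server", "www.myevilidp.com": "evil-server"}
POISONED_DNS = {"eddy.someidp.com": "evil-server", "www.myevilidp.com": "evil-server"}

LINK_RE = re.compile(r'<link\s+rel="([^"]+)"\s+href="([^"]+)"', re.I)


def make_fetch(dns, servers=SERVERS):
    """Build a toy HTTP client that resolves hostnames through `dns` (a dict, so it can be poisoned).

    For https URLs the client does what a real TLS client must do: refuse to talk to a server whose
    certificate does not cover the hostname in the URL. Plain http has no such check.
    """
    def fetch(url):
        m = re.match(r"(https?)://([^/]+)", url)
        if not m:
            raise ValueError("unsupported URL: " + url)
        scheme, host = m.group(1), m.group(2)
        server = servers[dns[host]]
        if scheme == "https" and host not in server["cert_names"]:
            raise ConnectionError("TLS certificate does not match " + host)
        return server["html"]
    return fetch


def discover(claimed_id, fetch):
    """HTML-based OpenID 2.0 discovery: fetch the claimed identifier and read its openid2.provider link.

    Returns the OP endpoint URL the RP would send the user to.
    """
    links = dict(LINK_RE.findall(fetch(claimed_id)))
    endpoint = links.get("openid2.provider")
    if endpoint is None:
        raise ValueError("no openid2.provider link on " + claimed_id)
    return endpoint


def rp_discovers(claimed_id, dns, servers=SERVERS):
    """Run discovery as an RP would, against the given DNS view and set of servers.

    Returns the discovered OP endpoint, or None if discovery failed (here: a TLS mismatch).
    """
    try:
        return discover(claimed_id, make_fetch(dns, servers))
    except ConnectionError:
        return None


if __name__ == "__main__":
    for claimed in ("http://eddy.someidp.com/", "https://eddy.someidp.com/"):
        for name, dns in (("honest DNS", HONEST_DNS), ("poisoned DNS", POISONED_DNS)):
            print(f"{claimed:28} {name:13} -> {rp_discovers(claimed, dns)}")
    print("compromised site, https discovery ->",
          rp_discovers("https://eddy.someidp.com/", HONEST_DNS, COMPROMISED_SERVERS))
```

Running it reproduces the argument: with an http:// claimed identifier the DNS attacker picks the endpoint, and nothing stops him picking an https one; with an https:// claimed identifier the poisoned lookup dies at the certificate check before any endpoint is read. The last line shows the limit of that protection: once the identity host itself is compromised, it serves the attacker's link under its own valid certificate and https discovery no longer helps, which is a property of TLS rather than of OpenID.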



