[OpenID] Reconsidering http://openid different from https://openid
Josh Hoyt
josh at janrain.com
Mon Sep 24 22:41:01 UTC 2007
On 9/24/07, Pat Patterson <Andrew.Patterson at sun.com> wrote:
> Let's say I compromise DNS, sending traffic for eddy.someidp.com to www.myevilidp.com.
> To initiate the discovery process, you type in http://eddy.someidp.com at an RP. The RP
> goes to www.myevilidp.com and he is in my clutches. I can send the RP to an http or
> https endpoint of my choosing.
The suggestion in the specification is valid *because* the HTTP and
HTTPS identifiers are different from each other. If you compromise
http://myid.invalid/ when all it was doing was redirecting to
https://myid.invalid/, you can sign in as http://myid.invalid/, but
that won't get you any closer to gaining access to resources that are
tied to the identifier. All you can do is remove the convenient
redirect that saves me typing and lets people automatically discover
that the HTTPS identifier is me.
The redirect is part of the URL normalization process for OpenID.
Redirects tell the relying party to use a different identifier instead
of the identifier that was entered.
Hope that helps,
Josh
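As an added illustration of the point above (this is not code from the thread or from any OpenID library; it is a small stand-in written for this page): the RP normalizes what the user typed, follows redirects to get the final URL, and treats that final URL as the Claimed Identifier. The redirect table stands in for the HTTP fetch, and the hosts other than myid.invalid are constructed for the example. Because http://myid.invalid/ and https://myid.invalid/ are distinct identifiers after normalization, an attacker who can only break or hijack the http:// redirect ends up with an identifier that is not the https:// one.

```python
from urllib.parse import urlsplit, urlunsplit

MAX_REDIRECTS = 10  # assumption: a sane cap; the spec only says to follow redirects


def normalize_url(identifier):
    """URL normalization along the lines of OpenID 2.0 section 7.2 / RFC 3986 section 6:
    prepend http:// when no scheme was typed, lowercase scheme and host,
    drop default ports, use "/" for an empty path and strip the fragment."""
    ident = identifier.strip()
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = "%s:%d" % (host, port)
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def resolve_claimed_identifier(identifier, redirects):
    """Follow redirects from the normalized identifier and return the final URL.
    `redirects` maps a URL to the Location the server answers with (constructed
    stand-in for the network fetch).  Loops and long chains are rejected."""
    url = normalize_url(identifier)
    seen = set()
    for _ in range(MAX_REDIRECTS):
        if url in seen:
            raise ValueError("redirect loop at %s" % url)
        seen.add(url)
        nxt = redirects.get(url)
        if nxt is None:
            return url            # no redirect: this is the Claimed Identifier
        url = normalize_url(nxt)
    raise ValueError("too many redirects")


def same_identifier(a, b):
    """Two identifiers are the same principal only if they normalize identically."""
    return normalize_url(a) == normalize_url(b)


if __name__ == "__main__":
    # Honest setup: the http:// URL just redirects to the https:// one.
    honest = {"http://myid.invalid/": "https://myid.invalid/"}
    print(resolve_claimed_identifier("myid.invalid", honest))
    # -> https://myid.invalid/

    # Attacker controls http://myid.invalid/ (e.g. via DNS) and removes the redirect.
    print(resolve_claimed_identifier("myid.invalid", {}))
    # -> http://myid.invalid/  (a different identifier, not the https:// one)

    # Attacker instead redirects to an IdP of their choosing (constructed host).
    hijacked = {"http://myid.invalid/": "http://www.myevilidp.invalid/eddy"}
    claimed = resolve_claimed_identifier("myid.invalid", hijacked)
    print(claimed, same_identifier(claimed, "https://myid.invalid/"))
    # -> http://www.myevilidp.invalid/eddy False
```

In all three cases the RP keys its authorization on the final normalized URL, so whatever the attacker can make http://myid.invalid/ resolve to, it never compares equal to https://myid.invalid/.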