[OpenID] Reconsidering http://openid different from https://openid
Martin Atkins
mart at degeneration.co.uk
Fri Sep 28 07:50:04 UTC 2007
Johannes Ernst wrote:
> I'm one of the guys who actually maintains an ACL (Access Control List)
> based on OpenID identities. The process works like this:
> - Customer: hey, I'd like access to your website
> - Me: sure, send me your OpenID
> - Customer: foo.bar.com
> - Me: adding http://foo.bar.com/ to the ACL
> - Customer: hey, I tried but it doesn't work
> - Me (diagnosing): that's because you entered 'https://foo.bar.com/'
> and not 'http://foo.bar.com/".
>
> This happens in a surprisingly large number of cases.
>
I believe the recommended pattern is to have the http: form redirect to
the https: form, thus allowing foo.bar.com to be entered:
* Consumer normalizes to http://foo.bar.com/
* Consumer gets redirected to https://foo.bar.com/
* Consumer uses https://foo.bar.com/ as claimed_identifier.
If the non-SSL URL is later compromised in some way (it doesn't use SSL,
after all!), this doesn't provide the attacker access to the https:
version since they are distinct.
Considering the two to be equivilent is a security flaw, since it means
that an attacker can compromise the http: version and gain access to
accounts that are using the https: version.
The change required in your case is that your app (which is managing the
ACL) should do the discovery step when adding, and add the correct
claimed_identifier. I suggest that this is good UX anyway, since the app
can then also say "Hey, this thing doesn't seem to be an OpenID
Identifier!".
More information about the general
mailing list