[OpenID] Reconsidering http://openid different from https://openid

George Fletcher gffletch at aol.com
Fri Sep 28 13:14:03 UTC 2007


So, just to make sure I've got the best practices from this thread...

1. OPs: Support HTTPS and always redirect the http version to the https 
version

2. RPs: When adding an OpenID to an ACL always do the claimed_id 
normalization step

3. Users:
    a. Pick a "good" OP that does step 1
    b. When someone asks for your OpenID just give them the URL without 
the scheme

Thanks,
George

Martin Atkins wrote:
> Johannes Ernst wrote:
>   
>> I'm one of the guys who actually maintains an ACL (Access Control List) 
>> based on OpenID identities. The process works like this:
>>  - Customer: hey, I'd like access to your website
>>  - Me: sure, send me your OpenID
>>  - Customer: foo.bar.com
>>  - Me: adding http://foo.bar.com/ to the ACL
>>  - Customer: hey, I tried but it doesn't work
>>  - Me (diagnosing): that's because you entered 'https://foo.bar.com/' 
>> and not 'http://foo.bar.com/'.
>>
>> This happens in a surprisingly large number of cases.
>>
>>     
>
> I believe the recommended pattern is to have the http: form redirect to 
> the https: form, thus allowing foo.bar.com to be entered:
>
>   * Consumer normalizes to http://foo.bar.com/
>   * Consumer gets redirected to https://foo.bar.com/
>   * Consumer uses https://foo.bar.com/ as claimed_identifier.
>
> If the non-SSL URL is later compromised in some way (it doesn't use SSL, 
> after all!), this doesn't provide the attacker access to the https: 
> version since they are distinct.
>
> Considering the two to be equivalent is a security flaw, since it means 
> that an attacker can compromise the http: version and gain access to 
> accounts that are using the https: version.
>
> The change required in your case is that your app (which is managing the 
> ACL) should do the discovery step when adding, and add the correct 
> claimed_identifier. I suggest that this is good UX anyway, since the app 
> can then also say "Hey, this thing doesn't seem to be an OpenID 
> Identifier!".
>

-- 
Chief Architect                   AIM:  gffletch
Identity Services                 Work: george.fletcher at corp.aol.com
AOL LLC                           Home: gffletch at aol.com
Mobile: +1-703-462-3494
Office: +1-703-265-2544           Blog: http://practicalid.blogspot.com
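The RP-side practice summarized above (normalize the user-supplied identifier, follow the http: to https: redirect during discovery, store the final URL as claimed_identifier, and never treat the http and https forms as the same entry) as an added worked example. This is not code from the thread or from any OpenID library; the OP at foo.bar.com and the redirect table standing in for live HTTP fetches are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for live discovery: maps a URL to the URL it
# redirects to, or None when it is the final (non-redirecting) URL.
# foo.bar.com is a hypothetical OP that redirects http: to https:;
# legacy.example is a hypothetical OP that does not.
REDIRECTS = {
    "http://foo.bar.com/": "https://foo.bar.com/",
    "https://foo.bar.com/": None,
    "http://legacy.example/": None,
}


def fake_fetch(url):
    """Offline replacement for an HTTP GET; raises for unknown hosts."""
    if url not in REDIRECTS:
        raise LookupError("%s does not look like an OpenID Identifier" % url)
    return REDIRECTS[url]


def normalize(user_input):
    """Normalize a user-typed identifier the way an RP should before
    discovery: default the scheme to http://, lowercase scheme and host,
    ensure a path component, and drop any fragment."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def discover(url, fetch=fake_fetch, max_hops=5):
    """Follow redirects; the final URL is the claimed_identifier.
    A bounded hop count guards against redirect loops."""
    seen = []
    for _ in range(max_hops):
        seen.append(url)
        nxt = fetch(url)
        if nxt is None:
            return url
        url = nxt
    raise RuntimeError("too many redirects: " + " -> ".join(seen))


def add_to_acl(acl, user_input):
    """Step 2 from the summary: do the normalization and discovery at
    ACL-add time, and store what discovery returned, not what was typed."""
    claimed = discover(normalize(user_input))
    acl.add(claimed)
    return claimed


def is_allowed(acl, claimed_identifier):
    """Exact-string membership: https://foo.bar.com/ and
    http://foo.bar.com/ are distinct identifiers, so a compromise of the
    non-SSL URL does not match an https: ACL entry."""
    return claimed_identifier in acl


if __name__ == "__main__":
    acl = set()
    print("stored:", add_to_acl(acl, "foo.bar.com"))
    print("https allowed:", is_allowed(acl, "https://foo.bar.com/"))
    print("http allowed: ", is_allowed(acl, "http://foo.bar.com/"))
    try:
        add_to_acl(acl, "not-an-openid.example")
    except LookupError as e:
        print("rejected:", e)
```

Running the block shows the customer typing "foo.bar.com" ending up with "https://foo.bar.com/" in the ACL, the http: form being refused, and an unknown host being rejected at add time with the "doesn't seem to be an OpenID Identifier" message Martin suggests.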



