[OpenID] Reconsidering http://openid different from https://openid
J Panzer
jpanzer at acm.org
Fri Sep 28 15:10:09 UTC 2007
Martin Atkins wrote:
> Johannes Ernst wrote:
>
>>I'm one of the guys who actually maintains an ACL (Access Control List)
>>based on OpenID identities. The process works like this:
>> - Customer: hey, I'd like access to your website
>> - Me: sure, send me your OpenID
>> - Customer: foo.bar.com
>> - Me: adding http://foo.bar.com/ to the ACL
>> - Customer: hey, I tried but it doesn't work
>> - Me (diagnosing): that's because you entered 'https://foo.bar.com/'
>>and not 'http://foo.bar.com/'.
>>
>>This happens in a surprisingly large number of cases.
>>
>
>
> I believe the recommended pattern is to have the http: form redirect to
> the https: form, thus allowing foo.bar.com to be entered:
>
> * Consumer normalizes to http://foo.bar.com/
> * Consumer gets redirected to https://foo.bar.com/
If an attacker can compromise the http version, and redirects to
https://foo.bar.com.evil.org in this step, there should be an error
displayed, right? Shouldn't this be documented explicitly?
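One way a relying party could enforce the check raised above, as an added example that is not code from this thread or from any OpenID library: it normalizes the user-supplied identifier the way the quoted exchange describes (foo.bar.com becomes http://foo.bar.com/) and then accepts a discovery redirect only if it is a same-host http to https upgrade, rejecting a hop to a host such as foo.bar.com.evil.org. The redirect chain is passed in as a constructed list standing in for the real HTTP fetches, and the "same host, same path, scheme may only go up" policy is this example's assumption, not something the thread or the OpenID spec mandates.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_supplied: str) -> str:
    """Normalize a user-supplied URL identifier: add http:// when no scheme
    is given, lower-case the host, default the path to '/', drop the fragment.
    XRIs are deliberately out of scope for this example."""
    s = user_supplied.strip()
    if s.startswith("xri://") or s.startswith("="):
        raise ValueError("XRI identifiers are not handled here")
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: " + parts.scheme)
    return urlunsplit((parts.scheme, parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def is_acceptable_upgrade(normalized: str, hop: str) -> bool:
    """True only if `hop` differs from the normalized identifier by at most an
    http -> https scheme change. A different host (foo.bar.com.evil.org), a
    changed path or query, or an https -> http downgrade is rejected."""
    a, b = urlsplit(normalized), urlsplit(hop)
    same_target = (a.netloc.lower() == b.netloc.lower()
                   and (a.path or "/") == (b.path or "/")
                   and a.query == b.query)
    scheme_ok = a.scheme == b.scheme or (a.scheme, b.scheme) == ("http", "https")
    return same_target and scheme_ok


def claimed_identifier_after_discovery(user_supplied: str, redirect_chain: list) -> str:
    """Walk a (constructed) chain of redirect targets seen during discovery.
    Every hop must be an acceptable upgrade of the normalized identifier;
    otherwise raise, which is the 'error displayed' behaviour asked about."""
    normalized = normalize_identifier(user_supplied)
    current = normalized
    for hop in redirect_chain:
        if not is_acceptable_upgrade(normalized, hop):
            raise ValueError("discovery redirect left the identifier: %s -> %s"
                             % (current, hop))
        current = hop
    return current  # final URL, e.g. https://foo.bar.com/ for the benign case


if __name__ == "__main__":
    # Benign upgrade chain and the hostile one from the thread (constructed).
    print(claimed_identifier_after_discovery("foo.bar.com", ["https://foo.bar.com/"]))
    try:
        claimed_identifier_after_discovery("foo.bar.com", ["https://foo.bar.com.evil.org/"])
    except ValueError as e:
        print("rejected:", e)
```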