[OpenID] Reconsidering http://openid different from https://openid

Paul C. Bryan email at pbryan.net
Fri Sep 28 17:24:34 UTC 2007


On Fri, 2007-09-28 at 08:10 -0700, J Panzer wrote:

> If an attacker can compromise the http version, and redirects to
> https://foo.bar.com.evil.org in this step, there should be an error
> displayed, right?  Shouldn't this be documented explicitly?

I don't think the redirect should be validated in any way -- because the
URL the user is typing in (which will redirect) will not be the
identifier used by the consumer. It should be the URL ultimately
resolved in the redirect.

Paul
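To make the step under discussion concrete, here is an added illustration (not code from this thread or from any OpenID library) of a relying party following the redirect chain from the URL the user typed and taking the final resolved URL as the identifier, with a helper that surfaces the case Panzer raises, where the chain ends on a different host than the one the user entered. The redirect table, the `openid.example.net` name and the function names are constructed for the example; `foo.bar.com.evil.org` is the host from the quoted message.

```python
from urllib.parse import urlsplit

# Constructed table standing in for HTTP 3xx responses, so this runs offline.
# Key: the URL requested; value: the Location header it would redirect to.
REDIRECTS = {
    # Benign case: plain http upgrades to https on the same host.
    "http://openid.example.net/": "https://openid.example.net/",
    # Attacker-controlled http endpoint sending the user elsewhere (host from the thread).
    "http://foo.bar.com/": "https://foo.bar.com.evil.org/",
}

MAX_HOPS = 5  # bound the chain so a redirect loop cannot run forever


def resolve_identifier(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Follow redirects the way a consumer would and return (final_url, chain).

    The final URL is what the consumer would use as the identifier, as the
    message above argues; the chain is kept for logging and inspection.
    """
    chain = [url]
    for _ in range(max_hops):
        nxt = redirects.get(url)
        if nxt is None:          # no further redirect: this is the resolved URL
            return url, chain
        url = nxt
        chain.append(url)
    raise ValueError("too many redirects: %r" % chain)


def host_changed(chain):
    """True if the resolved URL lives on a different host than the one typed."""
    first = urlsplit(chain[0]).hostname
    last = urlsplit(chain[-1]).hostname
    return first != last


def describe(url):
    """Resolve `url` and return a short record a relying party could log."""
    final, chain = resolve_identifier(url)
    return {
        "typed": url,
        "identifier": final,
        "hops": len(chain) - 1,
        "host_changed": host_changed(chain),
    }


if __name__ == "__main__":
    for typed in ("http://openid.example.net/", "http://foo.bar.com/"):
        print(describe(typed))
```

Running the block shows both outcomes side by side: the benign chain resolves to the https identifier on the same host, while the second chain resolves to `https://foo.bar.com.evil.org/`, which is exactly the identifier the consumer would end up trusting if it applies no check on the chain; `host_changed` is the minimal signal a deployment could log or act on.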



