[OpenID] Reconsidering http://openid different from https://openid

John Panzer jpanzeracm at johnpanzer.com
Sat Sep 29 01:44:13 UTC 2007


Paul C. Bryan wrote:
> On Fri, 2007-09-28 at 08:10 -0700, J Panzer wrote:
> 
> 
>>If an attacker can compromise the http version, and redirects to
>>https://foo.bar.com.evil.org in this step, there should be an error
>>displayed, right?  Shouldn't this be documented explicitly?
> 
> 
> I don't think the redirect should be validated in any way -- because the
> URL the user is typing in (which will redirect) will not be the
> identifier used by the consumer. It should be the URL ultimately
> resolved in the redirect.

Then I'm confused. If you do a redirect over http, a MITM attacker can 
modify the response and show the user what appears to be their OP and 
collect their password, right?  That is, if the point of redirecting to 
https is to prevent MITM attacks, but the initial redirect itself is 
vulnerable to MITM, what have you gained?
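The discovery step the thread is arguing about, as an added Python example that is not from the mailing list or from any OpenID library: a relying party follows the redirects from the identifier the user typed, keeps the URL it ends on as the claimed identifier (Paul's point), and records whether any hop was fetched over plain http and whether the host changed along the way (John's concern). Hostnames, paths and the canned responses are constructed for the example.

```python
"""Follow OpenID identifier redirects and report what the RP ends up trusting."""
from urllib.parse import urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)


def resolve_identifier(typed_url, fetch, max_hops=5):
    """Follow redirects from `typed_url` using `fetch(url) -> (status, location)`.

    Returns the final URL (what the consumer would use as the identifier),
    the hop chain, and two flags worth surfacing before trusting that URL:
      cross_host - final host differs from the host the user typed
      plain_hop  - some hop before the last was fetched over plain http, so a
                   network attacker could have rewritten that redirect
    """
    chain = [typed_url]
    url = typed_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        url = location
        chain.append(url)
    else:
        raise ValueError("too many redirects")
    return {
        "final_url": url,
        "chain": chain,
        "cross_host": urlparse(typed_url).hostname != urlparse(url).hostname,
        "plain_hop": any(urlparse(u).scheme == "http" for u in chain[:-1]),
    }


# Constructed responses standing in for the network.  HONEST is an OP that
# bounces http:// to https:// on its own host; TAMPERED is what a
# man-in-the-middle on the http hop could substitute (a look-alike host).
HONEST = {
    "http://openid.example.net/alice": (301, "https://openid.example.net/alice"),
    "https://openid.example.net/alice": (200, None),
}
TAMPERED = {
    "http://openid.example.net/alice": (302, "https://openid.example.net.evil.example/alice"),
    "https://openid.example.net.evil.example/alice": (200, None),
}


def resolve_with(table, url):
    """Resolve `url` against a canned response table (404 for unknown URLs)."""
    return resolve_identifier(url, lambda u: table.get(u, (404, None)))


if __name__ == "__main__":
    for name, table in (("honest", HONEST), ("tampered", TAMPERED)):
        print(name, resolve_with(table, "http://openid.example.net/alice"))
```

Note that `plain_hop` is true even for the honest OP: the https identifier was only reached through an http redirect, which is exactly the gap the reply above points out.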
