[OpenID] Reconsidering http://openid different from https://openid
Lukas Rosenstock
lukas.rosenstock at identity20.eu
Sat Sep 29 08:38:40 UTC 2007
On 29.09.2007, 03:44, John Panzer <jpanzeracm at johnpanzer.com> wrote:
> Then I'm confused. If you do a redirect over http, a MITM attacker can
> modify the response and show the user what appears to be their OP and
> collect their password, right? That is, if the point of redirecting to
> https is to prevent MITM attacks, but the initial redirect itself is
> vulnerable to MITM, what have you gained?
User logs in for the first time, enters http://myid/, gets redirected to
https://myid/ (this identity is "SSL-validated" and cannot be taken over)
and is signed up as https://myid/. All an attacker in control of
http://myid/ can do is redirect to https://myid.fakeserver/ which is
obviously != https://myid/. So a new account for https://myid.fakeserver/
would be created on the RP, the original account is still safe.
Have you taken a look at OpenID implementations? AFAIK there are some that
do NOT do the redirect (or actually do it, but still take the entered URL
as identifier; those would be vulnerable).
--
Lukas Rosenstock
Identity 2.0 Europe :: http://identity20.eu/
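As an added illustration of the two RP behaviours discussed in this message (not code from the thread or from any OpenID library), the resolver below follows the redirect chain and keeps the final URL as the identifier, while the "entered" policy keeps what the user typed; the redirect tables and the hypothetical myid / myid.fakeserver hosts are constructed stand-ins for real HTTP fetches.

```python
# Added example (not from the thread): an RP-side identifier resolver that
# follows the http -> https redirect and keeps the FINAL URL as the claimed
# identifier, contrasted with the vulnerable policy of keeping the ENTERED URL.
# The "network" dicts below are constructed stand-ins for real HTTP fetches.

# Constructed redirect tables: value is the Location target, None = final page.
HONEST_NETWORK = {
    "http://myid/": "https://myid/",
    "https://myid/": None,
}
# An attacker in control of plain http://myid/ (e.g. via MITM) redirects elsewhere.
MITM_NETWORK = {
    "http://myid/": "https://myid.fakeserver/",
    "https://myid.fakeserver/": None,
}

MAX_REDIRECTS = 5

def resolve_identifier(entered_url, network, policy="final"):
    """Follow redirects starting at entered_url and return the identifier.

    policy="final":   identifier is the URL where the redirect chain ends
                      (the behaviour the message describes as safe).
    policy="entered": identifier is whatever the user typed, even after a
                      redirect (the behaviour the message warns about).
    Raises ValueError on unknown URLs or on redirect loops / too many hops.
    """
    url = entered_url
    for _ in range(MAX_REDIRECTS + 1):
        if url not in network:
            raise ValueError("unreachable URL: %s" % url)
        target = network[url]
        if target is None:
            break
        url = target
    else:
        raise ValueError("too many redirects from %s" % entered_url)
    return entered_url if policy == "entered" else url

def is_account_takeover(stored_identifier, entered_url, network, policy="final"):
    """True if a login over `network` would be mapped onto stored_identifier."""
    return resolve_identifier(entered_url, network, policy) == stored_identifier
```

With the "final" policy the attacker's login resolves to https://myid.fakeserver/ and creates a separate account; with the "entered" policy both logins collapse onto http://myid/ and the victim's account is reachable.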