[OpenID] Reconsidering http://openid different from https://openid
Pat Patterson
Andrew.Patterson at Sun.COM
Sat Sep 29 14:43:21 UTC 2007
There's been something nagging at me through this discussion: the RP
seems to be following the trail all the way to the user's IdP. I
thought the user could do some delegation, so there is indirection
between the provided URL and the actual URL at the IdP, the benefit
being that I remain in control of (say) http://someblog.blogspot.com/
and I can move my actual IdP account from someidp.com to abetteridp.com.
What happens to all this if the RP is supposed to follow the rabbit
trail to the bottom and store someidp.com. When I get a better del
from abetteridp.com, I'm stuck, am I not?
Cheers,
Pat
On Sep 29, 2007, at 1:38 AM, Lukas Rosenstock wrote:
> On 29.09.2007 at 03:44, John Panzer
> <jpanzeracm at johnpanzer.com> wrote:
>
>> Then I'm confused. If you do a redirect over http, a MITM attacker can
>> modify the response and show the user what appears to be their OP and
>> collect their password, right? That is, if the point of redirecting to
>> https is to prevent MITM attacks, but the initial redirect itself is
>> vulnerable to MITM, what have you gained?
>
> User logs in for the first time, enters http://myid/, gets redirected to
> https://myid/ (this identity is "SSL-validated" and can not be taken over)
> and is signed up as https://myid/. All an attacker in control of
> http://myid/ can do is redirect to https://myid.fakeserver/ which is
> obviously != https://myid/. So a new account for https://myid.fakeserver/
> would be created on the RP, the original account is still safe.
> Have you taken a look at OpenID implementations, afaik there are some who
> do NOT do the redirect (or actually do it, but still take the entered URL
> as identifier - those would be vulnerable).
>
> --
> Lukas Rosenstock
> Identity 2.0 Europe :: http://identity20.eu/
- - - - -
Pat Patterson
Federation Architect, Sun Microsystems, Inc.
pat.patterson at sun.com - http://blogs.sun.com/superpat
- - - - -
Join OpenSSO today! http://opensso.dev.java.net/
- - - - -
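As an added illustration of the two RP behaviours contrasted in the quoted reply (storing the post-redirect https URL versus storing the URL the user typed), here is example code that is not from the list or from any OpenID library; the redirect tables, hostnames and the redirect limit are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed redirect tables standing in for what the RP's discovery fetch
# of the entered identifier would see (no network needed).
HONEST_WEB = {"http://myid/": "https://myid/"}
# Same identifier while an attacker controls the plain-http hop: all they
# can do is redirect to a TLS host of their own.
ATTACKED_WEB = {"http://myid/": "https://myid.fakeserver/"}


def follow_redirects(url, web, limit=5):
    """Follow the redirect chain in `web`; `limit` (assumed) stops loops."""
    for _ in range(limit):
        if url not in web:
            return url
        url = web[url]
    raise ValueError("too many redirects from %s" % url)


def rp_identifier(entered, web, use_final=True):
    """Return the identifier the RP stores for an account.

    use_final=True : store the post-redirect URL and refuse anything that
                     never reached https (a plain-http identifier can be
                     taken over, so it is not "SSL-validated").
    use_final=False: store what the user typed (the vulnerable behaviour).
    """
    if not use_final:
        return entered
    final = follow_redirects(entered, web)
    if urlsplit(final).scheme != "https":
        raise ValueError("%s is not SSL-validated, refusing it" % final)
    return final


def account_for(entered, web, accounts, use_final=True):
    """Account a login attempt lands on, or None if it would be a new one."""
    return accounts.get(rp_identifier(entered, web, use_final))


if __name__ == "__main__":
    safe = {rp_identifier("http://myid/", HONEST_WEB): "alice"}
    print(account_for("http://myid/", ATTACKED_WEB, safe))        # None
    weak = {rp_identifier("http://myid/", HONEST_WEB, False): "alice"}
    print(account_for("http://myid/", ATTACKED_WEB, weak, False))  # alice
```

With the https identifier stored, the attacker's redirect only ever reaches a fresh account; with the typed URL stored, the same redirect lands on the victim's account.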