[OpenID] Reconsidering http://openid different from https://openid
John Panzer
jpanzeracm at johnpanzer.com
Sat Sep 29 16:06:29 UTC 2007
Lukas Rosenstock wrote:
> On 29.09.2007 at 03:44, John Panzer <jpanzeracm at johnpanzer.com> wrote:
>
>> Then I'm confused. If you do a redirect over http, a MITM attacker can
>> modify the response and show the user what appears to be their OP and
>> collect their password, right? That is, if the point of redirecting to
>> https is to prevent MITM attacks, but the initial redirect itself is
>> vulnerable to MITM, what have you gained?
>
> User logs in for the first time, enters http://myid/, gets redirected
> to https://myid/ (this identity is "SSL-validated" and can not be taken
> over) and is signed up as https://myid/. All an attacker in control of
> http://myid/ can do is redirect to https://myid.fakeserver/ which is
> obviously != https://myid/. So a new account for
> https://myid.fakeserver/ would be created on the RP, the original
> account is still safe.
Except that the user entered their password into the OP associated with
https://myid.fakeserver, so the original account is completely
compromised. Also, the user associates their other account information
(email address, credit card #, etc.) with https://myid.fakeserver rather
than their true OpenID.
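The scenario argued over above, as an added simulation that is not code from this thread or from any OpenID implementation: the RP normalizes what the user typed (OpenID 2.0 style: default to http://, add the empty path), follows the discovery redirects, and ends up with a claimed identifier. The "network" is a constructed table of redirect responses standing in for real HTTP; the honest table upgrades http://myid/ to https://myid/, while the attacker table models a MITM on the plain-http hop who can only change where that one redirect points. The function names, the `crosses_host` warning and the hypothetical `rp_login` account store are assumptions made for the example.

```python
"""
Simulated OpenID discovery with and without a MITM on the http hop.
Added example for this thread; not code from the list or from any
OpenID library. All "network" responses are constructed inline.
"""
from urllib.parse import urlparse, urlunparse

# Constructed redirect tables: URL -> redirect target, or None when the
# URL is a final identifier page (no further redirect).
HONEST_NETWORK = {
    "http://myid/": "https://myid/",
    "https://myid/": None,
}

# The attacker cannot forge https://myid/ (TLS), so the only thing a MITM on
# the http hop can do is point the first redirect at a host they control.
MITM_NETWORK = {
    "http://myid/": "https://myid.fakeserver/",
    "https://myid.fakeserver/": None,   # attacker's own TLS host
    "https://myid/": None,
}


def normalize(user_input: str) -> str:
    """OpenID 2.0 style normalization of the typed identifier:
    prepend http:// when no scheme is given, use '/' for an empty path."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlparse(s)
    return urlunparse((p.scheme.lower(), p.netloc.lower(), p.path or "/",
                       "", p.query, ""))


def discover(user_input: str, network: dict, max_hops: int = 5) -> str:
    """Follow redirects from the normalized identifier and return the
    claimed identifier the RP ends up with."""
    url = normalize(user_input)
    for _ in range(max_hops):
        target = network.get(url)
        if target is None:
            return url
        url = target
    raise RuntimeError("too many redirects during discovery")


def crosses_host(user_input: str, final_identifier: str) -> bool:
    """An http->https upgrade on the same host is the benign case; landing
    on a different host is exactly what a MITM on the http hop can cause."""
    typed_host = urlparse(normalize(user_input)).hostname
    return typed_host != urlparse(final_identifier).hostname


def op_that_receives_password(final_identifier: str) -> str:
    """The OP the user authenticates at is whoever serves the final
    identifier, so that host is where the password ends up."""
    return urlparse(final_identifier).hostname


def rp_login(user_input: str, network: dict, accounts: dict):
    """Hypothetical RP: returns (claimed identifier, is_new_account,
    cross-host warning). Accounts are keyed by the discovered identifier."""
    final = discover(user_input, network)
    is_new = final not in accounts
    accounts.setdefault(final, {})
    return final, is_new, crosses_host(user_input, final)


if __name__ == "__main__":
    accounts = {}
    print(rp_login("myid", HONEST_NETWORK, accounts))   # first sign-up
    print(rp_login("myid", MITM_NETWORK, accounts))     # same typed id, MITM
    print(op_that_receives_password(discover("myid", MITM_NETWORK)))
```

Run stand-alone, the two `rp_login` calls show both halves of the argument: the second login creates a separate account for https://myid.fakeserver/ and the https://myid/ account is untouched, but `op_that_receives_password` shows the user's password going to myid.fakeserver. The cross-host flag is the one thing an RP can compute from what it saw, and it is raised only in the MITM run.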