[OpenID] RPs accepting https:// identifiers
Martin Atkins
mart at degeneration.co.uk
Mon Aug 11 20:31:26 UTC 2008
Gerald Beuchelt wrote:
>
> In a nutshell, we would like to require all users to use https://
> prefixed OpenID identifier, so that RPs normalize and discover over
> HTTPS, instead of HTTP. The obvious issue is that -- to my knowledge --
> https://openid.sun.com/user != http://openid.sun.com/user. At this point
> I see an opportunity for the OpenID community to address some of the
> recent vulnerabilities: if RPs started to recognize both https:// and
> http:// prefixed identifiers as the same entity, or at least allowed
> easy linking, users could migrate with a lot more ease.
It's worth noting that allowing http://example.com/ to redirect to
https://example.com/ as per the spec does not create a vulnerability for
https://example.com/. Due to the non-equivalence of the two, an attacker
that compromises http://example.com/ has not also compromised
https://example.com/. Were RPs to consider the http: and https: URLs
equivalent, this would actually defeat the security provided by SSL
since an attacker could attack the http: URL and compromise the https:
URL for free.
Therefore I would advise that, if you are going to allow only https:
identifiers, you consider the "final URL" after discovery, rather
than the initial URL the user enters. This would allow the OP to
redirect the non-SSL version to the SSL version of the identifier, which
is something that most SSL-supporting OPs do already and I think is
considered to be a best practice.
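As an added illustration of the two points above (this is not code from the thread or from any OpenID library): an RP-side check that keeps http: and https: identifiers distinct, and that applies the "https only" policy to the URL reached at the end of discovery rather than to what the user typed. The host example.com and the redirect table standing in for live discovery are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for live HTTP discovery: each URL maps to the
# Location an OP would redirect to, or None when it serves the resource itself.
# Any URL not listed is also treated as a final resource.
REDIRECTS = {
    "http://example.com/alice": "https://example.com/alice",  # OP upgrades to SSL
    "https://example.com/alice": None,
    "http://example.com/bob": None,  # this OP only serves bob over plain HTTP
}

MAX_HOPS = 5  # bound the redirect chain so a looping OP cannot stall the RP


def normalize(identifier):
    """OpenID 2.0-style normalization: default to http:// when no scheme is
    given, lowercase scheme and host, default an empty path to '/', drop
    the fragment. The scheme is deliberately kept as part of the identity."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    p = urlsplit(identifier)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def discover_final_url(identifier, redirects=REDIRECTS):
    """Follow redirects the way discovery would and return the final URL."""
    url = normalize(identifier)
    for _ in range(MAX_HOPS):
        nxt = redirects.get(url)
        if nxt is None:
            return url
        url = normalize(nxt)
    raise ValueError("too many redirects during discovery")


def same_identifier(a, b):
    """Identifiers are equal only if their normalized URLs, scheme included,
    match. Collapsing http/https here would let whoever can tamper with the
    plain-HTTP URL speak for the https one, which is the flaw the post warns about."""
    return normalize(a) == normalize(b)


def accept_https_only(identifier, redirects=REDIRECTS):
    """RP policy from the post: judge the final discovered URL, not the typed one.
    Returns (accepted, final_url)."""
    final = discover_final_url(identifier, redirects)
    return urlsplit(final).scheme == "https", final
```

With this, a user who types `example.com/alice` is still accepted because the OP redirects discovery to the https: URL, while `http://example.com/bob` is rejected even though a scheme-blind comparison would have matched an https: identity.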