[OpenID] Selectively Redirecting OpenID Traffic To HTTPS
Sean Reilly
sreilly at cnri.reston.va.us
Fri Jan 11 15:12:41 UTC 2008

I think the point is that OpenIDs should start with https: so that
there is no http->https redirection needed. If any step of the
process goes through a normal http exchange/redirect then there is a
weak link in the chain where a bad guy could take over the
authentication.

Or maybe I'm missing something having jumped into the middle of the
conversation.

cheers,
sean
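
The weak-link point in the message above, shown as an added example that is not part of the original post: a relying-party side check that walks the redirect chain for an identifier URL and refuses it as soon as any hop, including the identifier itself, is not https. The function name, the redirect table and the example hostnames are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: URL -> Location header the server would return
# (None means a final, non-redirect response). Hostnames are placeholders.
CONSTRUCTED_REDIRECTS = {
    "http://id.example.org/sean": "https://id.example.org/sean",
    "https://id.example.org/sean": None,
    "https://id.example.net/alice": "/users/alice",
    "https://id.example.net/users/alice": None,
    "https://id.example.com/bob": "http://legacy.example.com/bob",
    "http://legacy.example.com/bob": "https://id.example.com/u/bob",
    "https://id.example.com/u/bob": None,
}


def audit_discovery_chain(identifier, redirects, max_hops=5):
    """Walk the redirect chain for an OpenID identifier URL (hypothetical helper).

    Returns (ok, chain, reason). ok is True only if every URL in the chain,
    including the identifier itself, uses https. The walk stops at the first
    plaintext hop, before that URL would be requested.
    """
    chain, seen, url = [], set(), identifier
    while True:
        if url in seen:
            return False, chain + [url], "redirect loop"
        if len(chain) > max_hops:
            return False, chain, "too many redirects"
        chain.append(url)
        seen.add(url)
        if urlsplit(url).scheme.lower() != "https":
            return False, chain, "plaintext hop: " + url
        if url not in redirects:
            return False, chain, "no response recorded for " + url
        location = redirects[url]
        if location is None:
            return True, chain, "all hops over https"
        # Location may be relative; resolve it against the current URL.
        url = urljoin(url, location)


if __name__ == "__main__":
    for ident in ("http://id.example.org/sean",
                  "https://id.example.net/alice",
                  "https://id.example.com/bob"):
        print(ident, "->", audit_discovery_chain(ident, CONSTRUCTED_REDIRECTS))
```

The third identifier starts with https but is still rejected, because one intermediate redirect drops to http before returning to https.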