[OpenID] Selectively Redirecting OpenID Traffic To HTTPS
Trevor Johns
trevor at tjohns.net
Wed Jan 16 07:29:53 UTC 2008
On Jan 15, 2008, at 9:50 PM, Hans Granqvist wrote:
> Of course, a pretty simple attack is RP getting a domain, such as
> http://verislgnlabs.com/, and a cheap cert that chains to
> 99.9% of trusted browser roots, and then silently rewriting your
> URL to fit.
This is a known vulnerability. It can be prevented by carefully
verifying the URL before you enter your password.
I'll readily admit that this doesn't work for regular users who can't
be bothered to read dialogs, much less manually verify (potentially
obfuscated) URLs. But this is where things like Verisign's Seatbelt,
client-side X.509 certs, and out-of-band authentication come into play.
And this problem isn't unique to OpenID; there's a lot of research in
the UI and security fields aiming to improve this.
> OpenID aware browsers or add-ons could help. OPs that use
> OTPs, challenge response, biometrics, etc. could also help. But
> is it even feasible to force their use?
This is what the PAPE extension provides. However, PAPE only provides
advisory information -- it can easily be circumvented by a user who
really doesn't want to use stronger security.
--
Trevor Johns
http://tjohns.net
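The two points above (a lookalike OP domain such as verislgnlabs.com, and PAPE being advisory) can both be turned into mechanical checks on the relying-party or browser-add-on side. The following is an added example written for this page; it is not code from the thread, from Verisign, or from any OpenID library. The allow-list of trusted OPs, the example.org entry, the return_to URLs and the confusable-character table are constructed for the demonstration. The PAPE parameter names and policy URIs are written from memory of the PAPE 1.0 draft and should be checked against the spec before use.

```python
"""Added example: lookalike-domain detection and PAPE response checking
for an OpenID relying party. Not part of the original mailing-list post."""
from urllib.parse import urlparse, parse_qs

# Characters and digraphs that are easily confused in an address bar.
# Each key is rewritten to a canonical "skeleton" character so that
# "verislgnlabs" and "verisignlabs" collapse to the same string.
# Hypothetical table: a real deployment would use Unicode TR39 data.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",   # digraphs first (see sort below)
    "1": "l", "i": "l",
    "0": "o",
    "5": "s",
}

# Hypothetical allow-list of OP domains the RP has vetted.
TRUSTED_OPS = ["verisignlabs.com", "example.org"]

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"


def skeleton(name):
    """Reduce a hostname to its confusable-insensitive form."""
    s = name.lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):  # digraphs before singles
        s = s.replace(src, CONFUSABLES[src])
    return s


def classify_host(url, trusted=TRUSTED_OPS):
    """Return ("trusted", op), ("lookalike", op) or ("unknown", None).

    A host is trusted only if it equals, or is a subdomain of, an entry
    in the allow-list. A host whose skeleton matches an allow-listed
    skeleton but whose real name does not is flagged as a lookalike.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for op in trusted:
        if host == op or host.endswith("." + op):
            return ("trusted", op)
    sk = skeleton(host)
    for op in trusted:
        op_sk = skeleton(op)
        if sk == op_sk or sk.endswith("." + op_sk):
            return ("lookalike", op)
    return ("unknown", None)


def pape_policies_asserted(return_to_url, required):
    """Which of the `required` PAPE policies does the OP's positive
    assertion claim to have applied?

    PAPE is advisory: the OP may ignore the request entirely, and the
    user may pick a weaker method. All the RP can do is refuse to log
    the user in when the signed assertion lacks the policy it wanted.
    Signature verification itself is assumed to happen elsewhere; here
    we only insist that the field is covered by openid.signed.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(return_to_url).query).items()}

    # Find the extension alias: openid.ns.<alias> = PAPE namespace.
    alias = next((k[len("openid.ns."):] for k, v in q.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return set()  # OP did not answer the PAPE request at all

    field = "%s.auth_policies" % alias
    signed = set(q.get("openid.signed", "").split(","))
    if field not in signed:
        return set()  # unsigned claim: treat as absent

    asserted = set(q.get("openid." + field, "").split())
    return set(required) & asserted


if __name__ == "__main__":
    print(classify_host("http://verislgnlabs.com/"))        # the attack from the thread
    print(classify_host("https://verisignlabs.com/server"))
```

`classify_host` only covers ASCII confusables; IDN hosts arrive as punycode (xn--...) and need a full Unicode confusables table to be handled the same way. `pape_policies_asserted` deliberately returns an empty set for an unsigned auth_policies field, since an attacker who can tamper with the redirect could otherwise add the policy URI themselves.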