[OpenID] Mis-using generation identifiers to request SSL treatment
Martin Atkins
mart at degeneration.co.uk
Mon Nov 3 05:57:24 UTC 2008
SitG Admin wrote:
>
> Indeed. Yet how well have we done at communicating this to users? How
> consistently do they enter their secure URI instead of omitting the
> prefix entirely? Solutions have been suggested, if I'm not mistaken,
> such as detecting incoming requests from RP's to the HTTP page and
> redirecting them to the HTTPS version, or having OpenID headers stating
> that only the HTTPS version should be used for OpenID - but what if the
> RP contacts a hostile server because its initial request was not secure?
>
Having a http: URL redirect to an https: URL is secure even if the http:
URL is compromised, because the redirect "canonicalizes" the claimed
identity to the https: URL.
While an attacker can in theory compromise the http: URL and make it
redirect somewhere else or not redirect at all, since the user's
accounts are tied to the https: URL they don't gain access to these
accounts.
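The argument above can be checked with a small model of the relying party's discovery step. This is an added example, not code from Martin Atkins, SitG Admin or the OpenID project; it assumes a simplified RP that resolves the identifier the user typed by following HTTP redirects, treats the final 200 URL as the canonical claimed identifier, and keys user accounts on that canonical https: URL. The "web" the RP fetches from is a constructed in-memory table, so the three situations in the message (honest redirect, redirect hijacked to an attacker's URL, redirect stripped) can be played through without any network.

```python
"""Toy model of OpenID identifier canonicalization via http: -> https: redirect.

Assumptions (not from the mailing-list message): the RP follows redirects
during discovery and binds the session to the *final* URL; accounts are
keyed by that canonical https: URL. Responses come from constructed tables.
"""
from typing import Dict, Optional, Tuple

# Constructed sample "web": URL -> (HTTP status, Location header or None).
HONEST_WEB: Dict[str, Tuple[int, Optional[str]]] = {
    "http://alice.example/": (301, "https://alice.example/"),
    "https://alice.example/": (200, None),
}

# Attacker controls the http: URL and points it at a server they own.
HIJACKED_REDIRECT_WEB: Dict[str, Tuple[int, Optional[str]]] = {
    "http://alice.example/": (301, "https://attacker.example/"),
    "https://attacker.example/": (200, None),
    "https://alice.example/": (200, None),
}

# Attacker controls the http: URL and simply removes the redirect.
STRIPPED_REDIRECT_WEB: Dict[str, Tuple[int, Optional[str]]] = {
    "http://alice.example/": (200, None),
    "https://alice.example/": (200, None),
}

# Accounts at the RP are tied to the canonical https: identifier only.
ACCOUNTS: Dict[str, str] = {"https://alice.example/": "alice's account"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def canonicalize(url: str, web: Dict[str, Tuple[int, Optional[str]]],
                 max_hops: int = 5) -> str:
    """Follow redirects from the typed URL; return the final (canonical) URL."""
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        seen.add(url)
        status, location = web.get(url, (404, None))
        if status in REDIRECT_STATUSES and location:
            url = location  # the redirect rewrites the claimed identifier
            continue
        if status == 200:
            return url
        raise LookupError(f"discovery failed at {url} (status {status})")
    raise ValueError("too many redirects")


def login(typed_url: str, web: Dict[str, Tuple[int, Optional[str]]]) -> Optional[str]:
    """Return the account the RP would grant for the typed identifier, or None.

    Because lookup uses the canonical URL, control of the http: URL alone
    can only steer the user to a *different* identity, never to the account
    bound to https://alice.example/.
    """
    canonical = canonicalize(typed_url, web)
    return ACCOUNTS.get(canonical)


if __name__ == "__main__":
    for name, web in (("honest", HONEST_WEB),
                      ("hijacked redirect", HIJACKED_REDIRECT_WEB),
                      ("stripped redirect", STRIPPED_REDIRECT_WEB)):
        print(f"{name:18} -> canonical={canonicalize('http://alice.example/', web)!r}, "
              f"account={login('http://alice.example/', web)!r}")
```

In the honest case the typed http: URL canonicalizes to https://alice.example/ and the account is found. When the attacker rewrites the redirect, the canonical identifier becomes https://attacker.example/, which is the attacker's own identity and matches no account of Alice's; when the redirect is stripped, the canonical identifier stays at the http: URL, which no account is bound to. This is the property the message relies on: the binding lives on the https: URL, so tampering with the http: hop changes which identity is asserted rather than who gets Alice's account.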