[OpenID] [LIKELY_SPAM]Re: Problems with delegation and directed identity OPs
Peter Watkins
peterw at tux.org
Thu Nov 6 21:34:36 UTC 2008

On Thu, Nov 06, 2008 at 03:39:21PM -0500, Deron Meranda wrote:

> Yes, I agree. I'm still just playing with it, but I was pretty sure
> that security could be compromised if SSL wasn't used during
> delegation discovery.

SSL/TLS ought to be used throughout. It's nice if the discovery URL
has https protection, but what's the point if the OP endpoint uses
http and is therefore vulnerable to MITM? Sure, it's more complex
than simple browser-website MITM, but https certs and CPUs are cheap,
so these attack vectors ought not exist anymore.

The other day I wanted to test XRI with the app I'm working on, and I
don't want to pay $ for an iname, so I plugged in the = nym for a
prominent member of the OpenID community. IIUC, the XRI spec requires
the first stage of XRI discovery to use https. But the login page I
ended up at used plain old http. And the <form> didn't even specify
an https action to receive the password it requested! (Yes, I emailed
the iname owner about it.) My app had good reason to believe that it
knew the correct hostname to contact, but beyond that, no crypto assurance.

> Even then, it seems that some RPs don't really do SSL correctly;
> they don't completely validate the SSL certificates against a
> trusted list of root CAs. So if self-signed SSL certs don't raise
> any warnings, then SSL is sort of compromised anyway.
>
> It's things like this that really need to get documented.

Agreed. It'd be nice to set some system up for testing; for this
specific test, at least the https cert wouldn't cost anything. :-)

-Peter
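
The checks discussed in this message, as an added example that is not part of the original post or of any OpenID library: a small audit that flags plain-http hops and password forms that post over http, plus a TLS context that rejects self-signed certificates. The function names, hostnames and HTML are constructed for illustration.

```python
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def strict_tls_context():
    """TLS settings an RP should use for discovery and OP requests."""
    ctx = ssl.create_default_context()     # loads the system's trusted root CAs
    ctx.check_hostname = True              # library defaults, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED    # self-signed certs fail the handshake
    return ctx

class _FormScan(HTMLParser):
    """Collect [action, has_password_field] for each <form> on a page."""
    def __init__(self):
        super().__init__()
        self.forms, self.in_form = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
            self.in_form = True
        elif tag == "input" and self.in_form:
            if (a.get("type") or "").lower() == "password":
                self.forms[-1][1] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def is_https(url):
    return urlsplit(url).scheme.lower() == "https"

def audit_flow(hops, login_url, login_html):
    """Return findings for a discovery chain and the login page it ends at."""
    findings = [f"{label} uses plain http: {url}"
                for label, url in hops + [("login page", login_url)]
                if not is_https(url)]
    scan = _FormScan()
    scan.feed(login_html)
    for action, has_password in scan.forms:
        target = urljoin(login_url, action)  # empty/relative action inherits page scheme
        if has_password and not is_https(target):
            findings.append(f"password form posts over plain http: {target}")
    return findings

# Constructed sample: https discovery that ends at an http OP and login page.
HOPS = [("discovery URL", "https://xri.example/resolve"),
        ("OP endpoint", "http://op.example/server")]
LOGIN_HTML = ('<form action="/auth" method="post"><input name="user">'
              '<input type="password" name="pw"></form>')
FINDINGS = audit_flow(HOPS, "http://op.example/login", LOGIN_HTML)
```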