[OpenID] Bug in OpenID RP implementations

Andrew Arnott andrewarnott at gmail.com
Fri Jan 2 02:34:05 UTC 2009


Eric,

I think you missed Martin's point.  If an RP considered http://me and
https://me to be the same identity, then although I log myself in as
https://me for security, someone else could log into that RP and spoof my
identity simply by DNS poisoning the RP and then logging in as http://me.

Because RPs consider http and https URLs that are otherwise identical to be
different identities, by signing in myself with https://me, someone who
compromises an RP's DNS server and logs in as http://me won't be able to
spoof my identity worth anything.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Thu, Jan 1, 2009 at 6:59 PM, Eric Norman <ejnorman at doit.wisc.edu> wrote:

>
> On Jan 1, 2009, at 7:49 PM, Martin Atkins wrote:
>
> > Eric Norman wrote:
> >> On Jan 1, 2009, at 6:40 PM, Martin Atkins wrote:
> >>
> >>> OpenID really needs a way to migrate from one identifier to another
> >>> without breaking the connection to existing accounts.
> >>
> >> If RPs do indeed include the "http(s)://" as part of their
> >> account identifiers, then yep, there's a migration problem.
> >>
> >> In any case, I suggest that y'all rethink the notion that
> >> URLs that only differ by that "s" can represent different
> >> entities.  I note that the above statement about what
> >> OpenID needs makes an implicit assumption that such URLs
> >> would represent the same entity.
> >>
> >
> > Two URLs that differ only in that the scheme is https vs. http *must*
> > be
> > considered to be different, otherwise any security benefits offered by
> > using https are rendered ineffective. (You could just compromise the
> > non-SSL version, ignoring the SSL version.)
>
> Of course they're different.  You can tell that just
> by looking at them.  The point is that that doesn't
> mean that they have to represent (identify) different
> entities.  Math geek language: there are mappings that
> aren't injective (one-to-one).
>
> Eric Norman
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
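The RP-side check Andrew and Martin are describing, as an added example that is not code from the thread or from any OpenID library: a small Python identifier normalizer that follows the OpenID 2.0 rules for URL identifiers (prepend "http://" when no scheme is given, drop the fragment, lowercase scheme and host, strip a default port, make an empty path "/") but keeps the scheme as part of the identity, beside an account store that can be switched into the buggy scheme-insensitive mode the thread warns against. The hostname "me", the username "andrew" and the AccountStore class are constructed for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_claimed_id(identifier: str) -> str:
    """Normalize a URL identifier roughly as OpenID 2.0 sec. 7.2 (RFC 3986 sec. 6) does.

    The scheme is deliberately kept: "http://me" and "https://me" stay distinct.
    """
    identifier = identifier.strip()
    if "://" not in identifier:
        identifier = "http://" + identifier  # OpenID 2.0: no scheme given -> http

    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    port = parts.port
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path or "/"  # empty path normalizes to "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))  # fragment dropped


class AccountStore:
    """Hypothetical RP account table keyed by the normalized claimed identifier.

    scheme_sensitive=False reproduces the bug discussed in the thread: the RP
    treats http://me and https://me as the same local account.
    """

    def __init__(self, scheme_sensitive: bool = True):
        self.scheme_sensitive = scheme_sensitive
        self.accounts: dict[str, str] = {}

    def _key(self, claimed_id: str) -> str:
        normalized = normalize_claimed_id(claimed_id)
        if not self.scheme_sensitive:
            # The bug: the scheme is thrown away before the lookup.
            normalized = normalized.split("://", 1)[1]
        return normalized

    def register(self, claimed_id: str, username: str) -> None:
        self.accounts[self._key(claimed_id)] = username

    def lookup(self, claimed_id: str):
        """Return the local user for a claimed_id the OP has (supposedly) verified."""
        return self.accounts.get(self._key(claimed_id))


def spoof_attempt(scheme_sensitive: bool):
    """Simulate the scenario from the thread.

    The legitimate user registers with https://me.  An attacker who poisons the
    RP's DNS can make discovery for http://me point at a server he controls and
    so obtain a positive assertion for the claimed id "http://me"; he cannot do
    the same for https://me without also presenting a valid certificate for
    "me".  The attack succeeds only if the RP conflates the two schemes.
    """
    rp = AccountStore(scheme_sensitive=scheme_sensitive)
    rp.register("https://me", "andrew")          # constructed sample account
    return rp.lookup("http://me")                # what the attacker logs in as


if __name__ == "__main__":
    print(normalize_claimed_id("HTTPS://Me:443"))            # https://me/
    print("strict RP:", spoof_attempt(scheme_sensitive=True))   # None
    print("buggy RP:", spoof_attempt(scheme_sensitive=False))   # andrew
```

Normalization still matters within a scheme (case of the host, a default port, a missing trailing slash, a fragment), otherwise a user who registered as https://me/ would fail to log in as https://me; the point of the thread is only that the scheme must survive that normalization, because it is the one component an attacker with control of the RP's DNS cannot forge for the https form.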
>