[OpenID] Bug in OpenID RP implementations
Eric Norman
ejnorman at doit.wisc.edu
Fri Jan 2 04:13:38 UTC 2009
On Jan 1, 2009, at 8:34 PM, Andrew Arnott wrote:
> Eric,
>
> I think you missed Martin's point. If an RP considered http://me and
> https://me to be the same identity, then although I log myself in as
> https://me for security, someone else could log into that RP and spoof
> my identity simply by DNS poisoning the RP and then logging in as
> http://me.
The phrase used was "... can represent ..."; see below.
> Because RPs consider http and https URLs that are otherwise identical
> to be different identities, then by myself signing in with https://me,
> someone who compromises an RP's DNS server and logs in as http://me
> won't be able to spoof my identity worth anything.
So just what is your point here? Are you saying that it
should be either one or the other, but not both? Or are
you actually arguing that both should be allowed and
indeed refer to different entities?
And if there's a choice to be made, who makes it?
Or perhaps I should put it this way if you consider the
DNS poisoning argument compelling.
Shame on the OpenID community for designing a protocol
that is insecure from its birth (by using http). And
with no easy way to fix it.
Eric Norman
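The exchange above turns on one implementation detail: whether an RP keys its account table on the full normalized Claimed Identifier (scheme included, as OpenID 2.0 section 7.2 prescribes) or collapses http:// and https:// forms onto one record. The following Python, an added example that is not part of this thread and not code from any OpenID library, shows both lookups side by side. `normalize_identifier` is a simplified version of the spec's user-input normalization (it skips XRI i-name handling), the `ACCOUNTS` table is constructed for the illustration, and `lookup_strict` / `lookup_scheme_insensitive` are hypothetical RP helpers named here for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """Simplified OpenID 2.0 user-input normalization (spec section 7.2).

    Steps: strip a leading 'xri://', prepend 'http://' when no scheme is
    given, drop the fragment, then apply RFC 3986 syntax-based
    normalization (lowercase scheme and host, drop the default port,
    turn an empty path into '/'). XRI i-names are not handled; this is a
    simplified version written for the example, not a library routine.
    """
    s = user_input.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # urlsplit already lowercases this
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host
    if parts.port is not None and parts.port != default_port:
        netloc = f"{host}:{parts.port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))  # fragment removed


# Constructed RP account table: the real user registered with the https form.
ACCOUNTS = {"https://me/": "eric"}


def lookup_strict(claimed_id: str):
    """Spec-conformant RP: the whole normalized URL, scheme included, is the key.

    An attacker who poisons the RP's DNS for 'me', serves their own OP over
    plain http, and completes an assertion for http://me ends up with a
    fresh, empty account, not eric's.
    """
    return ACCOUNTS.get(normalize_identifier(claimed_id))


def lookup_scheme_insensitive(claimed_id: str):
    """The collapsing RP the thread argues against: http://me and https://me
    map to the same record. Here the same DNS-poisoning attacker lands in
    eric's account.
    """
    target = urlsplit(normalize_identifier(claimed_id))
    for stored, user in ACCOUNTS.items():
        s = urlsplit(stored)
        if (s.netloc, s.path, s.query) == (target.netloc, target.path, target.query):
            return user
    return None


if __name__ == "__main__":
    for cid in ("https://me", "http://me", "ME/#profile"):
        print(f"{cid:15} -> {normalize_identifier(cid):15} "
              f"strict={lookup_strict(cid)!r:8} collapsed={lookup_scheme_insensitive(cid)!r}")
```

The point of the contrast is that the "scheme-insensitive" variant does nothing the protocol asks for; it only widens the set of identifiers that resolve to an existing account, so the https user's choice of transport buys them nothing once an attacker controls name resolution at the RP.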