[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)

Martin Atkins mart at degeneration.co.uk
Fri Jan 2 21:41:30 UTC 2009


Martin Paljak wrote:
> 
> On 02.01.2009, at 3:49, Martin Atkins wrote:
>>>
>> Two URLs that differ only in that the scheme is https vs. http  
>> *must* be
>> considered to be different, otherwise any security benefits offered by
>> using https are rendered ineffective. (You could just compromise the
>> non-SSL version, ignoring the SSL version.)
> 
> I've never quite understood the security or inherent "trust" of the  
> current PKI/HTTPS scheme. I know that most of the talk here is about  
> average users and actual risks have been small in 2008 and are  
> hopefully going to be small in 2009 as well, but the comforting signal  
> of "no-no, everything is just fine, nothing to see here, no reason to  
> worry, just pay more for EV certs and everything is magically going to  
> be just fine" from the CA industry and some folks, remind me the  
> (sorry for the comparison ... ) credit industry, which long tried to  
> and suggested to fix the now "apparently fundamental problems in the  
> financial system" with just more loan money. We all know what  
> eventually happened...
> 
[snip]

Note that I was very careful in my phrasing to say "...any security 
benefits offered". I think we're all agreed that SSL is not a panacea, 
but any benefits it *does* offer (and I hope we can agree that it is 
better than cleartext HTTP, despite not being perfect) are rendered moot 
if we consider two URLs that differ only in scheme to be equivalent.

Providers that have been around for a while, like MyOpenID, 
unfortunately had to live through OpenID's bootstrapping period while 
library quality was low, SSL client support at relying parties was 
unreliable, and so non-SSL identifiers had to be available. They now 
find themselves in the unfortunate position of being unable to migrate 
to SSL. However, new providers (and new identifiers issued by existing 
providers) can now use SSL and only SSL, and make the HTTP identifiers 
simply redirect to HTTPS, which avoids the usability hurdle of making 
users type https: while preserving the benefits of using SSL.
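The relying-party check under discussion, as an added example that is not code from this thread or from any OpenID library: a simplified identifier normalization (lower-cased scheme and host, default port dropped, empty path made "/", fragment stripped; a cut-down version of the OpenID 2.0 rules, not the full spec) and two comparison routines. `same_identifier_insecure` is the buggy behaviour the thread warns about, where http and https forms of one identifier are treated as equivalent; `same_identifier` keeps the scheme as part of the identity. The `accept_assertion` helper and all example identifiers are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Default ports that carry no information and may be dropped during normalization.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(identifier: str) -> str:
    """Simplified OpenID-style URL identifier normalization.

    This is a constructed, reduced version of the OpenID 2.0 rules, kept only
    to the parts needed here: prepend http:// when no scheme is given,
    lower-case scheme and host, drop the default port, make an empty path "/",
    and strip the fragment. Userinfo and IDN handling are deliberately ignored.
    """
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    netloc = parts.netloc.lower()
    host, sep, port = netloc.rpartition(":")
    if sep and port.isdigit() and int(port) == DEFAULT_PORTS[scheme]:
        netloc = host
    path = parts.path or "/"
    # The fragment is never part of the identifier; query is kept as-is.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def same_identifier_insecure(a: str, b: str) -> bool:
    """The bug: the scheme is ignored, so http://x/ and https://x/ collide.

    An assertion for the cleartext identifier would be accepted as proof of
    ownership of the HTTPS one, which is exactly what the thread objects to.
    """
    pa, pb = urlsplit(normalize_identifier(a)), urlsplit(normalize_identifier(b))
    return (pa.netloc, pa.path, pa.query) == (pb.netloc, pb.path, pb.query)


def same_identifier(a: str, b: str) -> bool:
    """Correct check: the scheme is part of the identifier, so it must match too."""
    return normalize_identifier(a) == normalize_identifier(b)


def accept_assertion(stored_claimed_id: str, asserted_claimed_id: str,
                     strict: bool = True) -> bool:
    """Constructed RP-side decision: does the asserted identifier match the one
    the user originally claimed? `strict=False` reproduces the flawed comparison."""
    compare = same_identifier if strict else same_identifier_insecure
    return compare(stored_claimed_id, asserted_claimed_id)


if __name__ == "__main__":
    # Constructed sample: the user started login with the HTTPS identifier,
    # and an assertion arrives naming the cleartext form of the same path.
    stored = "https://example.com/alice"
    asserted = "http://example.com/alice"
    print("flawed RP accepts:", accept_assertion(stored, asserted, strict=False))
    print("strict RP accepts:", accept_assertion(stored, asserted, strict=True))
```

The strict comparison is the only one that preserves whatever protection HTTPS gives the identifier; note that the redirect approach from the message above is compatible with it, because an RP that follows the redirect from the HTTP form ends up with the HTTPS URL as the identifier it stores and later compares against.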
