[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)

Martin Paljak martin at paljak.pri.ee
Fri Jan 2 21:56:11 UTC 2009


Martin, I should have started a new thread for my rant, but this
discussion just happened to trigger my typing flood.


"A New Way to look at Networking" @ http://video.google.com/videoplay?docid=-6972678839686672840

Around 59:00 is a nice slide about Security.

The whole talk is actually very enlightening.

m.
On 02.01.2009, at 23:41, Martin Atkins wrote:

> Martin Paljak wrote:
>>
>> On 02.01.2009, at 3:49, Martin Atkins wrote:
>>>>
>>> Two URLs that differ only in that the scheme is https vs. http
>>> *must* be considered to be different, otherwise any security benefits
>>> offered by using https are rendered ineffective. (You could just
>>> compromise the non-SSL version, ignoring the SSL version.)
>>
>> I've never quite understood the security or inherent "trust" of the
>> current PKI/HTTPS scheme. I know that most of the talk here is about
>> average users and actual risks have been small in 2008 and are
>> hopefully going to be small in 2009 as well, but the comforting signal
>> of "no-no, everything is just fine, nothing to see here, no reason to
>> worry, just pay more for EV certs and everything is magically going to
>> be just fine" from the CA industry and some folks, remind me the
>> (sorry for the comparison ... ) credit industry, which long tried to
>> and suggested to fix the now "apparently fundamental problems in the
>> financial system" with just more loan money. We all know what
>> eventually happened...
>>
> [snip]
>
> Note that I was very careful in my phrasing to say "...any security
> benefits offered". I think we're all agreed that SSL is not a panacea,
> but any benefits it *does* offer (and I hope we can agree that it is
> better than cleartext HTTP, despite not being perfect) are rendered moot
> if we consider two URLs that differ only in scheme to be equivalent.
>
> Providers that have been around for a while, like MyOpenID,
> unfortunately had to live through OpenID's bootstrapping period while
> library quality was low, SSL client support at relying parties was
> unreliable, and so non-SSL identifiers had to be available. They now
> find themselves in the unfortunate position of being unable to migrate
> to SSL. However, new providers (and new identifiers issued by existing
> providers) can now use SSL and only SSL, and make the HTTP identifiers
> simply redirect to HTTPS, which avoids the usability hurdle of making
> users type https: while preserving the benefits of using SSL.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
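The point Martin Atkins makes in the quoted reply, that a relying party must canonicalize identifiers but never treat the http: and https: forms of a URL as the same identity, is easy to get wrong in an RP. The following is an added illustration, not code from either poster or from any OpenID library: a small identifier normalizer (loosely following the URL-normalization rules of OpenID 2.0, which is an assumption about the intended behaviour) that folds case, default ports and fragments but keeps the scheme, shown beside the scheme-blind comparison the thread warns against.

```python
from urllib.parse import urlsplit, urlunsplit

# Default ports that may be dropped without changing the identifier.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(identifier: str) -> str:
    """Canonical form of a URL identifier for equality checks.

    Folds scheme and host case, strips a default port and any fragment,
    and gives an empty path a trailing "/". The scheme is preserved, so
    the http: and https: forms normalize to *different* strings.
    (Constructed example; hypothetical helper, not a library API.)
    """
    if "://" not in identifier:
        # OpenID 2.0 treats a bare identifier as an http: URL.
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported identifier scheme: {scheme!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port  # raises ValueError on a malformed port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    # Fragment is dropped: it is never sent to the server and carries no identity.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def same_identifier(a: str, b: str) -> bool:
    """Correct RP comparison: equal only if the canonical forms match,
    scheme included."""
    return normalize_identifier(a) == normalize_identifier(b)


def scheme_blind_equal(a: str, b: str) -> bool:
    """The mistake the thread describes: comparing identifiers with the
    scheme stripped, so an http: identity is accepted for an https: one.
    Kept here only as the counter-example."""
    strip = lambda u: normalize_identifier(u).split("://", 1)[1]
    return strip(a) == strip(b)


def accept_assertion(stored_claimed_id: str, asserted_claimed_id: str) -> bool:
    """RP-side check on return_to: the claimed_id in the positive assertion
    must be the very identifier discovered at the start of the flow."""
    return same_identifier(stored_claimed_id, asserted_claimed_id)


if __name__ == "__main__":
    # Constructed sample identifiers.
    discovered = "https://example.com/"
    for candidate in ("HTTPS://Example.com:443/#x", "http://example.com/"):
        print(candidate, "->", accept_assertion(discovered, candidate))
```

The last loop accepts the case-and-port variant of the https: identifier and rejects the http: one; swapping `same_identifier` for `scheme_blind_equal` in `accept_assertion` is exactly the bug that lets control of the cleartext URL stand in for the SSL one.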