<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Immad,<br>
<br>
I would say yes, https does make it significantly harder to do man in
the middle. In the absence of SSL, OpenID with DH is vulnerable to DNS
attacks. HTTPS assuming, as Peter mentioned, decent ciphersuites and
careful cert management, and full https compliance, makes it
significantly more difficult for an attacker to impersonate an OP.<br>
<br>
Cheers,<br>
<br>
Pat<br>
<br>
Immad Akhund wrote:
<blockquote
cite="mid1a338f430706140924j11cb05a1m83ceefba8b707c99@mail.gmail.com"
type="cite">thanks for the quick advice.<br>
<br>
Given that diffie hellman is
conducted with the openid provider is there actually any additional
security benefit with using https to communicate with the openid
provider? Does it make it significantly harder to do man in the middle
attacks (if thats its purpose)?
<br>
<br>
I hadn't considered that the identity could be under https but
the server not and vice-versa. Where would you see as the biggest
security benefit to use https?<span class="q"><br>
<br>
<blockquote
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"
class="gmail_quote">Sxipper also uses SSL, both for the OP-endpoint
and for identifiers.<br>
For the OP-endpoint we've also defined a lower priority HTTP service<br>
endpoint.</blockquote>
</span>
<div><br>
Do
consumers actually go to the lower priority http service endpoint
automatically if they fail in using the https service? Is this
specified in the protocol?
<br>
</div>
<br>
Thanks again,<br>
<span class="sg">Immad</span><br>
<br>
<div><span class="gmail_quote">On 13/06/07, <b
class="gmail_sendername">Johnny Bufu</b> <<a
href="mailto:johnny@sxip.com">johnny@sxip.com</a>> wrote:
</span>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
On 13-Jun-07, at 2:03 PM, Josh Hoyt wrote:<br>
<br>
>> Are there examples of https openid provider out their? (this
might
<br>
>> be a<br>
>> silly question)<br>
><br>
> MyOpenID.com supports SSL, but works both ways. For example, both<br>
> <a href="https://josh.myopenid.com/">https://josh.myopenid.com/</a>
and <a href="http://josh.myopenid.com/">
http://josh.myopenid.com/</a> work.<br>
<br>
Sxipper also uses SSL, both for the OP-endpoint and for identifiers.<br>
For the OP-endpoint we've also defined a lower priority HTTP service<br>
endpoint.<br>
<br>
Identifiers are HTTPS-only though; providing both HTTP and HTTPS
<br>
identifiers to a user may confuse them, because they will end up<br>
using different identities if they log into an RP by presenting<br>
"<a href="http://user.op.com">user.op.com</a>" vs "<a
href="https://user.op.com">
https://user.op.com</a>".<br>
<br>
<br>
Johnny<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
Cell: +1 617 449 8654<br>
Skype: i.akhund<br>
Blog: <a href="http://immadsnewworld.blogspot.com">http://immadsnewworld.blogspot.com
</a>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Pat Patterson - <a class="moz-txt-link-abbreviated" href="mailto:pat.patterson@sun.com">pat.patterson@sun.com</a>
Federation Architect,
Sun Microsystems, Inc.
<a class="moz-txt-link-freetext" href="http://blogs.sun.com/superpat">http://blogs.sun.com/superpat</a>
</pre>
</body>
</html>