<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Dmitry Shechtman wrote:
<blockquote cite="mid009201c7ca2d$7e036800$b0db17ac@a9a181c8860745f"
 type="cite">
  <pre wrap="">Thank you for your comments, John.

  </pre>
  <blockquote type="cite">
    <pre wrap="">In particular, if you see a 302 redirect on step (2) to an <a class="moz-txt-link-freetext" href="https://">https://</a> URL,
ignore it (susceptible to man-in-the-middle attack).
    </pre>
  </blockquote>
  <pre wrap=""><!---->
So should we distrust identifiers that redirect via plain HTTP?
  </pre>
</blockquote>
The attack vector:&nbsp; I poison your local DNS resolver, or proxy all
traffic, so that <a class="moz-txt-link-freetext" href="http://foo.blogspot.com">http://foo.blogspot.com</a> actually resolves to
<a class="moz-txt-link-freetext" href="http://evil.org">http://evil.org</a>'s IP.&nbsp; If you follow the 302 redirect, you could be
allowing evil.org to tell you what the "canonical" URL is.&nbsp; For example
it could do a 302 redirect over to <a class="moz-txt-link-freetext" href="https://evil.org">https://evil.org</a> which presents a
valid certificate and which can masquerade as the user's OP, capturing
their password.&nbsp; (For users who check URLs, it could be
<a class="moz-txt-link-freetext" href="https://my.open1d.org">https://my.open1d.org</a> instead of <a class="moz-txt-link-freetext" href="https://evil.org">https://evil.org</a>.)<br>
<br>
If you use https throughout, the DNS attack will fail because
<a class="moz-txt-link-freetext" href="https://foo.blogspot.com">https://foo.blogspot.com</a> can't present a valid certificate for
foo.blogspot.com.<br>
<blockquote cite="mid009201c7ca2d$7e036800$b0db17ac@a9a181c8860745f"
 type="cite">
  <pre wrap="">

  </pre>
  <blockquote type="cite">
    <pre wrap="">And the above applies both to an OpenID URL itself and any URLs that 
resource delegates to via &lt;link&gt;.
    </pre>
  </blockquote>
  <pre wrap=""><!---->
I don't see why delegates should get any special treatment. In fact, it
looks like the security add-on should be completely delegation-blind.
  </pre>
</blockquote>
(Same argument as above for 302 redirects.)&nbsp; Note that this is a fairly
difficult attack but we are talking about security-conscious RPs here.<br>
<blockquote cite="mid009201c7ca2d$7e036800$b0db17ac@a9a181c8860745f"
 type="cite">
  <pre wrap="">

Regards,
Dmitry
=damnian


  </pre>
</blockquote>
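The redirect rule discussed in this exchange, as an added illustration that is not code from either correspondent or from any OpenID library: a relying party's discovery step only honours a 302 when the hop that issued it was fetched over HTTPS (so the server has proved it holds a certificate for the host that was asked for), and only to another HTTPS URL. A redirect received over plain HTTP is refused, because with a poisoned resolver or an intercepting proxy the party issuing it is whoever controls the network. The host names are the ones used in the message; the HTTP responses and the <code>/profile</code> and <code>/op</code> paths are constructed for the example, and <code>fetch</code> is a caller-supplied stand-in for a real HTTP client.

```python
# Added example, not from the original thread or any OpenID implementation.
# Assumptions: fetch(url) returns (status, headers, body); responses below are constructed.
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class UntrustedRedirect(Exception):
    """Raised when discovery would have to trust a redirect it cannot verify."""


def redirect_is_trusted(current_url: str, location: str) -> bool:
    """A redirect is honoured only if the hop that issued it was authenticated.

    Over plain HTTP, whoever controls DNS or the network path can emit the 302,
    so nothing it says about the "canonical" URL can be trusted. Over HTTPS the
    server has presented a valid certificate for the host we asked for, so its
    redirect is accepted, but only to another HTTPS URL (never a downgrade).
    """
    cur = urlsplit(current_url)
    tgt = urlsplit(location)
    if cur.scheme != "https":
        return False
    if tgt.scheme != "https":
        return False
    return True


def discover(start_url, fetch, max_hops=5):
    """Fetch the claimed identifier and follow only trusted redirects.

    Returns (final_url, body). Raises UntrustedRedirect when a redirect is
    refused, so the RP never adopts an attacker-chosen canonical URL.
    The same policy applies to any URL a <link> delegation points at.
    """
    url = start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if status not in REDIRECT_STATUSES:
            return url, body
        raw_location = headers.get("Location")
        location = urljoin(url, raw_location or "")
        if not raw_location or not redirect_is_trusted(url, location):
            raise UntrustedRedirect(f"refusing redirect {url} -> {location!r}")
        url = location
    raise UntrustedRedirect("too many redirects")


# Constructed responses. The http://foo.blogspot.com entry models the
# poisoned-DNS case from the message: the host the RP believes it reached
# answers with a 302 to an attacker-controlled HTTPS site that does hold
# a valid certificate for its own name.
CONSTRUCTED_RESPONSES = {
    "http://foo.blogspot.com": (302, {"Location": "https://evil.org/openid"}, b""),
    "https://evil.org/openid": (200, {}, b"<link rel='openid.server' href='https://evil.org/op'>"),
    "https://foo.blogspot.com": (302, {"Location": "/profile"}, b""),
    "https://foo.blogspot.com/profile": (200, {}, b"<link rel='openid.server' href='https://foo.blogspot.com/op'>"),
}


def constructed_fetch(url):
    """Stand-in for an HTTP client: looks up the constructed responses above."""
    return CONSTRUCTED_RESPONSES.get(url, (404, {}, b""))


def discovery_outcome(start_url):
    """Return the final URL discovery settled on, or None if a redirect was refused."""
    try:
        final_url, _ = discover(start_url, constructed_fetch)
        return final_url
    except UntrustedRedirect:
        return None


if __name__ == "__main__":
    print(discovery_outcome("http://foo.blogspot.com"))   # None: 302 issued over plain HTTP
    print(discovery_outcome("https://foo.blogspot.com"))  # https://foo.blogspot.com/profile
```

With this policy the poisoned-DNS chain stops at the first hop: the RP keeps the identifier the user typed rather than adopting <code>https://evil.org</code> as canonical, while a site that serves its identifier over HTTPS throughout can still redirect within HTTPS as usual.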
<br>
</body>
</html>