[security] HTTP and HTTPS URL issue (was RE: security)

Gabe Wachob gabe.wachob at amsoft.net
Fri Oct 27 17:35:02 UTC 2006


Now, I'm confused. 

HTTPS and HTTP URIs are different from each other because they are.
Different schemes - go read RFC 3696, 2616, et al...

BUT, if we treat them the same, then aren't we opening up a new security
issue? 

If we treat them the same, then if I enter an HTTPS URI, that means a RP is
free to use the HTTP URI? 

Surely we don't mean "same" - we mean that HTTP URIs are transformed into
HTTPS URIs before being used for discovery via a simple transform -
s/^http:/https:/ ?

	-Gabe

> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Drummond Reed
> Sent: Friday, October 27, 2006 10:17 AM
> To: security at openid.net
> Cc: general at openid.net
> Subject: HTTP and HTTPS URL issue (was RE: security)
> 
> [Note: This thread is being moved to the security@ list. The general@
> list,
> where it originated, is being cc'd to notify everyone that discussion will
> proceed there. Please do not reply on the general list.]
> 
> >> On 10/26/06, Martin Atkins <mart at degeneration.co.uk> wrote:
> >>
> >>> Indeed, not long after I posted this I was reviewing the spec for
> other
> >>> reasons and found this:
> >>>
> >>>
> >> [spec quote about normalization snipped]
> >>
> >>> Note in particular the end of the first paragraph, which states simply
> >>> that one should prefix http://. HTTPS URLs must be spelled out as
> >>> https://, which is a bit of a shame (we're optimising for the insecure
> >>> case as far as users are concerned) but I can't think of any way to
> >>> securely support the short form of both http: and https: URLs.
> >>>
> >>Josh Hoyt wrote:
> >>
> >> Does this help?
> >>
> >> 12.4.1.  HTTP and HTTPS URL Identifiers
> >>
> >> Relying Parties MUST differentiate between URL Identifiers that have
> >> different schemes. When user input is processed into a URL, it is
> >> processed into a HTTP URL. If the same End User controls the same URL,
> >> differing only by scheme, and it is desired that the Identifier be the
> >> HTTPS URL, it is RECOMMENDED that a redirect be issued from the HTTP
> URL
> >> to the HTTPS URL. Because the HTTP and HTTPS URLs are not equivalent
> and
> >> the Identifier that is used is the URL after following redirects, there
> >> is no reduction in security when using this scheme.
> >> If an attacker could gain control of the HTTP URL, it would have no
> >> effect on the HTTPS URL, since the HTTP URL is not ever used as an
> >> Identifier.
> >>
> >> (http://openid.net/specs/openid-authentication-2_0-10.html#anchor39)
> >>
> >> Relying Parties MUST differentiate between URL Identifiers that have
> >> different schemes.
> >
> > Pete Rowley wrote:
> >
> >This is what allows the attack to be viable. This should be MUST NOT for
> >all parties, or in other words "URL identifiers differing in scheme MUST
> >be treated as equivalent for the purposes of identification."
> >
> >What were the reasons behind treating http and https identifiers as
> >unique from each other?
> 
> I agree with Pete. As elegant as it appears, there's a fatal flaw in this
> approach. If an attacker can gain control of an HTTP URL, they can CHANGE
> the HTTPS URL to which it points...
> 
> ...thereby completely stealing the identity.
> 
> The security implications of this are so important that I'm moving this
> thread over the security@ list. I propose we discuss it there until we
> come
> to a conclusion, then make sure that's reflected back to the general@
> list.
> 
> =Drummond
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
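As an added illustration of the two positions in this thread (example code written for this page, not from the OpenID spec or any project), the sketch below models the 12.4.1 rule quoted above: user input is processed into an HTTP URL, redirects are followed, and the URL after redirects is the identifier, with scheme treated as a distinguishing part of it. It also includes the one-line `s/^http:/https:/` transform Gabe asks about, so the two can be compared side by side. The hostnames and the redirect table are constructed stand-ins for live HTTP responses.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed redirect table standing in for live HTTP fetches.
# value = the Location the URL redirects to; None = the URL serves the
# identifier page itself (no redirect).
REDIRECTS = {
    "http://alice.example/": "https://alice.example/",   # owner redirects to HTTPS
    "https://alice.example/": None,
    "http://bob.example/": None,                          # plain HTTP identifier
    "http://loop.example/": "http://loop.example/",       # constructed loop
}


def normalize_user_input(text: str) -> str:
    """Turn typed input into a URL as 12.4.1 describes: a bare host is
    prefixed with http://; https:// must be spelled out by the user."""
    text = text.strip()
    if not re.match(r"^[a-zA-Z][a-zA-Z0-9+.\-]*://", text):
        text = "http://" + text
    parts = urlsplit(text)
    path = parts.path or "/"
    # lower-case scheme and host, drop any fragment
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def upgrade_scheme(url: str) -> str:
    """The transform from the message above: s/^http:/https:/ applied
    mechanically, without asking the URL's owner via a redirect."""
    return re.sub(r"^http:", "https:", url)


def follow_redirects(url: str, table=REDIRECTS, limit: int = 10) -> str:
    """Follow the constructed redirect chain; bound depth and detect loops
    so a hostile chain cannot run the RP forever."""
    seen = []
    for _ in range(limit):
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        seen.append(url)
        if url not in table:
            raise LookupError(f"no constructed response for {url}")
        target = table[url]
        if target is None:
            return url
        url = target
    raise ValueError("too many redirects")


def claimed_identifier(user_input: str, table=REDIRECTS) -> str:
    """Identifier per 12.4.1: normalized input, then the URL after redirects."""
    return follow_redirects(normalize_user_input(user_input), table)


def same_identifier(a: str, b: str) -> bool:
    """Relying Parties MUST differentiate by scheme, so compare whole URLs."""
    return a == b


if __name__ == "__main__":
    for typed in ("alice.example", "https://alice.example", "bob.example"):
        print(f"{typed!r:28} -> {claimed_identifier(typed)}")
    print("http vs https equivalent?",
          same_identifier("http://alice.example/", "https://alice.example/"))
    print("mechanical upgrade of bob:", upgrade_scheme(normalize_user_input("bob.example")))
```

With the redirect approach the HTTPS identifier is only reached because the owner of the HTTP URL points there, which is exactly the dependency Drummond's message objects to; the mechanical upgrade reaches an HTTPS URL for every input, including hosts like `bob.example` that never advertised one.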
