[security] HTTP and HTTPS URL issue (was RE: security)
Dan Lyke
danlyke at flutterby.com
Fri Oct 27 17:50:45 UTC 2006
On Fri, 27 Oct 2006 10:36:43 -0700, Martin Atkins wrote:
> They can steal the HTTP URL, but they cannot steal the
> HTTPS URL. OpenID canonicalization rules state that if
> the user enters http://something/ and it redirects,
> that the *target* URL is what you use as the claimed
> identifier.
Just to be careful, the particular vulnerability that makes HTTPS
desirable is that the DNS for the Claimed Identifier could be spoofed,
and HTTPS would prevent that by having a Certificate Authority vouch
for the association between the IP address and the name of the Claimed
Identifier.
Sooooo... having a redirect from an HTTP Claimed Identifier to an
HTTPS Claimed Identifier breaks the reason for using HTTPS.
Security is hard.
Dan
(Not doing a terribly good job of arguing against HTTPS in this
instance, but trying to be fair to all sides.)
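An added example (not from the list thread) showing the point of this exchange in code: a relying party that resolves a claimed identifier through redirects, per the OpenID rule Martin quotes, and then checks whether every hop of that chain was HTTPS. The redirect table and the example.example-style hostnames are constructed stand-ins for live discovery; the scheme-prepending step follows OpenID 2.0 identifier normalization.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for real HTTP discovery.
# None means the URL answered directly (no redirect).
REDIRECTS = {
    "http://alice.example/": "https://alice.example/",   # http -> https upgrade
    "https://alice.example/": None,
    "http://bob.example/": "http://bob.example/id/",     # plain http throughout
    "http://bob.example/id/": None,
}

def normalize_user_input(identifier):
    # OpenID 2.0 normalization: a bare hostname gets "http://" prepended,
    # so the first hop of discovery is plain HTTP unless the user typed https://.
    if "://" not in identifier:
        identifier = "http://" + identifier
    if urlsplit(identifier).path == "":
        identifier += "/"
    return identifier

def follow_redirects(url, table=REDIRECTS, max_hops=10):
    # Walk the redirect chain; return every URL visited, first to last.
    chain = [url]
    while table.get(chain[-1]) is not None:
        if len(chain) >= max_hops:
            raise ValueError("redirect loop or chain too long")
        chain.append(table[chain[-1]])
    return chain

def canonical_identifier(user_input, table=REDIRECTS):
    # The rule quoted in the thread: the redirect *target* is the Claimed Identifier.
    return follow_redirects(normalize_user_input(user_input), table)[-1]

def https_guarantee_holds(chain):
    # Dan's objection: the CA vouches only for the HTTPS hops. If any earlier hop
    # (including the one the user typed) was plain HTTP, a DNS spoof at that hop
    # could have pointed discovery somewhere else, so the guarantee is void.
    return all(urlsplit(u).scheme == "https" for u in chain)

def classify(user_input, table=REDIRECTS):
    # "secure": every hop HTTPS; "downgraded": ends in HTTPS but started over HTTP;
    # "plain": final identifier is not HTTPS at all.
    chain = follow_redirects(normalize_user_input(user_input), table)
    if https_guarantee_holds(chain):
        return "secure"
    if urlsplit(chain[-1]).scheme == "https":
        return "downgraded"
    return "plain"
```

An RP that wants the property Martin describes has to require "secure", not merely that the canonical identifier happens to begin with https://.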