[security] HTTP and HTTPS URL issue (was RE: security)
Martin Atkins
mart at degeneration.co.uk
Fri Oct 27 17:57:25 UTC 2006
Dan Lyke wrote:
> On Fri, 27 Oct 2006 10:36:43 -0700, Martin Atkins wrote:
>> They can steal the HTTP URL, but they cannot steal the
>> HTTPS URL. OpenID canonicalization rules state that if
>> the user enters http://something/ and it redirects,
>> that the *target* URL is what you use as the claimed
>> identifier.
>
> Just to be careful, the particular vulnerability that makes HTTPS
> desirable is that the DNS for the Claimed Identifier could be spoofed,
> and HTTPS would prevent that by having a Certificate Authority vouch
> for the association between the IP address and the name of the Claimed
> Identifier.
>
> Sooooo... having a redirect from an HTTP Claimed Identifier to an
> HTTPS Claimed Identifier breaks the reason for using HTTPS.
>
No, it does not. Compromising the HTTP URL does *not* compromise the
HTTPS URL in any sense.
The HTTP URL is compromised, but the user hasn't been using that as an
identifier anyway, and we consider the HTTP and HTTPS URLs to be
distinct. We consider them to be distinct for this very reason, in fact.
More information about the security
mailing list