[security] HTTP and HTTPS URL issue (was RE: security)

Josh Hoyt josh at janrain.com
Fri Oct 27 18:00:06 UTC 2006


On 10/27/06, Dan Lyke <danlyke at flutterby.com> wrote:
> Just to be careful, the particular vulnerability that makes HTTPS
> desirable is that the DNS for the Claimed Identifier could be spoofed,
> and HTTPS would prevent that by having a Certificate Authority vouch
> for the association between the IP address and the name of the Claimed
> Identifier.
>
> Sooooo... having a redirect from an HTTP Claimed Identifier to an
> HTTPS Claimed Identifier breaks the reason for using HTTPS.

No, it doesn't. An attacker can make the HTTP URL redirect to a
different HTTPS URL, but that does not hijack the good HTTPS URL or
the original HTTP URL precisely because all three are different
identifiers, not synonyms.

URL identifiers in OpenID do not have synonyms. Redirects just act
like typing the target identifier into the original form.

> Security is hard.

It is.

Josh
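Josh's point about redirects producing a distinct identifier, as an added Python model that is not code from the thread or from any OpenID library: discovery follows redirects and the final URL becomes the Claimed Identifier, so a spoofed HTTP redirect lands on an identifier the RP has no account bound to. The normalization rules, the in-memory "web" mappings and the account bindings are assumed simplifications constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed in-memory "web": URL -> ("redirect", target) or ("page", html).
# Honest case: the HTTP identifier redirects to the owner's own HTTPS URL.
LEGIT_WEB = {
    "http://alice.example.com/": ("redirect", "https://alice.example.com/"),
    "https://alice.example.com/": ("page", "<!-- Alice's OpenID page -->"),
}

# Spoofed-DNS case: whoever answers for the HTTP name can only redirect to an
# HTTPS URL they hold a valid certificate for, i.e. a different identifier.
SPOOFED_WEB = {
    "http://alice.example.com/": ("redirect", "https://other.example.net/alice"),
    "https://other.example.net/alice": ("page", "<!-- someone else's page -->"),
}

def normalize(identifier):
    """Assumed simplified URL-identifier normalization: add http:// when no
    scheme is given, lowercase scheme and host, drop the fragment, and use
    '/' for an empty path."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))

def discover(web, user_input, max_redirects=5):
    """Follow redirects the way an RP's discovery would; the URL that finally
    serves a page is the Claimed Identifier (no synonyms, no aliasing)."""
    url = normalize(user_input)
    for _ in range(max_redirects):
        kind, value = web.get(url, ("missing", None))
        if kind == "redirect":
            url = normalize(value)
        elif kind == "page":
            return url
        else:
            raise LookupError(f"no OpenID document at {url}")
    raise LookupError("too many redirects")

def account_for(bindings, claimed_identifier):
    """RP account lookup keyed on the exact Claimed Identifier string."""
    return bindings.get(claimed_identifier)
```

With the RP's account bound to the legitimate HTTPS identifier, the redirect reached through the spoofed HTTP name resolves to a different string and matches no account.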
