[security] HTTP and HTTPS URL issue (was RE: security)
Martin Atkins
mart at degeneration.co.uk
Fri Oct 27 18:00:54 UTC 2006
Drummond Reed wrote:
>
> Which brings us back to the original point, which is that if the attacker
> can compromise the user's HTTP URL, they can instead substitute the location
> of the XRDS document, and thus authenticate to the user's HTTP URL, thereby
> gaining access to resources that the user has secured under that identifier.
>
> Would you agree that to prevent against THAT attack, a user must be using an
> HTTPS URL?
>
Yes. This is a potential attack on an HTTP identifier URL, but it has
nothing to do with the HTTP URL redirecting to HTTPS, and doesn't affect
the security of the "matching" HTTPS identifier.