[security] HTTP and HTTPS URL issue (was RE: security)
Dan Lyke
danlyke at flutterby.com
Fri Oct 27 18:13:32 UTC 2006
On Fri, 27 Oct 2006 10:57:25 -0700, Martin Atkins wrote:
> No, it does not. Compromising the HTTP URL does *not* compromise the
> HTTPS URL in any sense.

But if you have control over the DNS when the HTTP URL is requested
(which is what HTTPS protects against in this instance), you can
redirect it to any HTTPS URL you wish, and that resulting URL becomes
the claimed identifier.

So if you have control over the DNS of both the user and the Relying
Party, you social engineer the CA into issuing a dummy cert for the
domain to whatever IP address you've hijacked (which, actually, means
that HTTPS buys nothing in either case).

However...

If you can gain control over the DNS of *just* the Relying Party, then
all you need is a host which has a valid certificate (which takes me
back to my "hijacked PC, stolen credit card and a pay phone" comment),
and you tell the Relying Party that all addresses are approved, then
you can log in without having to validate yourself to the Identity
Provider.

The only place in the protocol that HTTPS actually does substantial
good is for the initial load of the Claimed Identifier (and things
outside of OpenID's purview, like the user's conversation with their
Identity Provider). After that, snooping buys you nothing and DNS
control is nothing you couldn't do *more* damage with by controlling
the Claimed Identifier.

Dan
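
The point above about the initial load of the Claimed Identifier, as an added example that is not part of the original message: a Relying Party can record whether every hop from the entered URL to the final identifier was fetched over HTTPS before treating that identifier as TLS-protected. The function names, the redirect table and the hop limit are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect table standing in for live fetches: url -> (status, Location).
SAMPLE_RESPONSES = {
    "http://user.example/": (302, "https://user.example/"),
    "https://user.example/": (200, None),
    "https://alice.example/": (301, "/id"),
    "https://alice.example/id": (200, None),
}

REDIRECTS = {301, 302, 303, 307}
MAX_HOPS = 5  # assumed limit, not taken from the message


def resolve_claimed_identifier(entered_url, responses):
    """Follow redirects from the URL the user entered.

    Returns (claimed_identifier, plaintext_hops). plaintext_hops lists every
    URL in the chain that was fetched without TLS. A redirect read from such
    a hop could have been rewritten by whoever controls DNS for that request,
    so the final HTTPS URL says nothing about where the user meant to go.
    """
    url, plaintext_hops, seen = entered_url, [], set()
    for _ in range(MAX_HOPS + 1):
        if url in seen:
            raise ValueError("redirect loop at " + url)
        seen.add(url)
        if urlsplit(url).scheme.lower() != "https":
            plaintext_hops.append(url)
        status, location = responses[url]
        if status not in REDIRECTS or not location:
            return url, plaintext_hops
        url = urljoin(url, location)  # relative Location values are allowed
    raise ValueError("too many redirects")


def tls_protected(entered_url, responses):
    """True only if every hop, starting with the entered URL, used HTTPS."""
    _, plaintext_hops = resolve_claimed_identifier(entered_url, responses)
    return not plaintext_hops
```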