[security] HTTP and HTTPS URL issue (was RE: security)
Martin Atkins
mart at degeneration.co.uk
Fri Oct 27 18:27:29 UTC 2006
Dan Lyke wrote:
> On Fri, 27 Oct 2006 10:57:25 -0700, Martin Atkins wrote:
>> No, it does not. Compromising the HTTP URL does *not* compromise the
>> HTTPS URL in any sense.
>
> But if you have control over the DNS when the HTTP URL is requested
> (which is what HTTPS protects against in this instance), you can
> redirect it to any HTTPS URL you wish, and that resulting URL becomes
> the claimed identifier.
>
All you achieve in that case is (at worst) causing the legitimate user
to log in as a different identifier.
> So if you have control over the DNS of both the user and the Relying
> Party, you social engineer the CA into issuing a dummy cert for the
> domain to whatever IP address you've hijacked (which, actually, means
> that HTTPS buys nothing in either case).
>
Well, that's just darned obvious. You've basically said "if you can
compromise SSL then SSL is useless".
We've got a limited amount of options for increasing security of OpenID
transactions. Social engineering or not, SSL adds another obstacle to
the attack; the more obstacles the better! Defense in depth, and all that.