[security] HTTP and HTTPS URL issue (was RE: security)
Dan Lyke
danlyke at flutterby.com
Fri Oct 27 18:53:09 UTC 2006
On Fri, 27 Oct 2006 11:00:06 -0700, Josh Hoyt wrote:
> No, it doesn't. An attacker can make the HTTP URL redirect to a
> different HTTPS URL, but that does not hijack the good HTTPS URL or
> the original HTTP URL precisely because all three are different
> identifiers, not synonyms.
Aha.
Okay, so the IdP Endpoint URL that the User gets redirected to for
authentication is the same one from which the Relying Party retrieves
the User's credentials; thus, as long as the User checks their address
bar when authenticating with the IdP Endpoint URL and the Relying
Party gets a CA to vouch for the IdP Endpoint URL, life is good.
Thus I was wrong in my earlier assertion and, in fact, it's the IdP
Endpoint URL that needs to be authenticated to both the User and the
Relying Party.
Dan