[security] Phishing issues with return_to url and realm
Dick Hardt
dick at sxip.com
Fri Feb 9 01:35:43 UTC 2007
On 8-Feb-07, at 5:29 PM, Allen Tom wrote:
> Hi Dick,
>
> Redirect services won't redirect a POST, or at least not the POST
> data. One potential issue with using POST is that Javascript is
> required to submit the POST automatically which prevents non-JS
> enabled clients from using the service.
Agreed. But POST is needed as soon as the payload gets large.
>
> I also believe that there may be some usability issues with
> submitting a form via HTTP from a form on an HTTPS site. This is
> the case where an HTTPS OP POSTs the response to an HTTP RP. Some
> browsers, most notably IE, display a scary warning dialog box when
> this happens, however, just doing a redirect doesn't cause the same
> warning.
The solution is to transition to HTTP with a GET redirect before
doing an HTTP POST to an HTTP-speaking RP. Since the RP is HTTP, HTTP
to the OP at this stage is not any less secure. We did this with SXIP.
>
> Even using POST doesn't get away from the original issue where the
> OP is telling the user that they're logging into site X, but
> they're not. Philosophically, I believe that users need to trust
> their OP. If return_to verification isn't done, then the OP isn't
> really sure where it's sending the response.
Agreed that RP identification is useful. There is another thread
about how the RP identifies itself, with models similar to what
MS did in CardSpace with signed graphics.
I think there is merit to your suggestion about the OP checking the
return_to and would like to continue that discussion!
-- Dick
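The return_to check discussed above, as an added illustration that is not code from this thread or from any OpenID library: an OP that verifies the return_to URL against the realm before issuing the assertion knows where the response is going. The function below follows the OpenID Authentication 2.0 realm-matching rules (same scheme and port, path equal to or under the realm path, host equal to the realm host or, for a "*." wildcard realm, the realm domain or a dotted subdomain of it); reading "trailing part of the domain" as a dotted suffix is an assumption made here.

```python
# Added example: OpenID 2.0 style realm matching for a return_to URL.
# Not from the mailing-list thread; the dotted-suffix reading of the
# wildcard rule is an assumption of this example.
from urllib.parse import urlsplit


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Return True if return_to lies inside realm; False otherwise."""
    rt = urlsplit(return_to)
    rl = urlsplit(realm)

    # Only http(s) URLs are valid, and a realm must not carry a fragment.
    if rt.scheme not in ("http", "https") or rl.scheme not in ("http", "https"):
        return False
    if rl.fragment:
        return False

    # Scheme must match exactly (an https realm does not cover http).
    if rt.scheme != rl.scheme:
        return False

    # Ports must match, treating an absent port as the scheme default.
    default_port = 443 if rl.scheme == "https" else 80
    if (rt.port or default_port) != (rl.port or default_port):
        return False

    rt_host = (rt.hostname or "").lower()
    rl_host = (rl.hostname or "").lower()
    if rl_host.startswith("*."):
        # Wildcard realm: return_to host is the realm domain itself or a
        # subdomain of it. A bare suffix match would let "notexample.com"
        # pass for "*.example.com", so require the dot (assumption).
        domain = rl_host[2:]
        if rt_host != domain and not rt_host.endswith("." + domain):
            return False
    elif "*" in rl_host:
        return False  # a wildcard is only allowed as a leading "*."
    elif rt_host != rl_host:
        return False

    # Path must be the realm path or a sub-directory of it; compare on a
    # trailing slash so "/app" does not cover "/application".
    rl_path = rl.path or "/"
    rt_path = rt.path or "/"
    if rt_path == rl_path:
        return True
    if not rl_path.endswith("/"):
        rl_path += "/"
    return rt_path.startswith(rl_path)
```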