[security] HTTP vs HTTPS based OpenIDs

Jacob Bellamy toarms at gmail.com
Tue Dec 8 22:48:39 UTC 2009


Looking at the OpenID best practices
(http://test-id.org/RP/IgnoresContentLocationHeader.aspx), I see one part
of interest:
OpenID Providers are highly recommended to issue HTTPS Identifiers to their
users.  

In practice however it looks as though most OpenID providers do not do this.
Even Verisign's OpenIDs are prefixed by HTTP.

I've recently taken an interest in OpenID and set up my own OpenID provider
using Atlassian's Crowd, and I have set it up so that both HTTP and HTTPS
OpenIDs are available. In the case with the HTTP OpenIDs, I have the login
page covered by SSL, but the rest is HTTP. The HTTPS OpenIDs are more ideal,
but I have encountered a rather large number of sites which simply do not
seem to accept them. For instance, none of the mediawiki sites using the
OpenID extension listed http://www.mediawiki.org/wiki/OpenID seem to accept
them, and neither does my locally hosted Wordpress page with their OpenID
plugin. Both seem to be using the OpenIDEnabled php library, so it might be
an issue with that. 

So, as far as I can tell there are three main approaches:
1. Use HTTP based OpenIDs and perform SSL for the login.
2. Use an HTTP based OpenID which delegates the authentication to the HTTPS
version.
3. Use an HTTPS based OpenID.

Feel free to pipe in with any other alternatives that you can think of.
So my question is what do you gain/lose with each option? Is 2 any less
secure than 3?  Do you lose much by only performing SSL on the login? 
-- 
View this message in context: http://old.nabble.com/HTTP-vs-HTTPS-based-OpenIDs-tp26685482p26685482.html
Sent from the OpenID - Security mailing list archive at Nabble.com.
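As an added example (not part of the original post, and not code from Crowd or the OpenIDEnabled library): a small Python checker that performs HTML-based OpenID discovery on constructed identifier pages and reports what each of the three options above exposes. The hostnames, paths and page contents are made up for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed identifier pages (not fetched from anywhere); hostnames are made up.
DELEGATING_DOC = """<html><head>
<link rel="openid2.provider" href="https://id.example.test/openid/op">
<link rel="openid2.local_id" href="https://id.example.test/users/jacob">
<link href="https://id.example.test/openid/op" rel="openid.server">
<link href="https://id.example.test/users/jacob" rel="openid.delegate">
</head><body>identifier page served over plain HTTP</body></html>"""

HTTP_ONLY_DOC = """<html><head>
<link rel="openid2.provider" href="http://id.example.test/openid/op">
<link rel="openid.server" href="http://id.example.test/openid/op">
</head></html>"""

RISK_ID_HTTP = "claimed identifier is HTTP: discovery document can be altered in transit"
RISK_EP_HTTP = "OP endpoint is HTTP: RP-to-OP association and verification traffic is unprotected"
RISK_NO_EP = "no OpenID endpoint found by HTML discovery"

LINK_TAG_RE = re.compile(r"<link\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'([\w.-]+)\s*=\s*"([^"]*)"')

def parse_discovery(html):
    """HTML-based discovery: map each OpenID 1.1/2.0 link rel value to its href."""
    links = {}
    for attrs in LINK_TAG_RE.findall(html):
        a = {k.lower(): v for k, v in ATTR_RE.findall(attrs)}
        if "rel" in a and "href" in a:
            for rel in a["rel"].lower().split():  # rel may carry several values
                links[rel] = a["href"]
    return links

def assess(claimed_id, html):
    """Resolve endpoint and local identifier, and list what the deployment exposes."""
    links = parse_discovery(html)
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    local_id = links.get("openid2.local_id") or links.get("openid.delegate") or claimed_id
    risks = []
    if urlsplit(claimed_id).scheme != "https":
        risks.append(RISK_ID_HTTP)  # options 1 and 2: the identifier page itself is on HTTP
    if endpoint is None:
        risks.append(RISK_NO_EP)
    elif urlsplit(endpoint).scheme != "https":
        risks.append(RISK_EP_HTTP)  # option 1: only the login page is behind SSL
    return {"endpoint": endpoint, "local_id": local_id, "risks": risks}
```

Running `assess` with an HTTPS claimed identifier against DELEGATING_DOC (option 3) yields no findings; the HTTP identifier with the same page (option 2) still reports that the discovery document travels unprotected, which is the difference between options 2 and 3.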
