[security] HTTP vs HTTPS based OpenIDs

Andrew Arnott andrewarnott at gmail.com
Tue Dec 8 22:58:31 UTC 2009


Your link to the OpenID best practices is wrong. :)  I suspect you meant
http://wiki.openid.net/OpenID-Security-Best-Practices

And anything short of what would satisfy the RequireSsl profile
<http://wiki.openid.net/RequireSsl-Profile?SearchFor=requiressl&sp=1>
opens the user up to identity spoofing via a DNS-poisoning attack.
The entire discovery and authentication phase must be done over HTTPS to be
a secure login experience.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Tue, Dec 8, 2009 at 2:48 PM, Jacob Bellamy <toarms at gmail.com> wrote:

>
> Looking at the OpenID best practices
> (http://test-id.org/RP/IgnoresContentLocationHeader.aspx), I see one part
> of interest:
> "OpenID Providers are highly recommended to issue HTTPS Identifiers to their
> users."
>
> In practice however it looks as though most OpenID providers do not do
> this.
> Even Verisign's OpenID are prefixed by HTTP.
>
> I've recently taken an interest in OpenID and set up my own OpenID provider
> using Atlassian's Crowd, and I have set it up so that both HTTP and HTTPS
> OpenIDs are available. In the case with the HTTP OpenIDs, I have the login
> page covered by SSL, but the rest is HTTP. The HTTPS OpenIDs are more ideal,
> but I have encountered a rather large number of sites which simply do not
> seem to accept them. For instance, none of the mediawiki sites using the
> OpenID extension listed at http://www.mediawiki.org/wiki/OpenID seem to
> accept them, and neither does my locally hosted Wordpress page with their
> OpenID plugin. Both seem to be using the OpenIDEnabled PHP library, so it
> might be an issue with that.
>
> So, as far as I can tell there are three main approaches:
> 1. Use HTTP based OpenIDs and perform SSL for the login.
> 2. Use an HTTP based OpenID which delegates the authentication to the HTTPS
> version.
> 3. Use an HTTPS based OpenID.
>
> Feel free to pipe in with any other alternatives that you can think of.
> So my question is what do you gain/lose with each option? Is 2 any less
> secure than 3?  Do you lose much by only performing SSL on the login?
> --
> View this message in context:
> http://old.nabble.com/HTTP-vs-HTTPS-based-OpenIDs-tp26685482p26685482.html
> Sent from the OpenID - Security mailing list archive at Nabble.com.
>
> _______________________________________________
> security mailing list
> security at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-security
>
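The RequireSsl point in the reply above, applied to the three approaches in the quoted question, as an added example that is not part of the thread: a relying-party-side check (hypothetical helper, not any library's API) that parses an HTML discovery document fetched for an identifier and lists each step a DNS-poisoning attacker could tamper with. The identifiers, hostnames and discovery pages are constructed inline, so nothing is fetched from the network.

```python
# Added example (not from the thread): an RP-side check in the spirit of the
# RequireSsl profile. Given an OpenID identifier and the HTML discovery page
# obtained from it, report every hop that is not protected by HTTPS.
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkRels(HTMLParser):
    """Collect <link rel=... href=...> pairs from an HTML discovery page."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            self.links[rel.lower()] = a.get("href") or ""

def require_ssl_issues(identifier, discovery_html):
    """Return the reasons a login would NOT satisfy RequireSsl.
    An empty list means identifier, OP endpoint and any delegate are all HTTPS."""
    issues = []
    if urlparse(identifier).scheme != "https":
        # Discovery over plain HTTP: an attacker who poisons DNS can serve any
        # <link> tags, so nothing discovered below can be trusted (option 1 and 2).
        issues.append("identifier is not https: discovery is tamperable")
    p = _LinkRels()
    p.feed(discovery_html)
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")
    delegate = p.links.get("openid2.local_id") or p.links.get("openid.delegate")
    if not endpoint:
        issues.append("no OP endpoint found in discovery document")
    elif urlparse(endpoint).scheme != "https":
        issues.append("OP endpoint is not https: auth request/response exposed")
    if delegate and urlparse(delegate).scheme != "https":
        issues.append("delegated identifier is not https")
    return issues

# Constructed sample discovery pages (hostnames are placeholders).
HTTP_ID_SSL_LOGIN = '<link rel="openid2.provider" href="https://op.example.test/server">'
HTTP_ID_DELEGATING = ('<link rel="openid2.provider" href="https://op.example.test/server">'
                      '<link rel="openid2.local_id" href="https://op.example.test/u/jacob">')

if __name__ == "__main__":
    for ident, html in [("http://op.example.test/u/jacob", HTTP_ID_SSL_LOGIN),   # option 1
                        ("http://jacob.example.test/", HTTP_ID_DELEGATING),       # option 2
                        ("https://op.example.test/u/jacob", HTTP_ID_DELEGATING)]: # option 3
        print(ident, require_ssl_issues(ident, html) or "ok")
```

Options 1 and 2 both fail on the same point: the delegate and endpoint may be HTTPS, but the plain-HTTP discovery step that names them can be rewritten by whoever controls DNS resolution for the identifier's host.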

