[security] HTTP vs HTTPS based OpenIDs

Trevor Johns trevor at tjohns.net
Tue Dec 8 23:19:55 UTC 2009


On Tue, 8 Dec 2009 14:48:39 -0800 (PST), Jacob Bellamy <toarms at gmail.com>
wrote:
> 
> Looking at the OpenID best practices
> (http://test-id.org/RP/IgnoresContentLocationHeader.aspx), I see one part
> of interest:
> OpenID Providers are highly recommended to issue HTTPS Identifiers to their
> users.
> 
> In practice however it looks as though most OpenID providers do not do
> this.
> Even Verisign's OpenIDs are prefixed by HTTP.

Verisign's OpenIDs will work with either. I use them with HTTPS
exclusively.

> I've recently taken an interest in OpenID and set up my own OpenID provider
> using Atlassian's Crowd, and I have set it up so that both HTTP and HTTPS
> OpenIDs are available. In the case with the HTTP OpenIDs, I have the login
> page covered by SSL, but the rest is HTTP. The HTTPS OpenIDs are more ideal,
> but I have encountered a rather large number of sites which simply do not
> seem to accept them. For instance, none of the mediawiki sites using the
> OpenID extension listed http://www.mediawiki.org/wiki/OpenID seem to accept
> them, and neither does my locally hosted Wordpress page with their OpenID
> plugin. Both seem to be using the OpenIDEnabled php library, so it might be
> an issue with that.

In my experience, most of the libraries (including the one for MediaWiki,
at least as of a year ago) handle HTTPS properly. The problem is usually
related to the environment of people *using* the libraries.

Since there's so few HTTPS OpenIDs out there, it just never gets tested.

> So, as far as I can tell there are three main approaches:
> 1. Use HTTP based OpenIDs and perform SSL for the login.
> 2. Use an HTTP based OpenID which delegates the authentication to the
>    HTTPS version.
> 3. Use an HTTPS based OpenID.
> 
> Feel free to pipe in with any other alternatives that you can think of.
> So my question is what do you gain/lose with each option? Is 2 any less
> secure than 3?  Do you lose much by only performing SSL on the login? 

Using HTTP anywhere in the OpenID flow is bad. Period.

That being said, how bad depends on what an attacker can get access to.

(For example, an HTTP OpenID provider with HTTPS login will protect you
against an attack on your end of the connection, but won't protect you
against an attacker intercepting traffic between the RP and OP.)

-- 
Trevor Johns
http://tjohns.net
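
Added example (not part of the original message and not code from any OpenID library): a small Python check that lists which URLs in an identifier's HTML discovery page are not HTTPS, applied to the options discussed in the thread. The example.org URLs and the name audit_identifier are made up for illustration; the rel values are those of OpenID 1.1/2.0 HTML-based discovery.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values used by OpenID HTML-based discovery (1.1 and 2.0)
ENDPOINT_RELS = {"openid.server", "openid2.provider"}
DELEGATE_RELS = {"openid.delegate", "openid2.local_id"}


class _LinkCollector(HTMLParser):
    """Collect (rel, href) pairs from <link> tags of a discovery page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():
            if a.get("href"):
                self.links.append((rel, a["href"]))


def audit_identifier(claimed_id, discovery_html):
    """Return (hop, url) for every hop of discovery that is not HTTPS."""
    parser = _LinkCollector()
    parser.feed(discovery_html)
    hops = [("claimed identifier", claimed_id)]
    for rel, href in parser.links:
        kind = ("OP endpoint" if rel in ENDPOINT_RELS else
                "delegated identifier" if rel in DELEGATE_RELS else None)
        if kind and (kind, href) not in hops:
            hops.append((kind, href))
    return [(hop, url) for hop, url in hops
            if urlparse(url).scheme.lower() != "https"]


# Constructed sample for option 2: an HTTP identifier whose page
# delegates to an HTTPS provider (placeholder host names).
OPTION_2_PAGE = """<html><head>
<link rel="openid2.provider openid.server" href="https://op.example.org/server">
<link rel="openid2.local_id openid.delegate" href="https://op.example.org/user/alice">
</head></html>"""

if __name__ == "__main__":
    for hop, url in audit_identifier("http://alice.example.org/", OPTION_2_PAGE):
        print(f"plaintext hop: {hop}: {url}")
```

For option 2 the only hop reported is the claimed identifier itself, which is the page the RP fetches to learn which provider to trust; for option 3 with the same page nothing is reported.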

