[security] HTTP vs HTTPS based OpenIDs

Jonathan Coffman jonathan.coffman at gmail.com
Wed Dec 9 03:54:45 UTC 2009


I can say at least for our internal OP we're using HTTPS throughout,  
but definitely have noticed in my exploits across the web that it  
varies a lot between RPs.

Anything that can be done to drive toward being more secure is a good  
thing (and I suspect is ultimately a better user experience anyway).

-Jonathan

On Dec 8, 2009, at 6:45 PM, Trevor Johns wrote:

> On Tue, 8 Dec 2009 15:31:40 -0800 (PST), Jacob Bellamy <toarms at gmail.com> wrote:
>>
>> You are right Trevor that it might not be any problem with the
>> libraries and extensions themselves, but in my own experience trying
>> to use HTTPS OpenIDs with either of the WordPress or MediaWiki
>> extensions does not work out of the box. There could be some
>> additional tweaking or configuring required to make it do so.
>
> A common problem is that PHP isn't compiled with SSL support.
>
> Other times it's compiled as an extension that needs to be explicitly
> enabled in your php.ini.
>
> Try running examples/detect.php in the php-openid library and see if
> it works. (http://openidenabled.com/php-openid/) I know for a fact that
> library supports HTTPS, and that's what the MediaWiki plugin relies on.
>
> -- 
> Trevor Johns
> http://tjohns.net
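
The two causes named in the quoted reply (PHP compiled without SSL support, or the extension not enabled in php.ini) can be checked directly from PHP. The script below is an added example, not part of the original thread and not php-openid's examples/detect.php; the helper names `https_capabilities` and `can_fetch_https` are hypothetical.

```php
<?php
// Added example, not php-openid's examples/detect.php.
// Reports whether this PHP build can make outbound TLS connections,
// which a relying party needs to resolve https:// OpenID identifiers.

// Hypothetical helper: collect the SSL-related capabilities of this build.
function https_capabilities(): array
{
    $caps = [
        // OpenSSL compiled in, or loaded as an extension via php.ini
        'openssl extension'    => extension_loaded('openssl'),
        // ssl:// or tls:// socket transport (used by fsockopen-style fetchers)
        'ssl/tls transport'    => (bool) array_intersect(['ssl', 'tls'], stream_get_transports()),
        // https:// stream wrapper (used by fopen/file_get_contents)
        'https stream wrapper' => in_array('https', stream_get_wrappers(), true),
        // URL-aware fopen wrappers can be disabled in php.ini
        'allow_url_fopen'      => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'curl extension'       => extension_loaded('curl'),
        'curl built with SSL'  => false,
    ];
    if ($caps['curl extension']) {
        $info = curl_version();
        $caps['curl built with SSL'] =
            ($info['features'] & CURL_VERSION_SSL) !== 0
            && in_array('https', $info['protocols'], true);
    }
    return $caps;
}

// Hypothetical helper: true if at least one fetch path can speak HTTPS.
function can_fetch_https(array $caps): bool
{
    $viaCurl    = $caps['curl built with SSL'];
    $viaSocket  = $caps['openssl extension'] && $caps['ssl/tls transport'];
    $viaWrapper = $caps['https stream wrapper'] && $caps['allow_url_fopen'];
    return $viaCurl || $viaSocket || $viaWrapper;
}

$caps = https_capabilities();
foreach ($caps as $name => $ok) {
    printf("%-22s %s\n", $name, $ok ? 'yes' : 'NO');
}
if (!can_fetch_https($caps)) {
    // Point at the php.ini in effect so the extension can be enabled there.
    printf("No HTTPS-capable fetch path. Loaded php.ini: %s\n",
        php_ini_loaded_file() ?: '(none)');
    exit(1);
}
```

Run it under the same PHP binary and php.ini that the web server uses, since the command-line PHP often loads a different configuration.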


