[security] Please convince me not to ban SSL (OP's)
Adam Barth
hk9565 at gmail.com
Fri May 8 06:49:43 UTC 2009
One thing you might consider is that the network attacker might be
able to compromise some network links but not others. For example,
when I use OpenID on a wireless network in a coffee shop, it's fairly
easy for an attacker to interfere with my connection to an HTTP OP,
but it's much harder for that attacker to interfere with the backend
communication between the RP and the server that hosts my URI
identity.
Adam
On Thu, May 7, 2009 at 9:27 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
> I've been trying to go from "reasonable security" to "maximum security", and
> it's driving me up the proverbial wall. Spoofing (of DNS), where SSL is
> absent, has two forms that I can see: one is to spoof the OP client-side,
> and that much I can at least hold users responsible for - they need to
> look for that lock icon, and respond cautiously to bad certs. But it's
> *RP*-side that gets more complicated, if the URI itself is not served over
> SSL, because if the *server* gets fooled it will happily allow the "user" to
> authenticate with a new OP that has a perfectly valid and legitimate cert.
> So, while I'm not worried about a user giving away the credentials with
> their OP to an attacker, I *am* worried about an attacker posing as the user
> and tricking my server into accepting that claim.
>
> If the URI doesn't have SSL, it seems somewhat less than useless to put
> effort into supporting SSL for OP's. If the attacker is going to go to all
> the trouble of spoofing my server to pretend to be an OP, they might as well
> do it for the URI, in which case SSL won't help.
>
> Apart from the niche case of an OP forgetting to renew their domain and
> someone else promptly putting it to bad use, I can imagine someone breaking
> into the OP's account with a registrar and redirecting traffic; this would
> limit the attacker's ability to compromise DNS to that single domain. This
> seems to be a strong argument for using SSL on OP's, but I still find myself
> unconvinced. If I'm missing something, please let me know.
>
> -Shade
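
Added example, not part of either message above: a simplified Python model of the argument in the reply, that an attacker may sit on one network link but not the other, so TLS on the OP still matters when the identity URI is plain HTTP. The link names, function names and example.* hosts are assumptions made for illustration, and only URL identifiers (not XRIs) are handled.

```python
from urllib.parse import urlsplit

# Simplified model (assumption): only the two links named in the thread.
RP_TO_IDENTITY = "rp-to-identity-uri"   # RP's backend fetch of the claimed URI
USER_TO_OP = "user-to-op"               # user's browser talking to the OP


def normalize_identifier(user_input):
    """OpenID 2.0 normalization for URL identifiers: no scheme means http://."""
    text = user_input.strip()
    if not text.lower().startswith(("http://", "https://")):
        text = "http://" + text
    return text


def is_tls(url):
    """True only for an https URL that actually names a host."""
    parts = urlsplit(url)
    return parts.scheme.lower() == "https" and bool(parts.hostname)


def unprotected_links(discovery_chain, op_endpoint):
    """Return the set of links that carry no TLS.

    discovery_chain: every URL the RP fetched during discovery, in order
    (claimed identifier first, then each redirect target). One plaintext
    hop is enough for an attacker on that path to substitute a different OP.
    """
    links = set()
    if not all(is_tls(u) for u in discovery_chain):
        links.add(RP_TO_IDENTITY)
    if not is_tls(op_endpoint):
        links.add(USER_TO_OP)
    return links


def attacker_reach(unprotected, attacker_positions):
    """Links that are both unprotected and on a network the attacker controls."""
    return set(unprotected) & set(attacker_positions)


# Constructed sample values (example.* hosts are placeholders).
COFFEE_SHOP = {USER_TO_OP}   # attacker on the user's wireless network only
HTTP_URI_HTTPS_OP = unprotected_links(
    [normalize_identifier("alice.example.org")], "https://op.example.net/auth")
HTTP_URI_HTTP_OP = unprotected_links(
    [normalize_identifier("alice.example.org")], "http://op.example.net/auth")
```

With an HTTP identity URI and an HTTPS OP, the coffee-shop attacker reaches nothing; with an HTTP OP, the same attacker reaches the user-to-OP link even though the RP's backend fetch is untouched.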