[security] Please convince me not to ban SSL (OP's)
SitG Admin
sysadmin at shadowsinthegarden.com
Fri May 8 15:43:34 UTC 2009
>when I use OpenID on a wireless network in a coffee shop, it's fairly
>easy for an attacker to interfere with my connection to an HTTP OP,
I'm not too worried about that, I can always just spit out an error
message instead of redirecting users.
>but it's much harder for that attacker to interfere with the backend
>communication between the RP and the server that hosts my URI
This is the area where I'm trying to move past "reasonable security"
to "maximum security" :)
All the security in the world on an OP doesn't do any good at all if
the attacker can get DNS to say "Oh, that URI is actually over here;
and the page has new delegation headers, by the way."
(To clarify, I'm fine with URIs that have SSL delegating to OPs
that also have SSL, since SSL-all-the-way wouldn't be vulnerable to
the same attack here - it's when users insist on an unprotected URI
that I'd want to insist upon warning them rather than blithely
accepting *and validating* their illusions of security. This does
disturb me, though, because of how it generally restricts URIs to
personal domains and dedicated IDPs that can afford SSL for pages -
I went to a Geocities homepage and went to https, no response.)
-Shade
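
An RP-side check for the policy described in the message above, added here as an example and not code from the post or from any OpenID library: it reads the HTML discovery `<link>` elements from the page at the claimed URI and returns a warning unless both that URI and the OP endpoint use https. The function names, verdict strings and the example hosts are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# rel values used by HTML-based discovery in OpenID 1.1 and 2.0
ENDPOINT_RELS = {"openid.server", "openid2.provider"}
DELEGATE_RELS = {"openid.delegate", "openid2.local_id"}

class LinkCollector(HTMLParser):
    """Collect OpenID <link> elements from the page served at the claimed URI."""
    def __init__(self):
        super().__init__()
        self.endpoints, self.delegates = [], []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        rels = set((attr.get("rel") or "").lower().split())
        href = (attr.get("href") or "").strip()
        if href and rels & ENDPOINT_RELS:
            self.endpoints.append(href)
        if href and rels & DELEGATE_RELS:
            self.delegates.append(href)

def is_https(url):
    return urlsplit(url).scheme.lower() == "https"

def assess_chain(claimed_uri, page_html):
    """Return (verdict, reasons); verdict is 'ok', 'warn' or 'reject' (assumed names)."""
    links = LinkCollector()
    links.feed(page_html)
    if not links.endpoints:
        return "reject", ["no OP endpoint in the discovery page"]
    reasons = []
    if not is_https(claimed_uri):
        # The page was fetched in the clear, so its delegation links cannot be trusted.
        target = ", ".join(links.delegates) or "the OP"
        reasons.append(f"claimed URI is not SSL; delegation to {target} is unverified")
    reasons += [f"OP endpoint {ep} is not SSL" for ep in links.endpoints if not is_https(ep)]
    return ("warn" if reasons else "ok"), reasons

# Constructed sample discovery page (hosts are placeholders).
SAMPLE_PAGE = """<html><head>
<link rel="openid2.provider openid.server" href="https://op.example/server">
<link rel="openid2.local_id openid.delegate" href="https://op.example/user/shade">
</head></html>"""

if __name__ == "__main__":
    for uri in ("https://id.example/", "http://id.example/"):
        print(uri, assess_chain(uri, SAMPLE_PAGE))
```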