[security] Please convince me not to ban SSL (OP's)
Adam Barth
hk9565 at gmail.com
Fri May 8 17:33:18 UTC 2009
On Fri, May 8, 2009 at 8:43 AM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> when I use OpenID on a wireless network in a coffee shop, it's fairly
>> easy for an attacker to interfere with my connection to an HTTP OP,
>
> I'm not too worried about that, I can always just spit out an error message
> instead of redirecting users.

I don't understand what you're suggesting. If you ban both HTTP and
HTTPS OPs, what's left?

>> but it's much harder for that attacker to interfere with the backend
>> communication between the RP and the server that hosts my URI
>
> This is the area where I'm trying to move past "reasonable security" to
> "maximum security" :)

I think it's more helpful to think in terms of a spectrum of threats.
Using HTTPS for the OP but not for the identity URI is more secure
than using HTTP for both and less secure than using HTTPS for both.

> All the security in the world on an OP doesn't do any good at all if the
> attacker can get DNS to say "Oh, that URI is actually over here; and the
> page has new delegation headers, by the way."

Sure, but that requires a more powerful attacker. Banning HTTPS OPs
for HTTP identity URIs hurts security in the coffee shop threat model.

Adam