[security] Please convince me not to ban SSL (OP's)

[SitG Admin]

>I don't understand what you're suggesting.  If you ban both HTTP and
>HTTPS OP what's left?

I don't want to unconditionally ban HTTPS OP's, just when they're 
delegated to by a non-HTTPS URI.

>I think its more helpful to think in terms of a spectrum of threats.
>Using HTTPS for the OP but not for the identity URI is more secure
>than using HTTP for both and less secure than using HTTPS for both.

But secure against *what*?

What's the attack here? What are we defending against, exactly?

If the OP uses SSL that helps the user, but not us, except indirectly 
if we're worried about the user giving away their credentials to a 
fake OP (in the coffee shop model, as you said), and if their URI 
*doesn't* use SSL then the user has an illusion of security, one 
which may be reinforced by their OP.

If you store data at my site (even inadvertently, indirectly, through 
the ACL that reveals which pages *I* thought you would have an 
interest in), data which is later retrievable by you, it is also 
retrievable by anyone who can *convince* me that they are you - and 
this attack does not care one whit whether your OP is using SSL or 
not, since your OP will never be involved.

The user is concerned with attackers being able to spoof their 
Identity at *any* site, by stealing the credentials they use at their 
OP; the user *might* care little whether attackers can spoof their 
Identity at a specific RP, but if they store any personal data there 
they should care greatly!

If the user is being reassured by their OP that they are "secure" 
because that OP uses SSL, then the user has a false sense of 
security. If the user has an HTTP URI and a HTTP OP, they probably 
understand the risks and are willing to take them. I can always 
assign an explanation to their ACL (even make the page default on 
first login) to make sure.

-Shade toys with the idea of caching IP addresses for OP's, then 
throwing a fit if it suddenly doesn't match up