[security] Please convince me not to ban SSL (OP's)
Adam Barth
hk9565 at gmail.com
Fri May 8 18:56:51 UTC 2009
On Fri, May 8, 2009 at 11:42 AM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> I don't understand what you're suggesting. If you ban both HTTP and
>> HTTPS OP what's left?
>
> I don't want to unconditionally ban HTTPS OPs, just when they're delegated
> to by a non-HTTPS URI.
You're welcome to lock users out of your site, but I suspect this
trade-off doesn't make sense for most RPs.
>> I think it's more helpful to think in terms of a spectrum of threats.
>> Using HTTPS for the OP but not for the identity URI is more secure
>> than using HTTP for both and less secure than using HTTPS for both.
>
> But secure against *what*?
>
> What's the attack here? What are we defending against, exactly?
HTTPS OP and HTTPS identity URI -> Global network attacker
HTTPS OP and HTTP identity URI -> Coffee shop attacker
HTTP OP and HTTP identity URI -> Malicious web site operator
> If the OP uses SSL that helps the user, but not us, except indirectly if
> we're worried about the user giving away their credentials to a fake OP (in
> the coffee shop model, as you said),
It's an ecosystem. Helping the user helps the RP.
> and if their URI *doesn't* use SSL then
> the user has an illusion of security, one which may be reinforced by their
> OP.
You're making fairly specific assumptions about what the user does and
doesn't understand about security. Without a user study, we have no
way of knowing whether these assumptions are accurate.
You're also ignoring the anti-phishing benefits of OPs that use
extended validation certificates. Against the phishing attacker, an
HTTPS-EV OP and an HTTP identity URL is useful for security.
> If the user is being reassured by their OP that they are "secure" because
> that OP uses SSL, then the user has a false sense of security. If the user
> has an HTTP URI and an HTTP OP, they probably understand the risks and are
> willing to take them.
You haven't offered any justification for these very specific
assumptions. I bet they won't hold that widely if you tested them on
real users.
Adam