Your link to the OpenID best practices is wrong. :) I suspect you meant <a href="http://wiki.openid.net/OpenID-Security-Best-Practices">http://wiki.openid.net/OpenID-Security-Best-Practices</a><div><br></div><div>And anything short of what would satisfy the <a href="http://wiki.openid.net/RequireSsl-Profile?SearchFor=requiressl&sp=1">RequireSsl</a> profile opens the user up to identity spoofing via a DNS-poisoning attack. The entire discovery and authentication phase must be done over HTTPS to be a secure login experience.</div>
<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Tue, Dec 8, 2009 at 2:48 PM, Jacob Bellamy <span dir="ltr"><<a href="mailto:toarms@gmail.com">toarms@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
Looking at the OpenID best practices<br>
(<a href="http://test-id.org/RP/IgnoresContentLocationHeader.aspx" target="_blank">http://test-id.org/RP/IgnoresContentLocationHeader.aspx</a>) , I see one part<br>
of interest:<br>
OpenID Providers are highly recommended to issue HTTPS Identifiers to their<br>
users.<br>
<br>
In practice however it looks as though most OpenID providers do not do this.<br>
Even Verisign's OpenIDs are prefixed by HTTP.<br>
<br>
I've recently taken an interest in OpenID and set up my own OpenID provider<br>
using Atlassian's Crowd, and I have set it up so that both HTTP and HTTPS<br>
OpenIDs are available. In the case with the HTTP OpenIDs, I have the login<br>
page covered by SSL, but the rest is HTTP. The HTTPS OpenIDs are more ideal,<br>
but I have encountered a rather large number of sites which simply do not<br>
seem to accept them. For instance, none of the mediawiki sites using the<br>
OpenID extension listed <a href="http://www.mediawiki.org/wiki/OpenID" target="_blank">http://www.mediawiki.org/wiki/OpenID</a> seem to accept<br>
them, and neither does my locally hosted Wordpress page with their OpenID<br>
plugin. Both seem to be using the OpenIDEnabled php library, so it might be<br>
an issue with that.<br>
<br>
So, as far as I can tell there are three main approaches:<br>
1. Use HTTP-based OpenIDs and perform SSL for the login.<br>
2. Use an HTTP-based OpenID which delegates the authentication to the HTTPS<br>
version.<br>
3. Use an HTTPS-based OpenID.<br>
<br>
Feel free to pipe in with any other alternatives that you can think of.<br>
So my question is what do you gain/lose with each option? Is 2 any less<br>
secure than 3? Do you lose much by only performing SSL on the login?<br>
<font color="#888888">--<br>
View this message in context: <a href="http://old.nabble.com/HTTP-vs-HTTPS-based-OpenIDs-tp26685482p26685482.html" target="_blank">http://old.nabble.com/HTTP-vs-HTTPS-based-OpenIDs-tp26685482p26685482.html</a><br>
Sent from the OpenID - Security mailing list archive at Nabble.com.<br>
<br>
_______________________________________________<br>
security mailing list<br>
<a href="mailto:security@lists.openid.net">security@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-security" target="_blank">http://lists.openid.net/mailman/listinfo/openid-security</a><br>
</font></blockquote></div><br></div>