<div class="gmail_quote">On Tue, Jun 8, 2010 at 4:05 PM, SitG Admin <span dir="ltr">&lt;<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div class="im">
<div>>(2) If an eavesdropper can listen in on all your network
traffic, can't they see your HTTP requests to IdP and RP (and
everything else) directly?</div>
<div><br></div>
</div><div>Even setting aside the IP address versus sniffing request strings
versus sniffing responses too, you've blanked out here on the idea of
"Assume that ALL requests are protected with SSL" - it's one
thing to be blind to anything which would contradict your favored
belief, but when it starts to affect your logical faculty in other
areas, you seriously need to take a step back and detach.</div></div></blockquote><div><br></div><div>I think I must be misunderstanding what you said, then. You said:</div><div><br></div><div>"<span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 12.5px; border-collapse: collapse; ">Assume that ALL requests are protected with SSL, so that the contents of communications cannot be spied upon. An eavesdropper can STILL figure out when a user is logging in with OpenID (and, with attention to timing, WHICH sites they are logged in to!) by looking for requests to the IP address of the central server."</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 12.5px; border-collapse: collapse; "><br></span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 12.5px; border-collapse: collapse; ">Given that all requests are protected by SSL but you can eavesdrop, you have the IP addresses, the timestamps, and some notion of the size of all the requests. This applies both to traffic to <a href="http://xauth.org">xauth.org</a> and to all other servers, or at least that was my assumption ("If an eavesdropper can listen in on all your network traffic..."). So you already know the IP addresses and timestamps of TCP connections to all of the servers the victim is talking to. Presumably you also have a list of the IP addresses of commonly used IdPs, or can figure it out after the fact, so you know when the victim is visiting your IdP (or their browser is being redirected). You can probably infer when RPs are doing said redirects and what the RPs are.</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 12.5px; border-collapse: collapse; "><br></span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 12.5px; border-collapse: collapse; ">Is this the scenario you're envisioning? If so, I'm having trouble seeing how some additional once-per-year cache revalidation requests to <a href="http://xauth.org">xauth.org</a>'s IP would change the amount of information leakage in any appreciable way. Otherwise, could you please give some more details about the attack you're proposing?</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 12.5px; border-collapse: collapse; "><br></span></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 12.5px; border-collapse: collapse; ">Thanks,</span></div>
<div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 12.5px; border-collapse: collapse; ">John</span></div></div>
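<div>The traffic-analysis scenario John describes above, as an added example that is not part of the thread or of xauth.org: the eavesdropper sees only the metadata of SSL-protected connections (timestamp, destination IP, request size) and knows the IP addresses of a few popular IdPs. A connection to an IdP IP bracketed, within a few seconds, by connections to the same non-IdP host is the redirect round trip of an OpenID login, so it reveals both that a login happened and which RP it was for. The IP addresses, the hostnames, the hypothetical central discovery host standing in for xauth.org, and the flow records are all constructed for the example.</div>

```python
"""Inferring OpenID logins from TLS connection metadata alone.

Added example, not code from the thread. The eavesdropper is assumed to see
only (timestamp, destination IP, bytes sent) per TCP connection and to have
pre-mapped a few IP addresses to identity providers. All IPs, hostnames and
flow records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since capture start
    dst_ip: str     # destination IP of the (encrypted) connection
    bytes_out: int  # bytes the client sent; the payload itself is not visible


# Constructed: IPs the eavesdropper has already mapped to IdPs (hypothetical hosts).
KNOWN_IDPS: Dict[str, str] = {
    "203.0.113.10": "idp.example",
    "203.0.113.20": "login.example",
}

# Constructed: a hypothetical central discovery host, playing the xauth.org role.
CENTRAL_HOST_IP = "198.51.100.5"

# Constructed capture: one browsing session as seen by a passive observer.
SAMPLE_FLOWS: List[Flow] = [
    Flow(0.0, CENTRAL_HOST_IP, 300),    # one-off cache revalidation of the central host
    Flow(1.0, "192.0.2.30", 900),       # browsing the RP
    Flow(2.5, "203.0.113.10", 1400),    # redirected to idp.example
    Flow(4.0, "192.0.2.30", 700),       # back to the RP carrying the assertion
    Flow(30.0, "192.0.2.40", 500),      # unrelated site
    Flow(60.0, "203.0.113.20", 1200),   # IdP visit with no RP round trip around it
    Flow(61.0, "192.0.2.50", 400),      # unrelated site afterwards
]


def infer_logins(flows: List[Flow], idp_ips: Dict[str, str],
                 window: float = 10.0) -> List[Tuple[str, str, float]]:
    """Return (rp_ip, idp_name, ts) for every RP -> IdP -> same-RP pattern.

    The OpenID redirect dance sends the browser from the RP to the IdP and
    back to the RP, so a connection to a known IdP IP with connections to the
    same non-IdP IP both shortly before and shortly after it is treated as a
    login to that RP via that IdP. `window` bounds "shortly" in seconds.
    """
    ordered = sorted(flows, key=lambda f: f.ts)
    logins: List[Tuple[str, str, float]] = []
    for i, f in enumerate(ordered):
        if f.dst_ip not in idp_ips:
            continue
        before = {g.dst_ip for g in ordered[:i]
                  if f.ts - g.ts <= window and g.dst_ip not in idp_ips}
        after = {g.dst_ip for g in ordered[i + 1:]
                 if g.ts - f.ts <= window and g.dst_ip not in idp_ips}
        for rp in sorted(before & after):
            logins.append((rp, idp_ips[f.dst_ip], f.ts))
    return logins


def idp_visits(flows: List[Flow], idp_ips: Dict[str, str]) -> List[Tuple[str, float]]:
    """Every connection to a known IdP, whether or not an RP round trip surrounds it."""
    return [(idp_ips[f.dst_ip], f.ts) for f in sorted(flows, key=lambda f: f.ts)
            if f.dst_ip in idp_ips]


if __name__ == "__main__":
    for rp, idp, ts in infer_logins(SAMPLE_FLOWS, KNOWN_IDPS):
        print(f"t={ts:5.1f}s  login to RP {rp} via {idp}")
    for idp, ts in idp_visits(SAMPLE_FLOWS, KNOWN_IDPS):
        print(f"t={ts:5.1f}s  IdP contacted: {idp}")
```

Running the block over the constructed capture flags the login to 192.0.2.30 via idp.example at t=2.5 s and records the bare IdP visit at t=60 s. Dropping the single connection to the central host from the capture leaves both results unchanged, which is the comparison John asks about: the inference rests entirely on the IdP and RP flows the observer already sees.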