that ess in 'https'
Martin Atkins
mart at degeneration.co.uk
Tue Jun 27 18:34:08 UTC 2006
David Strauss wrote:
>
>>But if HTTP and HTTPS URLs are equivilent, surely I can just spoof the
>>HTTP version of your HTTPS URL and defeat the object entirely!
>
>
> No. Not if the RP either checks for the https page first or remembers
> that a particular OpenID supports https identity pages and refuses to
> fall back to http after one successful https identity page download.
> Some RPs may choose to only allow https mode identities. It shouldn't
> ever be the user's concern which scheme is being used. It should be the
> RP's. We just need some standards so RPs can consistently implement the
> varying level of security without user concern.
>
What's the argument against requiring OpenID relying parties to support
SSL anyway? Most HTTP libraries will quite happily do SSL out of the
box, and you can just neglect to validate the certificate if you don't
care about security.
I think my favourite solution right now is to require relying parties to
support SSL and then use the existing "canonicalization through
redirection" feature of OpenID to solve this problem. The problem that
doesn't address is where an identity provider starts off on cleartext
and migrates to SSL, which admittedly I don't have a good answer to.
I think the main thing that's bothering me about this assumption that
HTTPS and HTTP are the same is that it's making some arbitrary decision
that we can trust these URLs as the same as long as the hostname and
path are the same, regardless of scheme. If we're going to do that, can
we also trust that (say) <http://mydomain.com/me/> and
<http://mydomain.com/metoo/> are run by the same person? What about
<http://mydomain.com/me/> and <http://mydomain.com/me/again/>?
<http://me.mydomain.com/> and <http://you.mydomain.com/>?
The assumption seems to be assuming that so long as the hostname matches
the two URLs trust each other, which is probably true in a lot of cases.
However, technically the difference between <http://mydomain.com/> and
<https://mydomain.com/> is the same as the difference between
<http://something.mydomain.com> and <http://somethingelse.mydomain.com/>
as far as the HTTP protocol is concerned, so if we allow one why do we
not allow both?
More information about the yadis
mailing list