that ess in 'https'

Martin Atkins mart at degeneration.co.uk
Tue Jun 27 18:34:08 UTC 2006


David Strauss wrote:
> 
>> But if HTTP and HTTPS URLs are equivalent, surely I can just spoof the
>> HTTP version of your HTTPS URL and defeat the object entirely!
> 
> No. Not if the RP either checks for the https page first or remembers
> that a particular OpenID supports https identity pages and refuses to
> fall back to http after one successful https identity page download.
> Some RPs may choose to only allow https mode identities. It shouldn't
> ever be the user's concern which scheme is being used. It should be the
> RP's. We just need some standards so RPs can consistently implement the
> varying level of security without user concern.
> 

What's the argument against requiring OpenID relying parties to support 
SSL anyway? Most HTTP libraries will quite happily do SSL out of the 
box, and you can just neglect to validate the certificate if you don't 
care about security.

I think my favourite solution right now is to require relying parties to 
support SSL and then use the existing "canonicalization through 
redirection" feature of OpenID to solve this problem. The problem that 
doesn't address is where an identity provider starts off on cleartext 
and migrates to SSL, which admittedly I don't have a good answer to.

I think the main thing that's bothering me about this assumption that 
HTTPS and HTTP are the same is that it's making some arbitrary decision 
that we can trust these URLs as the same as long as the hostname and 
path are the same, regardless of scheme. If we're going to do that, can 
we also trust that (say) <http://mydomain.com/me/> and 
<http://mydomain.com/metoo/> are run by the same person? What about 
<http://mydomain.com/me/> and <http://mydomain.com/me/again/>? 
<http://me.mydomain.com/> and <http://you.mydomain.com/>?

The assumption seems to be assuming that so long as the hostname matches 
the two URLs trust each other, which is probably true in a lot of cases. 
However, technically the difference between <http://mydomain.com/> and 
<https://mydomain.com/> is the same as the difference between 
<http://something.mydomain.com> and <http://somethingelse.mydomain.com/> 
as far as the HTTP protocol is concerned, so if we allow one why do we 
not allow both?
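The two positions in this exchange, the quoted "https first, then never fall back" relying-party policy and the point that the scheme is as much a part of the identifier as the hostname, can be made concrete in a few lines. The following is an added illustration written for this archive page, not code from the yadis list, from OpenID libraries or from either poster. It replaces the network with an injectable `fetch` callable and a constructed in-memory "web" (the `alice.example` / `bob.example` hosts are made up) so that the policy can be run offline; the class and function names are likewise this example's own.

```python
"""Sketch of a relying-party (RP) discovery policy for OpenID identifiers.

Added example for the thread above; not code from any OpenID implementation.
Policy modelled (from the quoted reply): try the https identity page first,
remember that an identifier has served over https, and refuse to fall back to
http for it afterwards. An RP may also be configured to accept https only.
"""
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


class DowngradeRefused(Exception):
    """Identifier is known to serve https but only http was offered now."""


def normalize(identifier: str) -> Tuple[str, str, str]:
    """Split an identifier into (scheme, host, path); a bare host gets http.

    The scheme is deliberately kept: http://h/p and https://h/p are treated as
    distinct identities, exactly as two different hostnames would be.
    """
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()
    path = parts.path or "/"
    if scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %s" % scheme)
    return scheme, host, path


def same_identity(a: str, b: str) -> bool:
    """True only when scheme, host and path all match."""
    return normalize(a) == normalize(b)


class RelyingParty:
    def __init__(self, fetch: Callable[[str], Optional[str]], require_https: bool = False):
        self.fetch = fetch                # fetch(url) -> page text, or None if unreachable
        self.require_https = require_https
        self.seen_https = set()           # (host, path) pairs that once served over https

    def discover(self, identifier: str) -> Tuple[str, str]:
        """Return (url_used, page) for an identifier, applying the pinning policy."""
        _scheme, host, path = normalize(identifier)
        https_url = urlunsplit(("https", host, path, "", ""))
        http_url = urlunsplit(("http", host, path, "", ""))

        page = self.fetch(https_url)      # step 1: always try https first
        if page is not None:
            self.seen_https.add((host, path))   # step 2: remember the https success
            return https_url, page

        # step 3: no https page now; refuse cleartext if we ever saw https, or if
        # this RP is configured for https-only identities
        if (host, path) in self.seen_https or self.require_https:
            raise DowngradeRefused(https_url)

        page = self.fetch(http_url)
        if page is None:
            raise LookupError("no identity page at %s or %s" % (https_url, http_url))
        return http_url, page


def make_fetch(web: dict) -> Callable[[str], Optional[str]]:
    """Constructed stand-in for an HTTP client: look the URL up in a dict."""
    return lambda url: web.get(url)


def demo() -> dict:
    """Run the policy against a constructed web and report the outcomes."""
    web = {                                # constructed sample data
        "https://alice.example/": "alice-https",
        "http://alice.example/": "alice-http",
        "http://bob.example/": "bob-http",  # bob has never offered https
    }
    rp = RelyingParty(make_fetch(web))
    out = {"first": rp.discover("alice.example")}
    del web["https://alice.example/"]      # simulate https becoming unavailable
    try:
        rp.discover("alice.example")
        out["after_downgrade"] = "accepted http"
    except DowngradeRefused:
        out["after_downgrade"] = "refused"
    out["bob"] = rp.discover("bob.example")
    out["scheme_differs"] = same_identity("http://mydomain.com/me/", "https://mydomain.com/me/")
    out["host_differs"] = same_identity("http://something.mydomain.com/",
                                        "http://somethingelse.mydomain.com/")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The memory of https successes is keyed on (host, path) and not on the full URL, because the whole point of the policy is to decide which scheme to accept next time; the identity comparison in `same_identity`, by contrast, keeps the scheme, so a cleartext and a TLS identifier for the same path compare unequal just as two different subdomains do. In a real RP the `seen_https` set would have to be persisted across requests for the refusal to mean anything.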
