On Fri, May 8, 2009 at 8:43 AM, SitG Admin <[email protected]> wrote: >> when I use OpenID on a wireless network in a coffee shop, it's fairly >> easy for an attacker to interfere with my connection to an HTTP OP, > > I'm not too worried about that, I can always just spit out an error message > instead of redirecting users.
I don't understand what you're suggesting. If you ban both HTTP and HTTPS OP what's left? >> but it's much harder for that attacker to interfere with the backend >> communication between the RP and the server that hosts my URI > > This is the area where I'm trying to move past "reasonable security" to > "maximum security" :) I think its more helpful to think in terms of a spectrum of threats. Using HTTPS for the OP but not for the identity URI is more secure than using HTTP for both and less secure than using HTTPS for both. > All the security in the world on an OP doesn't do any good at all if the > attacker can get DNS to say "Oh, that URI is actually over here; and the > page has new delegation headers, by the way." Sure, but that requires a more powerful attacker. Banning HTTPS OPs for HTTP identity URIs hurts security in the coffee shop threat model. Adam _______________________________________________ security mailing list [email protected] http://openid.net/mailman/listinfo/security
