On Fri, May 8, 2009 at 11:42 AM, SitG Admin <[email protected]> wrote:
>> I don't understand what you're suggesting. If you ban both HTTP and
>> HTTPS OP what's left?
>
> I don't want to unconditionally ban HTTPS OPs, just when they're delegated
> to by a non-HTTPS URI.

You're welcome to lock users out of your site, but I suspect this trade-off
doesn't make sense for most RPs.

>> I think it's more helpful to think in terms of a spectrum of threats.
>> Using HTTPS for the OP but not for the identity URI is more secure
>> than using HTTP for both and less secure than using HTTPS for both.
>
> But secure against *what*?
>
> What's the attack here? What are we defending against, exactly?

HTTPS OP and HTTPS identity URI -> Global network attacker
HTTPS OP and HTTP identity URI  -> Coffee shop attacker
HTTP OP and HTTP identity URI   -> Malicious web site operator

> If the OP uses SSL that helps the user, but not us, except indirectly if
> we're worried about the user giving away their credentials to a fake OP (in
> the coffee shop model, as you said),

It's an ecosystem. Helping the user helps the RP.

> and if their URI *doesn't* use SSL then
> the user has an illusion of security, one which may be reinforced by their
> OP.

You're making fairly specific assumptions about what the user does and
doesn't understand about security. Without a user study, we have no way of
knowing whether these assumptions are accurate.

You're also ignoring the anti-phishing benefits of OPs that use extended
validation certificates. Against the phishing attacker, an HTTPS-EV OP and
an HTTP identity URL is useful for security.

> If the user is being reassured by their OP that they are "secure" because
> that OP uses SSL, then the user has a false sense of security. If the user
> has an HTTP URI and an HTTP OP, they probably understand the risks and are
> willing to take them.

You haven't offered any justification for these very specific assumptions.
I bet they won't hold that widely if you tested them on real users.

Adam
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
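An added illustration of the RP-side policy the two positions above imply (example code written for this page, not from the OpenID project or either poster): it runs OpenID 2.0 HTML-based discovery on a constructed identity page, maps the identity URI scheme and the OP endpoint scheme onto the three-tier spectrum in Adam's reply, and accepts or rejects the login against a configurable minimum tier. The sample URLs, the numeric ranking of the tiers and the handling of the HTTPS-URI/HTTP-OP combination (which the thread does not discuss) are assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed sample (not from the thread): an HTTP identity URI delegating
# to an HTTPS OP through OpenID 2.0 HTML-based discovery <link> tags.
SAMPLE_IDENTITY_URI = "http://alice.example/"
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example/server">
<link rel="openid2.local_id" href="https://op.example/alice">
</head></html>"""

# Strongest attacker each scheme combination still resists, per the reply;
# a higher rank means a stronger guarantee (the ranking is an assumption).
TIERS = {
    "malicious web site operator": 0,
    "coffee shop attacker": 1,
    "global network attacker": 2,
}

TAG_RE = re.compile(r"<link\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'([\w.-]+)\s*=\s*"([^"]*)"')

def discover_provider(identity_page):
    """Return the openid2.provider endpoint from the page's <link> tags, or None."""
    for attrs in TAG_RE.findall(identity_page):
        a = dict(ATTR_RE.findall(attrs))
        if "openid2.provider" in a.get("rel", "").split():
            return a.get("href")
    return None

def classify(identity_uri, op_endpoint):
    """Map (identity URI scheme, OP endpoint scheme) onto the three tiers."""
    id_tls = urlparse(identity_uri).scheme == "https"
    op_tls = urlparse(op_endpoint).scheme == "https"
    if id_tls and op_tls:
        return "global network attacker"
    if op_tls:
        # HTTP discovery can be forged on the local network; the OP login is protected.
        return "coffee shop attacker"
    # OP login in the clear. Thread covers HTTP/HTTP only; HTTPS-URI/HTTP-OP
    # placed in the same tier is an assumption.
    return "malicious web site operator"

def rp_decision(identity_uri, identity_page, minimum_tier):
    """(tier, accepted): accept only if the pair resists at least minimum_tier.
    "global network attacker" is SitG Admin's strict policy, "coffee shop attacker" the lenient one."""
    op = discover_provider(identity_page)
    if op is None:
        return None, False
    tier = classify(identity_uri, op)
    return tier, TIERS[tier] >= TIERS[minimum_tier]
```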
