Your link to the OpenID best practices is wrong. :) I suspect you meant http://wiki.openid.net/OpenID-Security-Best-Practices
And anything short of what would satisfy the RequireSsl profile <http://wiki.openid.net/RequireSsl-Profile?SearchFor=requiressl&sp=1> opens the user up to identity spoofing via a DNS-poisoning attack. The entire discovery and authentication phase must be done over HTTPS to be a secure login experience.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Tue, Dec 8, 2009 at 2:48 PM, Jacob Bellamy <[email protected]> wrote:

> Looking at the OpenID best practices
> (http://test-id.org/RP/IgnoresContentLocationHeader.aspx), I see one part
> of interest:
>
> OpenID Providers are highly recommended to issue HTTPS Identifiers to their
> users.
>
> In practice however it looks as though most OpenID providers do not do
> this. Even Verisign's OpenIDs are prefixed by HTTP.
>
> I've recently taken an interest in OpenID and set up my own OpenID
> provider using Atlassian's Crowd, and I have set it up so that both HTTP
> and HTTPS OpenIDs are available. In the case with the HTTP OpenIDs, I have
> the login page covered by SSL, but the rest is HTTP. The HTTPS OpenIDs are
> more ideal, but I have encountered a rather large number of sites which
> simply do not seem to accept them. For instance, none of the mediawiki
> sites using the OpenID extension listed at
> http://www.mediawiki.org/wiki/OpenID seem to accept them, and neither does
> my locally hosted Wordpress page with their OpenID plugin. Both seem to be
> using the OpenIDEnabled php library, so it might be an issue with that.
>
> So, as far as I can tell there are three main approaches:
>
> 1. Use HTTP-based OpenIDs and perform SSL for the login.
> 2. Use an HTTP-based OpenID which delegates the authentication to the
>    HTTPS version.
> 3. Use an HTTPS-based OpenID.
>
> Feel free to pipe in with any other alternatives that you can think of.
> So my question is what do you gain/lose with each option? Is 2 any less
> secure than 3? Do you lose much by only performing SSL on the login?
>
> --
> View this message in context:
> http://old.nabble.com/HTTP-vs-HTTPS-based-OpenIDs-tp26685482p26685482.html
> Sent from the OpenID - Security mailing list archive at Nabble.com.
_______________________________________________ security mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-security
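The following Python is an added example, not code from this thread, from the RequireSsl wiki page, or from any of the libraries mentioned. It shows the relying-party side of the point Andrew makes: a RequireSsl-style policy that rejects a login unless the claimed identifier, every URL fetched during discovery, and the discovered OP endpoint (and delegated local identifier, if any) are all HTTPS. The policy is my own simplified approximation of that profile, not its text; the identifier pages, host names and redirect chains are constructed sample inputs; and only OpenID 2.0 HTML-based discovery is covered (no Yadis/XRDS). The three constructed pages correspond to the three options in Jacob's message, plus a fourth page standing in for what a DNS-poisoning attacker could serve for a plain-HTTP identifier.

```python
"""
Added example, not code from the thread: a relying-party-side policy check
in the spirit of the RequireSsl profile, applied to the result of OpenID 2.0
HTML-based discovery. Identifier pages, host names and fetch chains below are
constructed sample inputs, not real providers.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkRelParser(HTMLParser):
    """Collects <link rel="..." href="..."> elements from an HTML identifier page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            # rel may carry several tokens; the first link seen wins for each token
            for token in rel.split():
                self.links.setdefault(token.lower(), href)


def discover_html(html):
    """OpenID 2.0 HTML discovery: return (op_endpoint, local_id), None where absent."""
    parser = _LinkRelParser()
    parser.feed(html)
    return parser.links.get("openid2.provider"), parser.links.get("openid2.local_id")


def is_https(url):
    return url is not None and urlparse(url).scheme.lower() == "https"


def require_ssl(claimed_id, fetch_chain, op_endpoint, local_id=None):
    """Return the list of policy violations; an empty list means 'accept'.

    fetch_chain lists every URL the RP actually retrieved during discovery,
    redirects included. A single plain-http hop lets an attacker who controls
    the RP's DNS answers substitute the whole discovery result, so every hop
    must be https, not just the final OP endpoint.
    """
    problems = []
    if not is_https(claimed_id):
        problems.append("claimed identifier is not https")
    for url in fetch_chain:
        if not is_https(url):
            problems.append("discovery fetched over plain http: " + url)
    if not is_https(op_endpoint):
        problems.append("OP endpoint is not https")
    if local_id is not None and not is_https(local_id):
        problems.append("delegated local identifier is not https")
    return problems


# Option 1 (constructed): plain-http identifier, OP endpoint also plain http;
# only the OP's login form sits behind SSL, which discovery never sees.
OPTION1_HTML = """<html><head>
<link rel="openid2.provider" href="http://op.example.net/server">
</head></html>"""

# Option 2: plain-http identifier delegating to an https OP.
# Option 3: the same markup, served from an https identifier.
DELEGATING_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/alice">
</head></html>"""

# Constructed page an attacker could serve for a plain-http identifier after
# poisoning the RP's DNS: the endpoint is still https, just not the legitimate
# OP, so a check that inspects only the endpoint scheme is fooled.
POISONED_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.attacker.example/server">
<link rel="openid2.local_id" href="https://op.attacker.example/alice">
</head></html>"""


def evaluate(claimed_id, html, fetch_chain=None):
    """Run HTML discovery on a fetched identifier page and apply the policy."""
    op_endpoint, local_id = discover_html(html)
    return require_ssl(claimed_id, fetch_chain or [claimed_id], op_endpoint, local_id)


if __name__ == "__main__":
    cases = [
        ("option 1", "http://alice.example.net/", OPTION1_HTML, None),
        ("option 2", "http://alice.example.net/", DELEGATING_HTML, None),
        ("option 3", "https://alice.example.net/", DELEGATING_HTML, None),
        ("poisoned", "http://alice.example.net/", POISONED_HTML, None),
        # https identifier whose server bounces through a plain-http redirect
        ("bad redirect", "https://alice.example.net/", DELEGATING_HTML,
         ["https://alice.example.net/", "http://alice.example.net/openid"]),
    ]
    for name, claimed, page, chain in cases:
        print(name + ":", evaluate(claimed, page, chain) or "accepted")
```

Only option 3 is accepted. Option 2 fails even though its OP endpoint is HTTPS, because the page that named that endpoint was fetched over plain HTTP, which is exactly the hop a DNS-poisoning attacker rewrites (the POISONED_HTML case passes an endpoint-scheme-only check and is caught solely by the fetch-chain rule). The "bad redirect" case is the caveat for option 3: an HTTPS identifier whose server redirects through an HTTP hop gives up the same guarantee, so the RP has to record every URL it actually fetched, not just the one the user typed.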
