On Wed, Feb 13, 2013 at 10:58 PM, Till Maas <opensource@xxxxxxxxx> wrote:
On Wed, Feb 13, 2013 at 01:52:15AM -0500, Seth Vidal wrote:I guess if fedorahosted is not used via HTTPS, attackers could easily
> For the rest we make them non-ssl'd. The openid login, of course
> would be ssl'd, but the rest of the site doesn't really need to be,
> does it?
make users not use HTTPS for the openid login by tampering the response
from fedorahosted.
The only way an attacker could make users not use HTTPS would be by
sending them to another OpenID provider, which the authopenid plugin,
and thus trac, then won't allow (it will only allow FAS-OpenID).
It
would be possible to launch a phishing attack indeed, but that can
happen with any website, and that is already limited because with
OpenID, the user can check the URL in the address bar, as there will be
only one domain (id.fedoraproject.org) that will ask for
username/password, instead of many.Also there is probably a session cookie involved that
is validated via openid, this could still be used by attackers to access
fedorahosted with the privileges of the original user.
There is no session cookie validated by OpenID: the OpenID server
provides a signed response to the relying party (hosted in this case),
which the relying party checks with the provider itself without the
user's (or attacker's) control.
Stealing a cookie would still be possible indeed, but that's also not induced by the use of OpenID, just (again) because the cookie is sent in the clear.
Stealing a cookie would still be possible indeed, but that's also not induced by the use of OpenID, just (again) because the cookie is sent in the clear.
Regards
Till
I hope this clears it up, and if it doesn't, you can always ping me on IRC or email.
Yours sincerely,
Patrick Uiterwijk
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
