Re: fedora hosted, sharding and openid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Feb 13, 2013 at 10:58 PM, Till Maas <opensource@xxxxxxxxx> wrote:
On Wed, Feb 13, 2013 at 01:52:15AM -0500, Seth Vidal wrote:

> For the rest we make them non-ssl'd. The openid login, of course
> would be ssl'd, but the rest of the site doesn't really need to be,
> does it?

I guess if fedorahosted is not used via HTTPS, attackers could easily
make users not use HTTPS for the openid login by tampering the response
from fedorahosted.
The only way an attacker could make users not use HTTPS would be by sending them to another OpenID provider, which the authopenid plugin, and thus trac, then won't allow (it will only allow FAS-OpenID).
It would be  possible to launch a phishing attack indeed, but that can happen with any website, and that is already limited because with OpenID, the user can check the URL in the address bar, as there will be only one domain (id.fedoraproject.org) that will ask for username/password, instead of many.
 
Also there is probably a session cookie involved that
is validated via openid, this could still be used by attackers to access
fedorahosted with the privileges of the original user.
There is no session cookie validated by OpenID: the OpenID server provides a signed response to the relying party (hosted in this case), which the relying party checks with the provider itself without the user's (or attacker's) control.
Stealing a cookie would still be possible indeed, but that's also not induced by the use of OpenID, just (again) because the cookie is sent in the clear.

Regards
Till

I hope this clears it up, and if it doesn't, you can always ping me on IRC or email.

Yours sincerely,
Patrick Uiterwijk
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux