<div dir="ltr"><div class="gmail_quote"><div>On Wed, Feb 13, 2013 at 10:58 PM, Till Maas <span dir="ltr"><<a href="mailto:opensource@till.name" target="_blank">opensource@till.name</a>></span> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im">On Wed, Feb 13, 2013 at 01:52:15AM -0500, Seth Vidal wrote:<br>
<br>
> For the rest we make them non-ssl'd. The openid login, of course<br>
> would be ssl'd, but the rest of the site doesn't really need to be,<br>
> does it?<br>
<br>
</div>I guess if fedorahosted is not used via HTTPS, attackers could easily<br>
make users not use HTTPS for the openid login by tampering the response<br>
from fedorahosted. </blockquote><div><div>The only way an attacker could make users not use HTTPS would be by
sending them to another OpenID provider, which the authopenid plugin,
and thus trac, then won't allow (it will only allow FAS-OpenID).<br></div>It
would be possible to launch a phishing attack indeed, but that can
happen with any website, and that is already limited because with
OpenID, the user can check the URL in the address bar, as there will be
only one domain (<a href="http://id.fedoraproject.org">id.fedoraproject.org</a>) that will ask for
username/password, instead of many.<br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Also there is probably a session cookie involved that<br>
is validated via openid, this could still be used by attackers to access<br>
fedorahosted with the privileges of the original user.<br></blockquote><div>There is no session cookie validated by OpenID: the OpenID server
provides a signed response to the relying party (hosted in this case),
which the relying party checks with the provider itself without the
user's (or attacker's) control.<br>Stealing a cookie would still
be possible indeed, but that's also not induced by the use of OpenID,
just (again) because the cookie is sent in the clear. <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Regards<br>
<span class=""><font color="#888888">Till</font></span></blockquote></div><div class="gmail_extra"><br></div><div class="gmail_extra">I hope this clears it up, and if it doesn't, you can always ping me on IRC or email.<br>
<br></div><div class="gmail_extra">Yours sincerely,<br></div><div class="gmail_extra">Patrick Uiterwijk<br></div></div>