fedora hosted, sharding and openid
Patrick Uiterwijk
puiterwijk at gmail.com
Wed Feb 13 22:18:27 UTC 2013
On Wed, Feb 13, 2013 at 10:58 PM, Till Maas <opensource at till.name> wrote:
> On Wed, Feb 13, 2013 at 01:52:15AM -0500, Seth Vidal wrote:
>
> > For the rest we make them non-ssl'd. The openid login, of course
> > would be ssl'd, but the rest of the site doesn't really need to be,
> > does it?
>
> I guess if fedorahosted is not used via HTTPS, attackers could easily
> make users not use HTTPS for the openid login by tampering the response
> from fedorahosted.
The only way an attacker could make users not use HTTPS would be by sending
them to another OpenID provider, which the authopenid plugin, and thus
trac, then won't allow (it will only allow FAS-OpenID).
It would be possible to launch a phishing attack indeed, but that can
happen with any website, and that is already limited because with OpenID,
the user can check the URL in the address bar, as there will be only one
domain (id.fedoraproject.org) that will ask for username/password, instead
of many.
> Also there is probably a session cookie involved that
> is validated via openid, this could still be used by attackers to access
> fedorahosted with the privileges of the original user.
>
There is no session cookie validated by OpenID: the OpenID server provides
a signed response to the relying party (hosted in this case), which the
relying party checks with the provider itself without the user's (or
attacker's) control.
Stealing a cookie would still be possible indeed, but that's also not
induced by the use of OpenID, just (again) because the cookie is sent in
the clear.
>
> Regards
> Till
I hope this clears it up, and if it doesn't, you can always ping me on IRC
or email.
Yours sincerely,
Patrick Uiterwijk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20130213/51163b61/attachment.html>
More information about the infrastructure
mailing list