fedora hosted, sharding and openid

Till Maas till.maas at till.name
Thu Feb 14 21:13:53 UTC 2013


On Wed, Feb 13, 2013 at 11:18:27PM +0100, Patrick Uiterwijk wrote:
> On Wed, Feb 13, 2013 at 10:58 PM, Till Maas <opensource at till.name> wrote:
> 
> > On Wed, Feb 13, 2013 at 01:52:15AM -0500, Seth Vidal wrote:
> >
> > > For the rest we make them non-ssl'd. The openid login, of course
> > > would be ssl'd, but the rest of the site doesn't really need to be,
> > > does it?
> >
> > I guess if fedorahosted is not used via HTTPS, attackers could easily
> > make users not use HTTPS for the openid login by tampering with the response
> > from fedorahosted.
> 
> The only way an attacker could make users not use HTTPS would be by sending
> them to another OpenID provider, which the authopenid plugin, and thus
> trac, then won't allow (it will only allow FAS-OpenID).
> It would be possible to launch a phishing attack indeed, but that can
> happen with any website, and that is already limited because with OpenID,
> the user can check the URL in the address bar, as there will be only one
> domain (id.fedoraproject.org) that will ask for username/password, instead
> of many.

Actually it is admin.fedoraproject.org that will ask for the password. I
assumed that if username.id.fedoraproject.org is used as OpenID ID,
there would be some plain HTTP request from the user's browser to
username.id.fedoraproject.org, but this does not seem to be the case
(anymore?). Nevertheless, at least trac will probably not connect via
HTTPS to username.id.fedoraproject.org, because the certificate for that
host name is not valid. Nevertheless, an attack might not be that likely
for that as MITM attacks near a user's client are.

Regards
Till
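
The provider restriction discussed in this thread, sketched as an added example (not code from trac, the authopenid plugin, or any poster): a relying-party check that accepts a login only when both the claimed identifier and the provider endpoint are https URLs under the expected hosts. The pinned endpoint host, the `/openid/` path, and all function names are assumptions for illustration; certificate validation during the actual fetch is a separate step and is not shown.

```python
from urllib.parse import urlsplit

# Assumed policy values for illustration; not taken from the authopenid plugin.
PROVIDER_HOST = "id.fedoraproject.org"
IDENTITY_SUFFIX = ".id.fedoraproject.org"


def _https_host(url):
    """Return the lowercased host if url is an absolute https URL, else None."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # excludes any userinfo placed before '@'
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    return host.lower().rstrip(".")


def check_login(claimed_id, op_endpoint):
    """Return a list of policy violations; an empty list means accept."""
    problems = []
    id_host = _https_host(claimed_id)
    ep_host = _https_host(op_endpoint)
    if id_host is None:
        problems.append("claimed identifier is not an https URL")
    else:
        # Exactly one label (the username) must precede the identity suffix.
        matches = id_host.endswith(IDENTITY_SUFFIX)
        label = id_host[: -len(IDENTITY_SUFFIX)] if matches else ""
        if not label or "." in label:
            problems.append("claimed identifier is outside the allowed provider")
    if ep_host is None:
        problems.append("provider endpoint is not an https URL")
    elif ep_host != PROVIDER_HOST:
        problems.append("provider endpoint is not the pinned host")
    return problems
```

A check like this runs on the server side only; it says nothing about what a user's browser receives when the page containing the login link is served over plain HTTP.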

