Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
A site that uses username/password for users to log in obviously needs that login process to run over https. Does the same apply when only using OpenID, or is the provider using https enough to ensure security?
Everything still must be HTTPS to be secure. Otherwise an attacker can intercept the OpenID string the user provides and replace it with their own malicious OpenID server. That would be bad, and trick all but the most savvy users into entering their password into the wrong server.
They could even replace your referral to the client with one to the real OpenID server, and let the client (ineffectually) log in before returning to your site… If they do this, they don’t get to steal the user’s password, but they still get to have a backdoor into their account.
Perhaps more importantly, if you’re not using HTTPS, the session cookies you send aren’t secure. So an attacker can just wait until a user is logged in, and then steal their session.