A site that uses username/password for users to log in obviously needs that login process to run over https. Does the same apply when only using OpenID, or is the provider using https enough to ensure security?
+1
A:
Everything still must be HTTPS to be secure. Otherwise an attacker can intercept the OpenID string the user provides and replace it with their own malicious OpenID server. That would be bad, and trick all but the most savvy users into entering their password into the wrong server.
They could even replace your referral to the client with one to the real OpenID server, and let the client (ineffectually) log in before returning to your site... If they do this, they don't get to steal the user's password, but they still get to have a backdoor into their account.
Perhaps more importantly, if you're not using HTTPS, the session cookies you send aren't secure. So an attacker can just wait until a user is logged in, and then steal their session.
Borealid
2010-08-21 04:15:13