Issue94

Title: Only allow OpenID over HTTPS requests
Priority: critical
Status: wont-fix
Project: CC Network
Milestone:
Superseder:
Nosy List: jedoig, nyergler
Assigned To: jedoig
Keywords: comemotate

Created on 2008-12-05.17:05:17 by nyergler, last changed 2010-10-04.00:24:02 by nyergler.

Messages
msg2033 Author: nyergler Date: 2010-08-06.23:20:42
John, how will OpenID URLs that are http:// be handled under Drupal?
msg1110 Author: jedoig Date: 2009-05-20.17:01:15
This work is now contained in the openid-https-redirects branch.  I've also
cleaned up the commoner repo with saner branch names and removed the erroneous
branches that I created in my early git experiences.

I have this working locally, running with mod_wsgi.  However I am still working
to configure it correctly on the staging server.
msg630 Author: jedoig Date: 2009-03-31.18:06:58
Added some tests to our new redirection middleware.
msg536 Author: jedoig Date: 2009-03-16.19:09:45
Added a variable to the settings file to signal Django when the requests are
from the test runner.  TESTING is set to true if "test" appears in the argv.  If
this is TRUE, then the SSLMiddleware will raise an exception at initiation and
Django will ignore this middleware class.
msg522 Author: jedoig Date: 2009-03-16.16:16:33
Blast

The middleware class is going to disrupt any test case that is NOT expecting a
redirect.

I'm exploring some solutions right now.
msg484 Author: jedoig Date: 2009-03-12.21:23:49
I added a middleware class called SSLMiddleWare that enables the redirects to
https.  Any request to http is handled by this class and the appropriate course
of action is taken.

* If the user is an existing one AND they're attempting to use an identifier on
HTTP, then the page is redirected to HTTPS, and the user's profile page is
displayed without the OpenID header information and a short message explaining why.

* New users will be presented with a 403 error and a short message notifying the
user to use https instead.

* Per our discussion, I am using a session variable to notify the view that a
redirect has occurred.  This variable needs to be removed after the page is
rendered so that it does not persist across future requests.  I was trying to
accomplish this in a process_response, but was unable to get this working
properly.  Instead, I just put it in the view function for the view_profile
while I continue to work on it in the middleware.

* I still need to write a migration script for the new model field in
profiles.models.CommonerProfile
msg136 Author: nyergler Date: 2008-12-05.17:05:16
creativecommons.net currently only serves pages over HTTPS; any request coming
in over HTTP is redirected by Apache to HTTPS.  Unfortunately this opens a
possible vulnerability: in the event that our DNS is compromised, users who have
used http://creativecommons.net/foo as their OpenID will be vulnerable.

Requirements:

* Existing users may continue to use HTTP (redirected to HTTPS) as their OpenID.
When an existing [legacy] user views their profile, they will see a warning at
the top instructing them to use HTTPS for OpenID, possibly linked to a more
detailed discussion page.
* New users will only be able to use HTTPS (with no redirect) for OpenID logins.
* We'll need to send an email to all existing users notifying them of the change
and suggesting they only use HTTPS for their OpenID logins.

Discussion:

* This will require a schema change for
commoner.profiles.models.CommonerProfile; redirect_https bool
* We will probably want to start passing all requests, HTTP and HTTPS, into
Django.
* Requests coming into commoner.profiles.views.view will be checked: if
profile.redirect_https == True and the request was not made over HTTPS, the view
will return a redirect.
* When rendering the profile, if the request is made over HTTP, no OpenID header
information will be included
* We don't currently have an "email all users" facility but it should be trivial
to build.
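The redirect/403/session-flag behaviour that msg484 describes and the requirements in msg136, as an added example that is not code from this issue or from the commoner project. It is plain Python with no Django dependency: Profile, Request, Response and the session dict are constructed stand-ins for CommonerProfile, HttpRequest, HttpResponse and request.session, and REDIRECT_FLAG is a hypothetical session key.

```python
from dataclasses import dataclass, field
from typing import Optional

REDIRECT_FLAG = "openid_https_redirected"  # session key, hypothetical name

@dataclass
class Profile:                      # stand-in for CommonerProfile
    username: str
    redirect_https: bool            # True only for legacy accounts

@dataclass
class Request:                      # stand-in for Django's HttpRequest
    scheme: str                     # "http" or "https"
    host: str
    path: str
    profile: Optional[Profile]      # None if no user owns this identifier
    session: dict = field(default_factory=dict)

@dataclass
class Response:                     # stand-in for Django's HttpResponse
    status: int                     # 200, 302 or 403
    location: Optional[str] = None  # redirect target for 302
    openid_headers: bool = False    # emit OpenID discovery <link> tags?
    notice: Optional[str] = None    # short message shown to the user

def ssl_middleware(req: Request) -> Optional[Response]:
    """Return a Response to short-circuit the request, or None to continue."""
    if req.scheme == "https":
        return None
    if req.profile is None or not req.profile.redirect_https:
        # New or unknown identifier over plain HTTP: refuse it, so an
        # http:// OpenID can never be bootstrapped for a new user.
        return Response(403, notice="Use https:// for your OpenID identifier.")
    # Legacy user: redirect to HTTPS and flag the session so the view
    # knows this page load started over HTTP.
    req.session[REDIRECT_FLAG] = True
    return Response(302, location=f"https://{req.host}{req.path}")

def view_profile(req: Request) -> Response:
    """HTTPS profile view. pop() clears the flag so it cannot persist."""
    if req.session.pop(REDIRECT_FLAG, False):
        return Response(200, openid_headers=False,
                        notice="Switch your OpenID identifier to https://.")
    return Response(200, openid_headers=True)

def handle(req: Request) -> Response:
    """Middleware first, then the view, as in Django's request cycle."""
    return ssl_middleware(req) or view_profile(req)
```

Because the flag is popped rather than read, a legacy user's next HTTPS request after the redirected one gets the OpenID headers back, which is the persistence problem msg484 ran into.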
History
Date                 User      Action  Args
2010-10-04 00:24:02  nyergler  set     status: chatting -> wont-fix
2010-08-06 23:20:42  nyergler  set     messages: + msg2033
2009-05-20 17:01:15  jedoig    set     messages: + msg1110
2009-05-13 17:36:25  jedoig    set     keyword: + comemotate
2009-03-31 18:06:58  jedoig    set     messages: + msg630
2009-03-16 19:09:45  jedoig    set     messages: + msg536
2009-03-16 16:16:33  jedoig    set     messages: + msg522
2009-03-12 21:23:49  jedoig    set     status: unread -> chatting; messages: + msg484
2009-03-05 19:50:49  nyergler  set     assignedto: nyergler -> jedoig; nosy: + jedoig
2008-12-05 17:05:17  nyergler  create