Opened 8 years ago

Last modified 20 months ago

#4595 new defect

OpenID breakage (Assembla/Google, Identi.ca, other sites?)

Reported by: pde Owned by: pde
Priority: Medium Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Normal Keywords: httpse-ruleset-bug
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We've had a couple of recent reports of breakage of OpenID deployments.

An unresolved one:

https://mail1.eff.org/pipermail/https-everywhere-rules/2011-November/000789.html

And a possibly worked-around one:

https://mail1.eff.org/pipermail/https-everywhere-rules/2011-November/000789.html

Child Tickets

TicketStatusOwnerSummaryComponent
#5306closedpdeMyOpenId rule breaks OpenId loginsHTTPS Everywhere/EFF-HTTPS Everywhere

Change History (9)

comment:1 Changed 8 years ago by pde

I speculate that there may be a problem in which OpenID implementations hash URLs, and these change when an s is added to the scheme. However this is pure speculation, I don't know much about OpenID yet.

comment:3 Changed 7 years ago by cypherpunks

Here is a specific example of new MyOpenID breakage with latest 2.0.1 release:

Go to Toodledo.com, select login, then login using OpenID, on next screen enter a MyOpenID.com user name (make one up like xyz.MyOpenID.com or create one for yourself) & submit. You will receive a "Bad Redirect" error message at MyOpenID.com. Disabling the MyOpenID.com rule allows the login to work properly again. As I said, this just broke with the latest HTTPS Everywhere update!

If you need to contact me for clarification/screenshots/whatever, you can do so at SESmith2112 /*at*/ gmail dawt com.

comment:4 Changed 7 years ago by cypherpunks

I confirm this issue.

comment:5 Changed 7 years ago by mikeperry

Keywords: httpse-ruleset-bug added

Might actually be a deeper issue than a simple ruleset change, but tagging anyway just in case.

comment:6 Changed 6 years ago by zarel

I use myopenid.com and sometimes sourceforge.net as a relay to myopenid.com. Both works with toodledo.

User should be warned somehow that they should use the HTTPS scheme when they give their OpenID username.

comment:7 Changed 6 years ago by schoen

Interesting. We probably need the fix (at a recommended-UI or specification level) to come from OpenID, then. How numerous and how independent are the deployed OpenID implementations?

I'll send a note to the OpenID Foundation and see if they can advise us about this.

comment:8 Changed 6 years ago by schoen

The OpenID Foundation asked me to post on their forum, so I posted about the problem here:

https://getsatisfaction.com/openid/topics/openid_and_https_everywhere_url_rewriting

comment:9 Changed 20 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.