MeatballWiki | RecentChanges | Random Page | Indices | Categories


From the website:

OpenID is an open, decentralized, free framework for user-centric digital identity.

To log in to an OpenID-enabled website (even one you've never been to before), just type your OpenID URI. The website will then redirect you to your OpenID Provider to login using whatever credentials it requires. Once authenticated, your OpenID provider will send you back to the website with the necessary credentials to log you in. By using Strong Authentication where needed, the OpenID Framework can be used for all types of transactions, both extending the use of pure single-sign-on as well as the sensitivity of data shared.
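The redirect-and-return exchange described above, worked through as an added example (not code from the page or from any OpenID implementation). It models the OpenID 2.0 stateful flow: the relying party (the website) sends the browser to the provider with a checkid_setup request, and the provider sends the browser back with an id_res assertion signed by HMAC-SHA1 under a MAC key the two sides share from an earlier association step (that step is assumed, not shown). The hostnames, the user's OpenID URI and the nonce format are assumptions. The verifier checks return_to, op_endpoint, the nonce (against replay) and the signature; what it cannot check, and what the discussion below is about, is whether the user typed their password into the genuine provider or a look-alike.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed identifiers for this example (not from the page): a relying party
# (the website), an OpenID provider (OP), and a user's OpenID URI.
OP_ENDPOINT = "https://idp.example/openid/server"
RP_RETURN_TO = "https://shop.example/openid/return"
RP_REALM = "https://shop.example/"
USER_CLAIMED_ID = "https://alice.example/"
OPENID_NS = "http://specs.openid.net/auth/2.0"

# Fields the OP must sign in a positive assertion (OpenID 2.0, section 10.1).
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]


def rp_redirect_url(claimed_id, assoc_handle):
    """Relying party: build the checkid_setup redirect that sends the browser to the OP."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RP_RETURN_TO,
        "openid.realm": RP_REALM,
        "openid.assoc_handle": assoc_handle,
    }
    return OP_ENDPOINT + "?" + urlencode(params)


def kv_form(values):
    """Key-value form of the fields named in openid.signed, in that order (the signed string)."""
    names = values.get("openid.signed", "").split(",")
    return "".join(f"{n}:{values.get('openid.' + n, '')}\n" for n in names if n)


def op_positive_assertion(mac_key, assoc_handle, claimed_id, return_to):
    """OP: after the user authenticates, emit an id_res assertion signed with the association key."""
    values = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        # Assumed nonce format: timestamp plus random suffix, unique per assertion.
        "openid.response_nonce": "2007-04-10T12:00:00Z" + secrets.token_urlsafe(8),
        "openid.assoc_handle": assoc_handle,
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    mac = hmac.new(mac_key, kv_form(values).encode(), hashlib.sha1).digest()
    values["openid.sig"] = base64.b64encode(mac).decode()
    return values


def rp_verify(mac_key, values, seen_nonces):
    """RP: accept the assertion only if it is addressed to us, fresh, and correctly signed.
    Returns the authenticated claimed_id, or None."""
    if values.get("openid.mode") != "id_res":
        return None
    if values.get("openid.return_to") != RP_RETURN_TO:
        return None                      # assertion meant for some other site
    if values.get("openid.op_endpoint") != OP_ENDPOINT:
        return None                      # not the provider we associated with
    if not set(SIGNED_FIELDS) <= set(values.get("openid.signed", "").split(",")):
        return None                      # OP must sign every required field
    nonce = values.get("openid.response_nonce")
    if not nonce or nonce in seen_nonces:
        return None                      # replayed assertion
    expected = hmac.new(mac_key, kv_form(values).encode(), hashlib.sha1).digest()
    try:
        got = base64.b64decode(values.get("openid.sig", ""), validate=True)
    except binascii.Error:
        return None
    if not hmac.compare_digest(expected, got):
        return None                      # tampered or forged
    seen_nonces.add(nonce)
    return values["openid.claimed_id"]


def demo():
    """Run the exchange once: a genuine assertion is accepted, a replayed or tampered one is not."""
    mac_key = secrets.token_bytes(20)    # shared with the OP via the association step (not shown)
    assoc_handle = "assoc-" + secrets.token_hex(4)
    seen = set()
    redirect = rp_redirect_url(USER_CLAIMED_ID, assoc_handle)
    assertion = op_positive_assertion(mac_key, assoc_handle, USER_CLAIMED_ID, RP_RETURN_TO)
    accepted = rp_verify(mac_key, assertion, seen)
    replayed = rp_verify(mac_key, assertion, seen)
    forged = dict(assertion, **{"openid.claimed_id": "https://mallory.example/"})
    tampered = rp_verify(mac_key, forged, set())
    return redirect, accepted, replayed, tampered


if __name__ == "__main__":
    print(demo())
```

Note that every check in rp_verify runs on the OP-to-RP leg. A phishing site that copies the RP and redirects the browser to a fake provider never has to produce a valid signature: it simply collects the password on the fake provider's login form, which is the leg no signature covers.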

Sounds like this work complements WikiPassport.

See also:

OpenID is interesting, but it's a pity security between the OpenID identity provider and the user has not been considered, leaving it exploitable by phishing. There have been a few ideas to allow users to customize their login forms on the identity provider, so they are more difficult to copy, but most methods seem to require cookies. -- JaredWilliams

Is that any different from any other web app, though? Any website can be phished. -- ChrisPurcell

It's more attractive to phish it, as gaining a username & password means you can log in to any web app that supports OpenID as the phished user. -- JaredWilliams

Not as attractive as online banking! -- ChrisPurcell

Hmmm...this is something that I plan on exploring more at http://socialsynergyweb.net/cgi-bin/wiki/OpenidEcomm/HomePage

So far I've seen people talk about

Phishing seems to me to be more of a risk when you are utilizing a third party IdentityProvider, than when you are, for instance, your own IdentityProvider, which is fairly easy to do with OpenID. Unless you are saying that people are able to mask their phishing site with your domain, for instance?

I think it could be interesting to really break down the mechanics of Phishing, and other OpenID security problems, and see what can be done about it.

For OpenID ecommerce, a verification system could easily be implemented, to make sure that someone is not masking or some how spoofing an OpenID url. -- SamRose

I'm not certain how a verification system could work. As an attacker I would copy the ecomm store, and host it on a similar domain name. When a customer enters their OpenID URL, I would redirect them to my fake copy of their OpenID provider. If the customer is fooled, they would submit their details.

So the problem is to try and prevent the customer from giving their details to the wrong site.

Most OpenID identity providers allow some sort of customization, like uploading a picture, to make it more difficult for the attacker to copy the OpenID provider login page accurately. But a recent paper ([The Emperor's New Security Indicators]) states that 92% of people still entered their details even when the picture was missing. -- JaredWilliams

With respect to phishing: I think that the problem there lies with using passwords, not with using OpenID. I started an OpenID identity provider called certifi.ca (https://certifi.ca/ ) that only uses browser SSL certificates for authentication; no passwords are asked for, ever. I hope it's going to be useful for people. --EvanProdromou

Sounds highly decent! How do you handle (a) people using multiple machines, (b) several people sharing a machine, (c) people browsing from untrusted machines (e.g. cybercafe) and (d) users without sufficient privileges on their everyday account to install software (e.g. work machines)? -- ChrisPurcell

I don't! I figure that's up to people to work out for themselves, and up to the browsers. (a) can be done by installing certs on each machine -- either the same cert or different certs which are all attached to the same certifi.ca account. (b) I think is up to the browser or to the OS separating authority. (c) I have no idea about, although these [USB security devices] might work, although I haven't tried them. Mostly, cybercafe accounts are really insecure -- who knows what's installed there? Finally, (d) I don't know if it's a problem, because I think both major browsers allow importing or generating certs. If you can't create or install a cert on your work machine, I don't think there's anything to be done. --EvanProdromou

Hmmm, certificates aren't likely to become mainstream in my opinion; people not knowledgeable enough to use certificates are exactly the same people that will be more at risk from phishing.

Have seen another OpenID identity provider using certificates, http://www.prooveme.com/ , though they use the browser to generate the certificate (well not all obviously but the public/private pair). Still, as Chris points out, awkward with multiple machines.

Still waiting for a provider to sell USB tokens with their service. Could have certificates securely stored on it, or possibly a one time password generator. Most device manufacturers seem to be supporting the [OATH] (HOTP) open standard now so integrating into a web site is easy. Actually the Apache project has the [triplesec project] which uses HOTP, and provides a Java ME application to allow phones etc. to become OTP tokens. -- JaredWilliams
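The OATH HOTP algorithm mentioned above, as an added example (not code from the page, from OATH, or from the triplesec project), so a reader can see what a web site would actually have to implement to accept codes from such a token. HOTP (RFC 4226) is HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated to a 6-digit decimal code. The server-side verify function with a look-ahead window and forward-only counter is my own addition; the 20-byte secret is the one from the RFC's test vectors, used here as a constructed input, not a real token key.

```python
import hashlib
import hmac


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[19] & 0x0F                      # low nibble of the last byte picks the window
    code = ((mac[offset] & 0x7F) << 24           # mask the sign bit per the RFC
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, server_counter: int, submitted: str, look_ahead: int = 10):
    """Server-side check for a submitted code (added design, not part of the RFC).

    The token's counter may run ahead of the server's if the user pressed the button
    without logging in, so a small look-ahead window is searched. The comparison is
    constant-time, and on success the returned value is the counter to store next,
    which is always past the accepted one, so a captured code cannot be replayed.
    Returns None if no counter in the window matches."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


# Shared secret from the RFC 4226 test vectors (constructed example input, not a real key).
RFC4226_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    for counter in range(10):
        print(counter, hotp(RFC4226_SECRET, counter))
```

A relying party or identity provider storing per-user (secret, counter) pairs would call verify_hotp on each login and persist the returned counter; the window size is the usual trade-off between usability after a few stray button presses and the attacker's number of guesses per attempt.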

Evan, that is cool! Interesting idea. Jared, a USB token is interesting too. About phishing, it seems that at least some of us agree that the biggest problem with phishing, OpenID or otherwise, is fooling people into typing their info into a fake website that is made to look like the authentic website. It seems to me, that for people who can be fooled in this way, that browser technology itself can be created to warn them before submitting info.

For instance, if I receive an email saying that I need to visit ebay right away to update my password, and I click on the link to the form. When I proceed to submit information on a form, a window pops up and asks me "is this ebay" and has ebay's current authentic login machine information to check it against. If it doesn't match up, it warns me "THIS IS NOT EBAY! It is likely someone trying to steal your information!". This could cut down on phishing victims significantly if done right, IMO -- SamRose

There was a paper on using a browser plugin, [Passpet], but unfortunately the software doesn't seem to be ready yet, [Passpet @ mozdev]. -- JaredWilliams

I've been watching and discussing certificates for a few years...

During this time, I've been wondering why they aren't catching on and I generally concluded that they were complicated enough to require technical support and that there wasn't all that much of a benefit to using them. Suddenly (as of late 2006-12) I find myself using them daily and ...

-- HansWobbe

I just heard that Vidoop ( http://vidoop.com/ ) claims it has new technology based on OpenID that is easier to use and "more secure" than passwords. "Presumably Vidoop will be revealing more of what is behind its curtain at the Web 2.0 Expo in San Francisco on April 17th." -- [Say good-bye to passwords]

Vidoop is about 10 minutes from my place. Are these people that I should go talk to? -- DavidCary

Based on the screencast, while they claim they are defending against KeystrokeLogging, if you have a keystroke logger installed on your computer, you're just as likely to have a remote desktop. It is not really a large leap to see attackers adapting by taking a screen capture of the Vidoop login sequence. Since the number of categories is small, all an attacker needs is a screen capture and password for one session, and they have a pretty good guess what your password is. On the other hand, there are 16 images, so there are only 120 possible 2-image pairs for a login. If you have a large database of Vidoop accounts, it should be possible to break into 1/40 of them through brute force and random chance (assuming 3 password attempts). I remain sceptical. -- SunirShah

