TalkBMC

Black Hats on OpenID

From Bob Blakley, a pointer (via Pamela Dingle) to this article on OpenID, based on a presentation given at the last Black Hat security conference. It makes some very interesting points about OpenID security.

Some takeaways from the article:
  • An OpenID provider knows all the sites you authenticate to. From a privacy standpoint, I am not personally OK with that. Others will have different pain thresholds on this.
  • OpenID is vulnerable to session hijacking if the redirect from the OpenID provider to the relying party is not done over SSL. This obviously applies to both the OP and the RP. Of course, while this is certainly a danger, it is no different from the risk of session hijacking that can happen at any time after authentication, as I discuss here.
  • If the user can be lured to a malicious site, a cross-site request forgery attack can be used. The attacker could try to guess other sites where the user might have OpenID enabled and count on the fact that, by authenticating to the malicious site, the user now has a current session at the OpenID provider. If OpenID ever reaches widespread adoption for sensitive applications (i.e., the kinds that attract hackers), this kind of attack will be very likely.
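As an added illustration of the relying-party side of the two risks above (example code, not from the post or from any OpenID library): the RP binds a session-specific token into openid.return_to before redirecting to the OP, refuses assertions that did not arrive over HTTPS, and checks that the echoed return_to matches the URL actually hit and carries the token minted for this browser session. The endpoint rp.example, the rp_state parameter and the in-memory session dict are assumptions.

```python
# Added example (not from the original post). Assumptions: the RP keeps a random,
# session-bound token in its own server-side session and puts the same token into
# openid.return_to; the OP echoes openid.return_to unchanged (OpenID 2.0 behaviour).
import secrets
from typing import Dict, Tuple
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

RP_RETURN_BASE = "https://rp.example/openid/return"   # constructed RP endpoint


def build_return_to(session: dict) -> str:
    """Mint a fresh token, store it in the RP session, and bind it into return_to."""
    token = secrets.token_urlsafe(32)
    session["openid_state"] = token
    parts = urlparse(RP_RETURN_BASE)
    return urlunparse(parts._replace(query=urlencode({"rp_state": token})))


def validate_response(session: dict, received_url: str,
                      params: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason) for a positive assertion delivered to received_url.

    1. The assertion must arrive over TLS (the redirect-hijacking point above).
    2. openid.return_to must name this RP over HTTPS and match the URL actually hit.
    3. rp_state in the URL must equal the token minted for this session, and the
       token is consumed so a captured assertion cannot be replayed (the CSRF point).
    """
    recv = urlparse(received_url)
    if recv.scheme != "https":
        return False, "assertion not received over https"
    rt = urlparse(params.get("openid.return_to", ""))
    if rt.scheme != "https" or (rt.netloc, rt.path) != (recv.netloc, recv.path):
        return False, "openid.return_to does not match this endpoint over https"
    expected = session.pop("openid_state", None)          # one-shot, even on failure
    presented = parse_qs(recv.query).get("rp_state", [None])[0]
    echoed = parse_qs(rt.query).get("rp_state", [None])[0]
    if expected is None or presented is None or presented != echoed:
        return False, "rp_state missing or inconsistent between URL and return_to"
    if not secrets.compare_digest(expected, presented):
        return False, "rp_state not bound to this browser session"
    # A real RP would additionally verify openid.sig and the OP endpoint here.
    return True, "ok"
```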


Tuesday, August 21, 2007  |  Permalink |  Comments (3)

On Privacy & Attention

Posted by Tara Kelly (PassPack) at 2007-08-22 16:01
That a single OpenID provider has a list of all (OpenID enabled sites) you connect to... well it brings to mind this article:

http://www.readwriteweb.com/archives/attention_economy_overview.php

Happy reading, that's a long one.
Cheers,
Tara

Strong Auth to OpenId IDPs

Posted by Dave at IronKey at 2007-08-24 03:40
As CEO of IronKey, and Chairman of the Anti-Phishing Working Group (http://www.antiphishing.org), I am glad to see a discussion of the security vulnerabilities of OpenID. Frankly, without strong 2-factor authentication, centralized password management or OpenID IDPs are just too risky. As the author points out, phishing has not been solved (and I don't think it ever will be "solved").

If your login credentials to your IDP are compromised, it's game over for your identity on the Internet. The same is true of Liberty Alliance or any federated identity system.