Story: OpenID at risk due to DNS flaw, warns researcher

Posted by: beuchelt (Thursday 14 August 2008, 3:23 PM)

Mitigating the fallout

While there is certainly a non-vanishing risk of some phisher posing as openid.sun.com, we have taken certain steps to make sure that our users are reasonably protected: the weak Debian-generated certificate has been replaced and revoked, and most modern browsers can check the status of certificates using OCSP (all Firefox, on by default in Firefox 3.x; IE 7 and later on Vista). In addition, we published a list of best practices for safer browsing at http://blog.beuchelt.org/2008/08/07/Some+Security+Advice+For+Our+OpenID+Users.aspx and internally.

Going forward, we are working to migrate our OpenID service to use HTTPS-based OpenIDs exclusively. There are some obvious issues, since http://some.open.id is not the same user as https://some.open.id.

At the end of the day, the OpenID service is a research experiment. Users have been warned that the service should under no circumstances be used for transactions that require any degree of assurance. We are trying to evaluate the operational characteristics of a 'user-centric' IdP.

For a number of reasons, we can so far not recommend OpenID-based services for authentication of any high-value transactions. Microsoft and some others have attempted to combine OpenID with the somewhat better security of the Information Card system, but these are changing the underlying protocols in such a way that most of its "OpenID-ness" is being replaced by the WS-* protocol suite of the Information Card model. Other attempts to increase the security of OpenID (such as the PAPE extensions or browser-supported authentication) can help to address some of the security issues, but a number of vectors to attack the system remain wide open.

Regards,

Gerald Beuchelt
