Risks With OpenID

Risks with OpenID Remember, with great comfort . comes great security risk . – Spiderman style ;)

What is OpenID (wikipedia)
OpenID is a shared identity service, which allows Internet users to log on to many different web sites using a single digital identity. Eliminating the need for a different user name and password for each site.
OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.

Easy for user
Complex to implement
Not so difficult to do phishing
You loose one ID and you loose complete web.

Remember single username and password for many sites
Need not create a new account on a new site, use the same everywhere (mostly)
Allow timed access
Allow site X to use this authentication from date ‘a’ till date ‘b’
Benefits

Popular OpenID providers
Flickr : http://www.flickr.com/photos/ username
Verisign : http:// username .pip.verisignlabs.com/
Technorati : http://technorati.com/people/technorati/ username
Blogger : http:// blogname .blogspot.com
Wordpress : http:// username .wordpress.com
& now
Google : https://www.google.com/accounts/o8/id?id= username
its actually not an OpenID  read here

Risks with OpenID
Phishing Attacks
Probably the biggest concern with OpenID. Users may be tricked into providing their credentials to phished OpenID provider website.
This site might look like your original OpenID provider and you might loose your password for all the services affiliated to OpenID

Risks with OpenID… (contd)
Man-in-the-middle Attacks
If the connection is negotiated over weak encryption then it is subjected to interception attacks.
Ensure that you are using HTTPS and you know how to use HTTPS safely 

Replay Attacks
The URL from the relaying party can be sniffed, unless over HTTPS, and as such being replayed.
Solution again is HTTPS

CSRF (Cross-site request forgery) Attacks
Once the victim is logged in malicious user might be able to execute CSRF attacks against other sites.
Oops… ;(
<iframe id="login" src=" http://bank.com/login?openid_url = user.openid.net " width="0" height="0"></iframe>

XSS Attacks
Once the user is logged in attackers might be able to execute a series of XSS (Cross-site scripting) attacks against the identity provider, in which case they will be able to hijack the entire on-line use presence.
If attacker can do it through OpenID then why not?

Not against OpenID
No I’m not at all against OpenID.
It’s a great idea and will make online life lot more easier.
User must be aware of safe usage.
Implementers should take care of most of the security risk.

Recommendation
NEVER EVER use OpenID or Single-Sign-On for banks or credit cards
Always use HTTPS and know how to use it safely
Better be paranoid than sorry  like the condom ad “better safe than worry”

Further reading
OpenID security issues
http://www.thespanner.co.uk/2007/06/29/openid-security-issues/
OpenID: Phishing Heaven
http://www.links.org/?p=187
OpenID: Phishing Heaven II
http://www.links.org/?p=188
Problems with OpenID
http://idcorner.org/2007/08/22/the-problems-with-openid/
Phishing risk
http://stii.za.net/semanticweb/openid-phishing-risks-be-careful/
Solving phishing problem
http://simonwillison.net/2007/Jan/19/phishing/

Confused???
Drop me a mail
rohit@ club hack .com
I MIGHT be able to help you 

http://punetech.com	79
http://rohit11.blogspot.com	45
http://blog.rohit11.com	34
http://www.slideshare.net	20
http://blogs.siliconindia.com	7
http://www.blogger.com	1
http://www.siliconindia.com	1
http://translate.googleusercontent.com	1

Risks With OpenID

by Rohit Srivastwa on Oct 29, 2008

Accessibility

Categories

Tags

Upload Details

Usage Rights

8 Embeds 188

Statistics

Risks With OpenID — Presentation Transcript