Risks with OpenID Remember, with great comfort . comes great security risk . – Spiderman style ;)

What is OpenID (wikipedia) OpenID is a shared identity service, which allows Internet users to log on to many different web sites using a single digital identity. Eliminating the need for a different user name and password for each site. OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.

OpenID is a shared identity service, which allows Internet users to log on to many different web sites using a single digital identity. Eliminating the need for a different user name and password for each site.

OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.

Easy for user Complex to implement Not so difficult to do phishing You loose one ID and you loose complete web.

Easy for user

Complex to implement

Not so difficult to do phishing

You loose one ID and you loose complete web.

Remember single username and password for many sites Need not create a new account on a new site, use the same everywhere (mostly) Allow timed access Allow site X to use this authentication from date ‘a’ till date ‘b’ Benefits

Remember single username and password for many sites

Need not create a new account on a new site, use the same everywhere (mostly)

Allow timed access

Allow site X to use this authentication from date ‘a’ till date ‘b’

Popular OpenID providers Flickr : http://www.flickr.com/photos/ username Verisign : http:// username .pip.verisignlabs.com/ Technorati : http://technorati.com/people/technorati/ username Blogger : http:// blogname .blogspot.com Wordpress : http:// username .wordpress.com & now Google : https://www.google.com/accounts/o8/id?id= username its actually not an OpenID  read here

Flickr : http://www.flickr.com/photos/ username

Verisign : http:// username .pip.verisignlabs.com/

Technorati : http://technorati.com/people/technorati/ username

Blogger : http:// blogname .blogspot.com

Wordpress : http:// username .wordpress.com

& now

Google : https://www.google.com/accounts/o8/id?id= username

its actually not an OpenID  read here

Risks with OpenID Phishing Attacks Probably the biggest concern with OpenID. Users may be tricked into providing their credentials to phished OpenID provider website. This site might look like your original OpenID provider and you might loose your password for all the services affiliated to OpenID

Phishing Attacks

Probably the biggest concern with OpenID. Users may be tricked into providing their credentials to phished OpenID provider website.

This site might look like your original OpenID provider and you might loose your password for all the services affiliated to OpenID

Risks with OpenID… (contd) Man-in-the-middle Attacks If the connection is negotiated over weak encryption then it is subjected to interception attacks. Ensure that you are using HTTPS and you know how to use HTTPS safely 

Man-in-the-middle Attacks

If the connection is negotiated over weak encryption then it is subjected to interception attacks.

Ensure that you are using HTTPS and you know how to use HTTPS safely 

Risks with OpenID… (contd) Replay Attacks The URL from the relaying party can be sniffed, unless over HTTPS, and as such being replayed. Solution again is HTTPS

Replay Attacks

The URL from the relaying party can be sniffed, unless over HTTPS, and as such being replayed.

Solution again is HTTPS

Risks with OpenID… (contd) CSRF (Cross-site request forgery) Attacks Once the victim is logged in malicious user might be able to execute CSRF attacks against other sites. Oops… ;( <iframe id=&quot;login&quot; src=&quot; http://bank.com/login?openid_url = user.openid.net &quot; width=&quot;0&quot; height=&quot;0&quot;></iframe>

CSRF (Cross-site request forgery) Attacks

Once the victim is logged in malicious user might be able to execute CSRF attacks against other sites.

Oops… ;(

<iframe id=&quot;login&quot; src=&quot; http://bank.com/login?openid_url = user.openid.net &quot; width=&quot;0&quot; height=&quot;0&quot;></iframe>

Risks with OpenID… (contd) XSS Attacks Once the user is logged in attackers might be able to execute a series of XSS (Cross-site scripting) attacks against the identity provider, in which case they will be able to hijack the entire on-line use presence. If attacker can do it through OpenID then why not?

XSS Attacks

Once the user is logged in attackers might be able to execute a series of XSS (Cross-site scripting) attacks against the identity provider, in which case they will be able to hijack the entire on-line use presence.

If attacker can do it through OpenID then why not?

Not against OpenID No I’m not at all against OpenID. It’s a great idea and will make online life lot more easier. User must be aware of safe usage. Implementers should take care of most of the security risk.

No I’m not at all against OpenID.

It’s a great idea and will make online life lot more easier.

User must be aware of safe usage.

Implementers should take care of most of the security risk.

Recommendation NEVER EVER use OpenID or Single-Sign-On for banks or credit cards Always use HTTPS and know how to use it safely Better be paranoid than sorry  like the condom ad “better safe than worry”

NEVER EVER use OpenID or Single-Sign-On for banks or credit cards

Always use HTTPS and know how to use it safely

Better be paranoid than sorry  like the condom ad “better safe than worry”

Further reading OpenID security issues http://www.thespanner.co.uk/2007/06/29/openid-security-issues/ OpenID: Phishing Heaven http://www.links.org/?p=187 OpenID: Phishing Heaven II http://www.links.org/?p=188 Problems with OpenID http://idcorner.org/2007/08/22/the-problems-with-openid/ Phishing risk http://stii.za.net/semanticweb/openid-phishing-risks-be-careful/ Solving phishing problem http://simonwillison.net/2007/Jan/19/phishing/

OpenID security issues

http://www.thespanner.co.uk/2007/06/29/openid-security-issues/

OpenID: Phishing Heaven

http://www.links.org/?p=187

OpenID: Phishing Heaven II

http://www.links.org/?p=188

Problems with OpenID

http://idcorner.org/2007/08/22/the-problems-with-openid/

Phishing risk

http://stii.za.net/semanticweb/openid-phishing-risks-be-careful/

Solving phishing problem

http://simonwillison.net/2007/Jan/19/phishing/

Confused??? Drop me a mail rohit@ club hack .com I MIGHT be able to help you 

Drop me a mail

rohit@ club hack .com

I MIGHT be able to help you 