Risks With OpenID

clubhack advisory on OpenID

  1. Risks with OpenID
     Remember, with great comfort comes great security risk. – Spiderman style ;)
  2. What is OpenID (Wikipedia)
     - OpenID is a shared identity service which allows Internet users to log on to many different web sites using a single digital identity, eliminating the need for a different user name and password for each site.
     - OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.
  3.
     - Easy for the user
     - Complex to implement
     - Not so difficult to phish
     - Lose one ID and you lose the complete web.
  4. Benefits
     - Remember a single username and password for many sites
     - No need to create a new account on a new site; use the same one everywhere (mostly)
     - Allow timed access
       - Allow site X to use this authentication from date ‘a’ till date ‘b’
  5. Popular OpenID providers
     - Flickr : http://www.flickr.com/photos/<username>
     - Verisign : http://<username>.pip.verisignlabs.com/
     - Technorati : http://technorati.com/people/technorati/<username>
     - Blogger : http://<blogname>.blogspot.com
     - Wordpress : http://<username>.wordpress.com
     - & now
     - Google : https://www.google.com/accounts/o8/id?id=<username>
       (it’s actually not an OpenID; read here)
  6. Risks with OpenID
     - Phishing Attacks
     - Probably the biggest concern with OpenID. Users may be tricked into providing their credentials to a phishing site posing as their OpenID provider.
     - This site might look like your original OpenID provider, and you might lose your password for all the services affiliated with your OpenID.
  7. Risks with OpenID… (contd)
     - Man-in-the-middle Attacks
     - If the connection is negotiated over weak encryption, it is subject to interception attacks.
     - Ensure that you are using HTTPS and that you know how to use HTTPS safely.
  8. Risks with OpenID… (contd)
     - Replay Attacks
     - The URL from the relying party can be sniffed, unless sent over HTTPS, and then replayed.
     - The solution, again, is HTTPS.
  9. Risks with OpenID… (contd)
     - CSRF (Cross-site request forgery) Attacks
     - Once the victim is logged in, a malicious user might be able to execute CSRF attacks against other sites.
     - Oops… ;(
     - <iframe id="login" src="http://bank.com/login?openid_url=user.openid.net" width="0" height="0"></iframe>
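The replay slide (a sniffed URL replayed) and the CSRF slide (a login forced from a hidden iframe) both describe things a relying party can refuse on its own side. The following Python is an added example written for this page, not code from the deck: a per-session token bound into return_to so a forced login cannot complete, plus the response-nonce check from OpenID Authentication 2.0 that rejects stale or repeated assertions. Function and parameter names are assumptions; the signature check with the provider is omitted.

```python
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit
# Hypothetical relying-party (RP) helpers written for this illustration, not
# taken from the deck. Nonce layout follows OpenID Authentication 2.0:
# openid.response_nonce = UTC "YYYY-MM-DDThh:mm:ssZ" + unique suffix.
NONCE_WINDOW = timedelta(minutes=5)
SEEN_NONCES = set()  # demo only; a real RP uses a shared store with expiry

def parse_ts(text):
    """Parse the 20-char timestamp prefix of a response nonce, or return None."""
    try:
        return datetime.strptime(text[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None

def begin_login(session, return_base):
    """Bind the pending request to this browser session (login-CSRF defence).
    The token lives only in the victim's session and in return_to, so a login
    forced from a hidden iframe carries no token this session will accept."""
    token = secrets.token_urlsafe(16)
    session["openid_state"] = token
    return f"{return_base}?state={token}"

def check_response_nonce(nonce, now=None):
    """Reject stale or already-seen positive assertions (replay defence)."""
    now = now or datetime.now(timezone.utc)
    ts = parse_ts(nonce) if 20 <= len(nonce) <= 255 else None
    if ts is None or abs(now - ts) > NONCE_WINDOW or nonce in SEEN_NONCES:
        return False
    SEEN_NONCES.add(nonce)
    return True

def complete_login(session, params, return_base, now=None):
    """RP-side checks on the OP's positive assertion. Signature verification
    with the OP (association or check_authentication) is a separate step
    and is omitted here."""
    if params.get("openid.mode") != "id_res":
        return False
    got, want = urlsplit(params.get("openid.return_to", "")), urlsplit(return_base)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return False
    state = parse_qs(got.query).get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session.get("openid_state", "").encode()):
        return False
    if not check_response_nonce(params.get("openid.response_nonce", ""), now):
        return False
    session.pop("openid_state")  # one-shot: replaying the response fails the state check
    return True
```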
  10. Risks with OpenID… (contd)
      - XSS Attacks
      - Once the user is logged in, attackers might be able to execute a series of XSS (Cross-site scripting) attacks against the identity provider, in which case they would be able to hijack the user’s entire online presence.
      - If an attacker can do it through OpenID, then why not?
  11. Not against OpenID
      - No, I’m not at all against OpenID.
      - It’s a great idea and will make online life a lot easier.
      - Users must be aware of safe usage.
      - Implementers should take care of most of the security risks.
  12. Recommendation
      - NEVER EVER use OpenID or Single Sign-On for banks or credit cards
      - Always use HTTPS and know how to use it safely
      - Better to be paranoid than sorry, like the condom ad: “better safe than worry”
  13. Further reading
      - OpenID security issues
        - http://www.thespanner.co.uk/2007/06/29/openid-security-issues/
      - OpenID: Phishing Heaven
        - http://www.links.org/?p=187
      - OpenID: Phishing Heaven II
        - http://www.links.org/?p=188
      - Problems with OpenID
        - http://idcorner.org/2007/08/22/the-problems-with-openid/
      - Phishing risk
        - http://stii.za.net/semanticweb/openid-phishing-risks-be-careful/
      - Solving the phishing problem
        - http://simonwillison.net/2007/Jan/19/phishing/
  14. Confused???
      - Drop me a mail
      - rohit@clubhack.com
      - I MIGHT be able to help you
