Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Risks with OpenID Remember,  with great comfort . comes  great security risk . – Spiderman style ;)
What is OpenID  (wikipedia) <ul><li>OpenID is a shared identity service, which allows Internet users to log on to many dif...
<ul><li>Easy for user </li></ul><ul><li>Complex to implement </li></ul><ul><li>Not so difficult to do  phishing </li></ul>...
<ul><li>Remember single username and password for many sites </li></ul><ul><li>Need not create a new account on a new site...
Popular OpenID providers <ul><li>Flickr :  http://www.flickr.com/photos/ username  </li></ul><ul><li>Verisign :  http:// u...
Risks with OpenID <ul><li>Phishing Attacks   </li></ul><ul><li>Probably the biggest concern with OpenID. Users may be tric...
Risks with OpenID… (contd) <ul><li>Man-in-the-middle Attacks   </li></ul><ul><li>If the connection is negotiated over weak...
Risks with OpenID… (contd) <ul><li>Replay Attacks </li></ul><ul><li>The URL from the relaying party can be sniffed, unless...
Risks with OpenID… (contd) <ul><li>CSRF  (Cross-site request forgery)  Attacks </li></ul><ul><li>Once the victim is logged...
Risks with OpenID… (contd) <ul><li>XSS Attacks   </li></ul><ul><li>Once the user is logged in attackers might be able to e...
Not against OpenID <ul><li>No I’m not at all against OpenID. </li></ul><ul><li>It’s a great idea  and will make online lif...
Recommendation <ul><li>NEVER EVER  use OpenID or Single-Sign-On for  banks  or  credit cards </li></ul><ul><li>Always use ...
Further reading <ul><li>OpenID security issues </li></ul><ul><ul><li>http://www.thespanner.co.uk/2007/06/29/openid-securit...
Confused??? <ul><li>Drop me a mail  </li></ul><ul><li>rohit@ club hack .com  </li></ul><ul><li>I   MIGHT  be able to help ...
Upcoming SlideShare
Loading in …5
×

Risks With OpenID

7,119 views

Published on

clubhack advisory on OpenID

Published in: Technology, Design
  • Be the first to comment

Risks With OpenID

  1. Risks with OpenID Remember, with great comfort . comes great security risk . – Spiderman style ;)
  2. What is OpenID (wikipedia) <ul><li>OpenID is a shared identity service, which allows Internet users to log on to many different web sites using a single digital identity. Eliminating the need for a different user name and password for each site. </li></ul><ul><li>OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide. </li></ul>
  3. <ul><li>Easy for user </li></ul><ul><li>Complex to implement </li></ul><ul><li>Not so difficult to do phishing </li></ul><ul><li>You loose one ID and you loose complete web. </li></ul>
  4. <ul><li>Remember single username and password for many sites </li></ul><ul><li>Need not create a new account on a new site, use the same everywhere (mostly) </li></ul><ul><li>Allow timed access </li></ul><ul><ul><li>Allow site X to use this authentication from date ‘a’ till date ‘b’ </li></ul></ul>Benefits
  5. Popular OpenID providers <ul><li>Flickr : http://www.flickr.com/photos/ username </li></ul><ul><li>Verisign : http:// username .pip.verisignlabs.com/ </li></ul><ul><li>Technorati : http://technorati.com/people/technorati/ username </li></ul><ul><li>Blogger : http:// blogname .blogspot.com </li></ul><ul><li>Wordpress : http:// username .wordpress.com </li></ul><ul><li>& now </li></ul><ul><li>Google : https://www.google.com/accounts/o8/id?id= username </li></ul><ul><li>its actually not an OpenID  read here </li></ul>
  6. Risks with OpenID <ul><li>Phishing Attacks </li></ul><ul><li>Probably the biggest concern with OpenID. Users may be tricked into providing their credentials to phished OpenID provider website. </li></ul><ul><li>This site might look like your original OpenID provider and you might loose your password for all the services affiliated to OpenID </li></ul>
  7. Risks with OpenID… (contd) <ul><li>Man-in-the-middle Attacks </li></ul><ul><li>If the connection is negotiated over weak encryption then it is subjected to interception attacks. </li></ul><ul><li>Ensure that you are using HTTPS and you know how to use HTTPS safely  </li></ul>
  8. Risks with OpenID… (contd) <ul><li>Replay Attacks </li></ul><ul><li>The URL from the relaying party can be sniffed, unless over HTTPS, and as such being replayed. </li></ul><ul><li>Solution again is HTTPS </li></ul>
  9. Risks with OpenID… (contd) <ul><li>CSRF (Cross-site request forgery) Attacks </li></ul><ul><li>Once the victim is logged in malicious user might be able to execute CSRF attacks against other sites. </li></ul><ul><li>Oops… ;( </li></ul><ul><li><iframe id=&quot;login&quot; src=&quot; http://bank.com/login?openid_url = user.openid.net &quot; width=&quot;0&quot; height=&quot;0&quot;></iframe> </li></ul>
  10. Risks with OpenID… (contd) <ul><li>XSS Attacks </li></ul><ul><li>Once the user is logged in attackers might be able to execute a series of XSS (Cross-site scripting) attacks against the identity provider, in which case they will be able to hijack the entire on-line use presence. </li></ul><ul><li>If attacker can do it through OpenID then why not? </li></ul>
  11. Not against OpenID <ul><li>No I’m not at all against OpenID. </li></ul><ul><li>It’s a great idea and will make online life lot more easier. </li></ul><ul><li>User must be aware of safe usage. </li></ul><ul><li>Implementers should take care of most of the security risk. </li></ul>
  12. Recommendation <ul><li>NEVER EVER use OpenID or Single-Sign-On for banks or credit cards </li></ul><ul><li>Always use HTTPS and know how to use it safely </li></ul><ul><li>Better be paranoid than sorry  like the condom ad “better safe than worry” </li></ul>
  13. Further reading <ul><li>OpenID security issues </li></ul><ul><ul><li>http://www.thespanner.co.uk/2007/06/29/openid-security-issues/ </li></ul></ul><ul><li>OpenID: Phishing Heaven </li></ul><ul><ul><li>http://www.links.org/?p=187 </li></ul></ul><ul><li>OpenID: Phishing Heaven II </li></ul><ul><ul><li>http://www.links.org/?p=188 </li></ul></ul><ul><li>Problems with OpenID </li></ul><ul><ul><li>http://idcorner.org/2007/08/22/the-problems-with-openid/ </li></ul></ul><ul><li>Phishing risk </li></ul><ul><ul><li>http://stii.za.net/semanticweb/openid-phishing-risks-be-careful/ </li></ul></ul><ul><li>Solving phishing problem </li></ul><ul><ul><li>http://simonwillison.net/2007/Jan/19/phishing/ </li></ul></ul>
  14. Confused??? <ul><li>Drop me a mail </li></ul><ul><li>rohit@ club hack .com </li></ul><ul><li>I MIGHT be able to help you  </li></ul>

×