Full Disclosure mailing list archives
Re: OpenID. The future of authentication on the web?
From: "John C. A. Bambenek, GCIH, CISSP" <bambenek.infosec () gmail com>
Date: Mon, 24 Mar 2008 10:32:10 -0500
When it comes to IT... the user is the *last* person I want empowered.

On Mon, Mar 24, 2008 at 10:21 AM, Petko D. Petkov <pdp.gnucitizen () googlemail com> wrote:
on your last comment, OpenID is exactly designed for that! To give the power back to the user!

On Mon, Mar 24, 2008 at 3:10 PM, Paul Schmehl <pauls () utdallas edu> wrote:

--On Monday, March 24, 2008 09:13:38 +0000 "Petko D. Petkov" <pdp.gnucitizen () googlemail com> wrote:

>> Yes, and convenience is often the enemy of security.
>>
>
> Not always. I think complexity is the enemy of security. The simpler
> the system is the less chance to screw up, the more secure it is. It
> is much easier to secure a single port than a class B network, don't
> you think?
>

Of course. Both complexity *and* convenience are often the enemies of
security. :-)

> First of all, we've proved time and time again that people do reuse
> passwords. Password reuse is a huge problem and it is due to our
> inefficiency of memorizing partial information which is not associated
> with anything substantial. In psychology this is known as the process
> of anchoring and if you master how to anchor then you can master
> memorizing large sets of useless data without getting corrupted
> sectors in your brain. A good start is reading Darren Brown's book
> "Trick of the Mind".
>

I don't disagree.

> On another note, capturing my OpenID credentials wouldn't be as easy
> as you say. First of all if the OpenID provider has a valid,
> authorized SSL certificate you won't be even able to see when creds
> are flying around. Second, I've mentioned one-time passwords in terms
> of keyfobs, rsa tokens, whatever. Even if you capture these
> credentials you won't be able to use them and believe me, carrying one
> keyfob just for your OpenID provider is a lot easier than having what
> they call keyfob necklace in order to ensure a good security for every
> single site you visit. I think that verisign provides OpenID service
> which is based on all that.
>

Verisign *requires* only alpha-numeric characters for my password for my
*CAADMIN* account for our PKI system. That should tell you something about
their dedication to security.

> Last but not least, lets say that you have access to the machine or
> network and you can sniff the cookies and as such get access to the
> openid account. Well, some OpenID providers have features where you
> can configure the account to automatically destroy the session cookie
> once an OpenID authentication is authorized. Your best chance is to
> sniff or attack the sites where the user is logging into but any
> problems associated with them are not problems within OpenID and they
> will work independently of the authorization/identification mechanism.
>

Getting access inside networks these days is trivial. There are hundreds and
hundreds of compromised machines inside of corporate networks due to phishing
scams and the ignorance of the average user. Furthermore, you can get access
to at least 10% of the machines on any network simply by logging in as
administrator or root (pick your OS) using either blank, password or
root/administrator as the password. Add to that hundreds of trivial sql
injection attacks and other easy attacks, and most networks are like swiss
cheese.

Once you're on one box inside, you can roam around freely and find a way to
capture id information in the clear.

> Well, PayPal is a lot more secure when it comes to money
> transfers/transactions. Do you feel comfortable giving away your
> credit card details to every single merchant from which you want to
> purchase some goods. I don't!
>

You frame the question wrong. The real question is, do I feel comfortable
exposing $50 to risk by using a credit card or exposing every dollar I've
deposited with Paypal to risk. And the $50 is waived if the vendor is culpable
for the loss.

I scanned a card through a gas pump while on a vacation trip last year. Within
two hours someone had charged $1005 on that card. It cost me nothing. The
charges were reversed, because it was clearly fraud. (I was in South Carolina
- timestamped just two hours before - the charge was in El Paso.)

The credit card industry is quite robust and equipped to handle fraud. What
happens when an OpenID account is compromised and *every* account is drained
and thousands of dollars are charged and *according to OpenID* it was me?

> Well, roll your own OpenID service. It takes 5 minutes and a couple of
> lines with PHP and you can make it as secure as you want. Isn't that
> much better than trusting every single login prompt you see?
>

No, it's not, because a poorly secured site exposes only that data I have
revealed to them. OpenID opens a whole new realm of theft. But don't take my
word for it. Just wait for the first big scam to occur.

First I phish your credentials. Or I induce you into installing a trojan on
your box. Then I get your OpenID username and password. Now I have everything.

It *will* happen.

> true but as I mentioned above and in my previous email, you can spend
> good time securing your OpenID to the extent it is not feasible for
> someone to attack it. We know that all encryption mechanisms are
> vulnerable to brute force attacks but is it feasible to crack them?
> No, not at all. Not now! Maybe when we get to personal quantum
> computing we might have a chance but by that time we will switch to
> quantum based cryptography.
>

Now you sound like Larry Ellison. :-)

>> Now, there is no doubt that we need better user education. Users *must*
>> learn not to trust everything they get in email. They must also learn to
>> use good passwords and not reuse them on every site they visit. There's
>> also no doubt that some sites will do a lousy job of security and end up
>> exposing a person's credentials (which is why you should use different
>> credentials on every site.)
>>
>
> This is impossible! :)
>

Spoken like a true advocate for technological solutions to every human
problem.

>> We also need some sites to do a better job of requiring strong passwords.
>> (Some still require only alpha-numeric characters and too few maximum
>> characters.)
>>
>
> This is also impossible! :)
>

Not really. Think Sox, GLBA, PCI, etc., etc.

>> But the idea that SSO makes sense outside the context of a single entity
>> that controls its userbase is misbegotten, in my opinion. The individual
>> *user* should control their credentials, not some "foreign" entity, no
>> matter how trustworthy they may claim to be.
>>
>
> As I said, if you don't trust public OpenID providers, roll your own.
> It is very, very, very easy.
>

You're misunderstanding my point. It's not that I necessarily distrust OpenID
providers or the software itself. It's that I think the entire approach to
solving the problem is wrong-headed. Data owners should control the access to
their data, not third parties.

--
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters
gnucitizen.org | hakiri.org | spinhunters.org
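The provider-side feature Petkov describes above (a session cookie that is destroyed as soon as one OpenID authentication has been authorized, so a sniffed cookie is worthless afterwards) modelled as an added example. This is not code from the thread, from any OpenID provider or from the OpenID specification; the class and method names (OpenIDProvider, login, authorize), the relying-party hostnames and the sniffing scenario are assumptions constructed for illustration.

```python
"""Single-use provider session: a sniffed cookie cannot be replayed once
the authentication it was minted for has been authorized.

Added example; OpenIDProvider and its method names are illustrative and
are not any real provider's API.
"""
from __future__ import annotations

import hashlib
import secrets
import time


class OpenIDProvider:
    """Minimal model of the provider-side session store."""

    def __init__(self, session_ttl: int = 900) -> None:
        self._ttl = session_ttl
        # key: SHA-256 of the cookie, so a dump of this table does not hand
        # out live cookies; value: (user, expires_at, destroy_on_auth)
        self._sessions: dict[str, tuple[str, float, bool]] = {}
        self.assertions: list[tuple[str, str]] = []  # (user, relying party)

    @staticmethod
    def _key(cookie: str) -> str:
        return hashlib.sha256(cookie.encode()).hexdigest()

    def login(self, user: str, destroy_on_auth: bool = True,
              now: float | None = None) -> str:
        """Password/OTP already verified; mint a fresh random session cookie."""
        cookie = secrets.token_urlsafe(32)
        expires = (time.time() if now is None else now) + self._ttl
        self._sessions[self._key(cookie)] = (user, expires, destroy_on_auth)
        return cookie

    def authorize(self, cookie: str, relying_party: str,
                  now: float | None = None) -> bool:
        """Issue an assertion for relying_party if the cookie is live.

        With destroy_on_auth the session is torn down the moment one
        assertion is issued, so the same cookie cannot authorize a second
        relying party (for instance from an attacker who sniffed it).
        """
        key = self._key(cookie)
        entry = self._sessions.get(key)
        if entry is None:
            return False
        user, expires, destroy_on_auth = entry
        if (time.time() if now is None else now) >= expires:
            del self._sessions[key]        # expired: drop it and refuse
            return False
        self.assertions.append((user, relying_party))
        if destroy_on_auth:
            del self._sessions[key]        # single use: cookie is now dead
        return True


def replay_scenario(destroy_on_auth: bool) -> dict:
    """Constructed scenario: the attacker sniffs the cookie, the user
    authorizes one site, the attacker then replays the cookie at another."""
    op = OpenIDProvider()
    cookie = op.login("alice", destroy_on_auth=destroy_on_auth, now=1000.0)
    sniffed = cookie                       # attacker's copy of the cookie
    user_ok = op.authorize(cookie, "bank.example", now=1001.0)
    attacker_ok = op.authorize(sniffed, "shop.example", now=1002.0)
    return {"user_ok": user_ok, "attacker_ok": attacker_ok,
            "assertions": list(op.assertions)}


def expiry_scenario() -> bool:
    """A cookie past its TTL is refused even when it is not single-use."""
    op = OpenIDProvider(session_ttl=60)
    cookie = op.login("bob", destroy_on_auth=False, now=1000.0)
    return op.authorize(cookie, "mail.example", now=1061.0)


if __name__ == "__main__":
    print("single-use :", replay_scenario(True))
    print("persistent :", replay_scenario(False))
    print("expired    :", expiry_scenario())
```

Run with the persistent setting the replayed cookie authorizes the second site; with the single-use setting only the user's own authorization succeeds. Note what this does and does not cover: it narrows the window for a sniffed provider cookie, but it is no defence against phished credentials or a trojan on the user's machine, which is the case the thread goes on to argue about.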
Current thread:
- Re: OpenID. The future of authentication on the web?, (continued)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- Re: OpenID. The future of authentication on the web? John C. A. Bambenek, GCIH, CISSP (Mar 24)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- Re: OpenID. The future of authentication on the web? Gorn (Mar 24)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- Re: OpenID. The future of authentication on the web? Gorn (Mar 24)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- Re: OpenID. The future of authentication on the web? Valdis . Kletnieks (Mar 24)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 24)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- Re: OpenID. The future of authentication on the web? John C. A. Bambenek, GCIH, CISSP (Mar 24)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)