WebApp Sec mailing list archives
Re: OpenID and the web
From: David Wall <dwall () yozons com>
Date: Thu, 27 Mar 2008 08:30:37 -0700
Yes, it is difficult to configure it for supporting sites.But it does save us from registering at multiple webistes & remembering the passwords of each of them.
Single sign-on only is truly useful if nearly all sites adopt it, unfortunately. After all, I have a Password Safe file that contains 225 entries now (many are business-related, but many are for the various personal sites I'm registered at). If 25 sites adopt a common SSO, I'd still have 200 entries, meaning I'd still need/use Password Safe (or other password manager, which is really extremely useful and easy to use and allows me to effectively remember all passwords by only remembering one good pass phrase that never is shared with anybody). If they all adopted, then I wouldn't need it, which would be awesome, but seems unlikely to happen, and of course there are passwords I have to "remember" that are not for web sites.
Also, isn't entering the pseudo-random numbers subject to MITM with replay attack? I've not researched it much, but in general you need to ID yourself and give the value, at which time the info used could be replayed. Also, those in control the ID databases have to be trusted that their employees/contractors/outsourcers won't somehow steal or otherwise lose control of the data, something we see all the time with sensitive financial and medical records. If you break my password at one site today (such as a data loss or other phishing scam, etc.), you don't get access to all my accounts like you would through SSO.
Don't get me wrong, I like SSO in general, but I think "universal SSO" is extremely unlikely. There are control issues, liability issues, risk management issues and just plain old competitor cooperation issues.
David -------------------------------------------------------------------------Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Re: OpenID and the web, (continued)
- Re: OpenID and the web David Wall (Mar 25)
- Message not available
- Re: OpenID and the web David Wall (Mar 25)
- Message not available
- Re: OpenID and the web David Wall (Mar 25)
- Re: OpenID and the web Adrian Migraso (Mar 25)
- Re: OpenID and the web Eric Marden (Mar 26)
- Re: OpenID and the web Babu.N (Mar 26)
- Re: OpenID and the web Razi Shaban (Mar 27)
- Re: OpenID and the web Jeff Robertson (Mar 27)
- RE: OpenID and the web Calderon, Juan Carlos (GE, Corporate, consultant) (Mar 27)
- Re: OpenID and the web Lucas Oman (Mar 27)
- Re: OpenID and the web Razi Shaban (Mar 27)
- Re: OpenID and the web Babu.N (Mar 26)
- Re: OpenID and the web David Wall (Mar 27)
- Re: OpenID and the web Jeremiah Cornelius (Mar 27)
- RE: OpenID and the web Chris Grove (Mar 28)
- Re: OpenID and the web baldr (Mar 27)