WebApp Sec mailing list archives
Re: OpenID and the web
From: "Pete Jansson" <pmjansson () gmail com>
Date: Thu, 27 Mar 2008 13:01:49 -0400
On Thu, Mar 27, 2008 at 7:47 AM, Razi Shaban <razishaban () gmail com> wrote:
On 3/27/08, Babu.N <babun () intoto com> wrote: > > Yes, it is difficult to configure it for supporting sites. > > But it does save us from registering at multiple webistes & > remembering the passwords of each of them. It also makes it that much simpler for a malicious user to gain access to every account you have after getting the password for only one. If you use a different account name and password at every single website, then if one account is compromised then all your other accounts are safe.
Almost nobody does that in practice, though, because most people still manage their account names and passwords in their heads, and can't remember too many different account names and passwords. The case of a person who meticulously uses unique account names and passwords is sufficiently rare that engineering to that case would present either substantially decreased usability or substantially increased risk (the risk would rise as users worked around the unique account name/password "problem"). Engineering should take account of the actual user population. Now, given the typical population, a single-sign on such as OpenID might present an opportunity to a malicious user, but it also provides the owner of the OpenID with one-stop-shopping for revoking the password and limiting the damage. Again, given the typical user, who, statistically, will make poor password choices, the recovery benefit may outweigh the compromise risk. Additionally, there would be nothing to prevent a user from having multiple OpenIDs. OpenID providers should have different levels of service with different authentication strengths -- from username/password to tokens, or whatever. Then the user can use their choice of OpenID with a particular account, making the choice based on the strength of authentication vs. the risk of the account. (I'm not sure if I really care whether someone gets my Slashdot comment account, but I would care about them having my Amazon One-Click account [if I weren't too paranoid to One-Click].) The other issue here is that session-level authentication still leaves exposure to MITM attacks, if the session credential is replayable. Web apps should be requiring secondary authentication for sensitive transactions, even when the user has already authenticated. (Amazon and Yahoo! do this.) There ought to be some mechanism for the site and OpenID to recognize that a new authentication is required for a particular transaction. Does anyone know if OpenID does this? I've got some reading to do. Pete. ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Re: OpenID and the web, (continued)
- Re: OpenID and the web Eric Marden (Mar 26)
- Re: OpenID and the web Babu.N (Mar 26)
- Re: OpenID and the web Razi Shaban (Mar 27)
- Re: OpenID and the web Jeff Robertson (Mar 27)
- RE: OpenID and the web Calderon, Juan Carlos (GE, Corporate, consultant) (Mar 27)
- Re: OpenID and the web Lucas Oman (Mar 27)
- Re: OpenID and the web Razi Shaban (Mar 27)
- Re: OpenID and the web Babu.N (Mar 26)
- Re: OpenID and the web David Wall (Mar 27)
- Re: OpenID and the web Jeremiah Cornelius (Mar 27)
- RE: OpenID and the web Chris Grove (Mar 28)
- Re: OpenID and the web Eric Marden (Mar 26)
- Re: OpenID and the web baldr (Mar 27)