Re: OpenID and the web

["Pete Jansson" <pmjansson () gmail com>]

On Thu, Mar 27, 2008 at 7:47 AM, Razi Shaban <razishaban () gmail com> wrote:
> On 3/27/08, Babu.N <babun () intoto com> wrote:
>  >
>  >  Yes, it is difficult to configure it for supporting sites.
>  >
>  >  But it does save us from registering at multiple webistes &
>  >  remembering the passwords of each of them.
>
>  It also makes it that much simpler for a malicious user to gain access
>  to every account you have after getting the password for only one.
>
>  If you use a different account name and password at every single
>  website, then if one account is compromised then all your other
>  accounts are safe.

Almost nobody does that in practice, though, because most people still
manage their account names and passwords in their heads, and can't
remember too many different account names and passwords.  The case of
a person who meticulously uses unique account names and passwords is
sufficiently rare that engineering to that case would present either
substantially decreased usability or substantially increased risk (the
risk would rise as users worked around the unique account
name/password "problem").  Engineering should take account of the
actual user population.

Now, given the typical population, a single-sign on such as OpenID
might present an opportunity to a malicious user, but it also provides
the owner of the OpenID with one-stop-shopping for revoking the
password and limiting the damage.  Again, given the typical user, who,
statistically, will make poor password choices, the recovery benefit
may outweigh the compromise risk.

Additionally, there would be nothing to prevent a user from having
multiple OpenIDs.  OpenID providers should have different levels of
service with different authentication strengths -- from
username/password to tokens, or whatever.  Then the user can use their
choice of OpenID with a particular account, making the choice based on
the strength of authentication vs. the risk of the account. (I'm not
sure if I really care whether someone gets my Slashdot comment
account, but I would care about them having my Amazon One-Click
account [if I weren't too paranoid to One-Click].)

The other issue here is that session-level authentication still leaves
exposure to MITM attacks, if the session credential is replayable.
Web apps should be requiring secondary authentication for sensitive
transactions, even when the user has already authenticated.  (Amazon
and Yahoo! do this.)  There ought to be some mechanism for the site
and OpenID to recognize that a new authentication is required for a
particular transaction.  Does anyone know if OpenID does this?  I've
got some reading to do.

       Pete.

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------