WebApp Sec mailing list archives
RE: OpenID and the web
From: "Chris Grove" <cgrove () imperva com>
Date: Thu, 27 Mar 2008 16:02:05 -0700
I'm my opinion, SSO works best for companies that have many disconnected internal applications and want to make password management easier for its internal users. SSO is generally installed on the webservers and app servers, and checks to see who the logged in user is, than applies the appropriate credentials for the requested resource. Storing passwords locally for use with separate websites gives the user the 'feeling' of SSO, but in my opinion is not truly SSO. I would consider that more of a password replay application... Regards, Chris Grove, CISSP, NSA-IAM Professional Services Consultant +1 (813) 508-8591 Mobile cgrove () imperva com http://iMPERVA.com -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David Wall Sent: Thursday, March 27, 2008 11:31 AM To: Babu.N Cc: Eric Marden; webappsec () securityfocus com Subject: Re: OpenID and the web
Yes, it is difficult to configure it for supporting sites. But it does save us from registering at multiple webistes & remembering the passwords of each of them.
Single sign-on only is truly useful if nearly all sites adopt it, unfortunately. After all, I have a Password Safe file that contains 225 entries now (many are business-related, but many are for the various personal sites I'm registered at). If 25 sites adopt a common SSO, I'd still have 200 entries, meaning I'd still need/use Password Safe (or other password manager, which is really extremely useful and easy to use and allows me to effectively remember all passwords by only remembering one good pass phrase that never is shared with anybody). If they all adopted, then I wouldn't need it, which would be awesome, but seems unlikely to happen, and of course there are passwords I have to "remember" that are not for web sites. Also, isn't entering the pseudo-random numbers subject to MITM with replay attack? I've not researched it much, but in general you need to ID yourself and give the value, at which time the info used could be replayed. Also, those in control the ID databases have to be trusted that their employees/contractors/outsourcers won't somehow steal or otherwise lose control of the data, something we see all the time with sensitive financial and medical records. If you break my password at one site today (such as a data loss or other phishing scam, etc.), you don't get access to all my accounts like you would through SSO. Don't get me wrong, I like SSO in general, but I think "universal SSO" is extremely unlikely. There are control issues, liability issues, risk management issues and just plain old competitor cooperation issues. David ------------------------------------------------------------------------ - Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F ------------------------------------------------------------------------ - ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Re: OpenID and the web, (continued)
- Re: OpenID and the web Adrian Migraso (Mar 25)
- Re: OpenID and the web Eric Marden (Mar 26)
- Re: OpenID and the web Babu.N (Mar 26)
- Re: OpenID and the web Razi Shaban (Mar 27)
- Re: OpenID and the web Jeff Robertson (Mar 27)
- RE: OpenID and the web Calderon, Juan Carlos (GE, Corporate, consultant) (Mar 27)
- Re: OpenID and the web Lucas Oman (Mar 27)
- Re: OpenID and the web Razi Shaban (Mar 27)
- Re: OpenID and the web Babu.N (Mar 26)
- Re: OpenID and the web David Wall (Mar 27)
- Re: OpenID and the web Jeremiah Cornelius (Mar 27)
- RE: OpenID and the web Chris Grove (Mar 28)
- Re: OpenID and the web baldr (Mar 27)