Full Disclosure mailing list archives
Re: OpenID. The future of authentication on the web?
From: Steven Rakick <stevenrakick () yahoo com>
Date: Mon, 24 Mar 2008 07:43:27 -0700 (PDT)
Let's be realistic here. It's not about the technical feasibility, it's about an open standard people trust and have bought into. This is what Information Cards are in my mind, much the same as OpenID. Sure you could go out and create an extension to serve the same purpose in your own way, but who would trust it? I mean PDP is known for JavaScript port scanning via XSS (I know you've done more but...), not authentication.

My point is simple. With OpenID + Information Cards much of the security concerns/weaknesses (phishing, password theft/loss) around OpenID as a protocol are addressed. Sure you still have to trust the provider (or write your own), but the implementation can be secure, open and publicly accessible using currently available and supported web technologies. Beemba and MyOpenID currently do this.

BTW, Firefox 3 will have support for Information Cards by default and an extension is available for Firefox 2 at Codeplex.

-sr

On Mon, Mar 24, 2008 at 5:25 AM, Petko D. Petkov <pdp.gnucitizen () googlemail com> wrote:
Let's put it this way, it is easy to prevent phishing attacks against OpenID on the client-side with browser extensions. In fact, I think that Firefox will make this feature a default in their upcoming versions. It could work exactly the same as the current trusted certificate authorities every single web browser comes with. You will have a list of trusted OpenID provider domains which are also cross-matched with their SSL certificates and URLs. Done!

If Firefox is not planning to implement this feature, heck I will code it myself. This is a hello world XUL extension.

pdp

On Sun, Mar 23, 2008 at 11:16 PM, Steven Rakick <stevenrakick () yahoo com> wrote:
Many of you have brought up that OpenID is vulnerable to phishing and have highlighted weaknesses specific to traditional username/password authentication. This was the main reason I brought up Information Cards in my original post.

I've noticed that Beemba (http://www.beemba.com) and MyOpenID (http://www.myopenid.com) have both implemented Information Cards as an authentication option. Good idea?

It seems to me that if you were to rely on Information Cards as opposed to username/password the phishing angle is mitigated. Is this not the case?

-sr
_______________________________________________ Full-Disclosure - We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia -
http://secunia.com/
--
Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters
gnucitizen.org | hakiri.org | spinhunters.org
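As an added illustration of the client-side provider whitelist pdp describes above (example code written for this page, not code from the thread, from Firefox, or from any Information Cards implementation): a check that accepts an OpenID provider URL only if it is HTTPS, carries no userinfo, matches a whitelisted hostname exactly, and presents the certificate fingerprint pinned for that host. The provider list, fingerprints and URLs are constructed sample values.

```javascript
// Constructed sample whitelist: hostnames of OpenID providers the user trusts,
// each pinned to a hypothetical SHA-256 certificate fingerprint (hex). Real
// fingerprints would come from the provider's actual certificate.
const TRUSTED_PROVIDERS = [
  { host: 'www.myopenid.com', certSha256: 'aa'.repeat(32) },
  { host: 'beemba.com', certSha256: 'bb'.repeat(32) },
];

// Decide whether a redirect to `rawUrl`, served with a certificate whose
// SHA-256 fingerprint is `presentedCertSha256`, goes to a trusted provider.
// Returns { ok, reason } so a UI can explain why a login page was blocked.
function checkProviderUrl(rawUrl, presentedCertSha256, trusted = TRUSTED_PROVIDERS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reason: 'unparseable-url' };
  }
  // Cross-matching against the SSL certificate only makes sense over HTTPS.
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'not-https' };
  }
  // "https://www.myopenid.com@other.host/" parses with the trusted name as
  // userinfo; the real host is whatever follows the '@'. Reject outright.
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'userinfo-in-url' };
  }
  // The URL parser lower-cases the host and encodes IDN labels as punycode,
  // so a look-alike domain cannot match an ASCII whitelist entry exactly.
  const host = url.hostname.replace(/\.$/, '');
  const entry = trusted.find((p) => p.host === host);
  if (entry === undefined) {
    return { ok: false, reason: 'untrusted-host' };
  }
  // Pinning: the presented certificate must be the one recorded for this host.
  if (presentedCertSha256.toLowerCase() !== entry.certSha256.toLowerCase()) {
    return { ok: false, reason: 'cert-mismatch' };
  }
  return { ok: true, reason: 'trusted', host };
}
```

A browser-side implementation would call this with the fingerprint of the certificate the connection actually presented, which a page script cannot see; that is why the check belongs in an extension.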