Full Disclosure mailing list archives

Re: OpenID. The future of authentication on the web?


From: "Petko D. Petkov" <pdp.gnucitizen () googlemail com>
Date: Mon, 24 Mar 2008 15:15:53 +0000

comments inlined

On Mon, Mar 24, 2008 at 2:43 PM, Steven Rakick <stevenrakick () yahoo com> wrote:
> Let's be realistic here. It's not about the technical feasibility, it's
> about an open standard people trust and have bought into. This is what
> Information Cards are in my mind, much the same as OpenID.
>
> Sure you could go out and create an extension to serve the same purpose
> in your own way, but who would trust it? I mean PDP is known for
> JavaScript port scanning via XSS (I know you've done more but...), not
> authentication.


What do you mean by saying "not authentication", and how is that related
to the topic? And why wouldn't you trust it? :) Do you code everything
yourself so that you trust it? I am just curious to understand what you
mean, that's all.


> My point is simple. With OpenID + Information Cards much of the security
> concerns/weaknesses (phishing, password theft/loss) around OpenID as a
> protocol are addressed. Sure you still have to trust the provider (or
> write your own), but the implementation can be secure, open and publicly
> accessible using currently available and supported web technologies.
> Beemba and MyOpenID currently do this.
>
> BTW, Firefox 3 will have support for Information Cards by default and an
> extension is available for Firefox 2 at Codeplex.
>
> -sr

> On Mon, Mar 24, 2008 at 5:25 AM, Petko D. Petkov
> <pdp.gnucitizen () googlemail com> wrote:
>
> > Let's put it this way,
> >
> > It is easy to prevent phishing attacks against OpenID on the
> > client-side with browser extensions. In fact, I think that Firefox
> > will make this feature a default in their upcoming versions. It could
> > work exactly the same as the current trusted certificate authorities
> > every single web browser comes with. You will have a list of trusted
> > OpenID provider domains which are also cross-matched with their SSL
> > certificates and URLs. Done!
> >
> > If Firefox is not planning to implement this feature, heck I will code
> > it myself. This is a hello world XUL extension.
> >
> > pdp
> >
> >
> > On Sun, Mar 23, 2008 at 11:16 PM, Steven Rakick
> > <stevenrakick () yahoo com> wrote:
> > > Many of you have brought up that OpenID is vulnerable to phishing
> > > and have highlighted weaknesses specific to traditional
> > > username/password authentication.
> > >
> > > This was the main reason I brought up Information Cards in my
> > > original post. I've noticed that Beemba (http://www.beemba.com) and
> > > MyOpenID (http://www.myopenid.com) have both implemented Information
> > > Cards as an authentication option.
> > >
> > > Good idea?
> > >
> > > It seems to me that if you were to rely on Information Cards as
> > > opposed to username/password the phishing angle is mitigated. Is
> > > this not the case?
> > >
> > > -sr
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > --
> > Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters
> > gnucitizen.org | hakiri.org | spinhunters.org









-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org


