Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: OpenID. The future of authentication on the web?
From: Kern <timetrap () gmail com>
Date: Sun, 23 Mar 2008 12:49:09 -0400

OpenID represents (at least to the OSS world) the unified login structure
that has been the proprietary advantage of Microsoft for so long.  This will
be an excellent technology for business to use internally (who control their
own servers and services).  It allows the capabilities of Single Sign On
(SSO)to find a wider audience.

I did use OpenID for a few services  . . . it was nice, but I began to worry
about outages on the OpenID server.  If that server goes down, I may not be
able to log on to anything.  But in response to the previous statement:

In general, I am opposed to anything that encourages people to use the same
id and password across multiple domains.  The potential for complete
compromise of everything you have/own/are is too great.


In part I do agree. SSO can be dangerous, but it can also benefit the end
user. As an example: I have 15 websites that I use; banking, gmail, forums,
etc. Many people ALREADY have ONE or TWO password and user name combinations
for all of these websites.  If there is a compromise in the database of a
forum that I use, the recipients of this data now have my bank account login
as well as many other valid logins.

From my understanding this scenario would not be possible with OpenID, all
of the password hashes on stored on the OpenID servers, not in separate
databases on each website that I access.  But now because of the lack of a
unified auditing (OpenID keeps track of the authentication attempts) and my
inability to change passwords on all of the sites that I access at the same
time, I have to go to every web site that I access and change my user name
and password.

As far as the general public is concerned . . . I would recommend it in
limited use cases until the technology becomes more distributed and mature.
 The reliance of "One Login to Rule Them All" can be very dangerous.

Ideally the best way to go about this would be to create a replication
system (like DNS or USENET) where an update on one server is then made
available to all servers connected to the OpenID network (that network,
being worldwide, and moving transparently across political and business
borders).  But then OpenID, can become a means to control access to
services. Imagine worst case scenarios ; Rouge OpenID servers, Governments
denying access to seditious users, Identity theft on a grand scale, etc.

That being said; these scenarios (and many more) will keep Full Disclosure
and Computer Security Experts in business for a long long time.

As computers move away from a standalone platform and towards an always
networked application interface, we will need this OpenID model.  But it
needs a lot of work, and a lot of field testing.

--Joseph Kern

On Sun, Mar 23, 2008 at 11:50 AM, Paul Schmehl <pauls () utdallas edu> wrote:
--On Sunday, March 23, 2008 5:18 AM -0700 Steven Rakick

<stevenrakick () yahoo com> wrote:

Hello list,

I'm curious what the group thinks about the recent
surge in support for OpenID across the web and the
impact it will have.

1) Beemba - http://www.beemba.com
2) ClaimID - http://www.claimid.com
3) MyOpenID - http://www.myopenid.com
4) Many others...

These sites are gaining in popularity quickly and with
the announcements of support from big players Yahoo,
AOL, Microsoft and Google, combined with smaller
web2.0 celeb-run sites like Digg, OpenID appears to
what will eventually be the norm.

Thoughts?


In general, I am opposed to anything that encourages people to use the
same
id and password across multiple domains.  The potential for complete
compromise of everything you have/own/are is too great.

Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]