WebApp Sec
mailing list archives
Re: OpenID and the web
From: David Wall <dwall () yozons com>
Date: Tue, 25 Mar 2008 14:09:02 -0700
> I think you'll see more OpenID support than Passport and Lib
> Alliance. Check http://openiddirectory.com/ for some of the sites and
> providers. Also, check out Verisign labs (http://pip.verisignlabs.com).

Let's hope so since there was no widespread adoption of the prior ones.

> A nice, easy, multi-factor solution for using OpenID is to use the
> Verisign provider and a PayPal security key. When you log in to an
> OpenID enabled site, you'll go to the Verisign site and have to log in
> with the security key.

Sounds fine, but who's really going to adopt the key so it's more
meaningful than for PayPal/eBay users, few of whom really care whether
there's a key or not to sell their collectible cards or other used trinkets.

> An argument for OpenID with clients is that they are not responsible
> for authentication, Verisign or an authorized provider is now
> responsible for authentication. And the 2 factor authentication now
> can be used at my clients website for a $5 PayPal key.

I see that this would be useful to me as a web site that would like to
have such authentication for "free," but why would Verisign/PayPal want
to do such authentication for others for free? Can they sell
advertising for an authentication check, or will they attempt to charge
using companies in the future for such checks? It may even lead to
litigation, despite contract terms, that suggest if they "vouch" for the
authentication that they'll somehow be blamed for the scam.

And it seems that scammers will just use phishing sites to collect this
info, and then use the same two factors to try to scam the real web site
-- as long as they do it within 30 seconds, a time that's reasonable for
any electronic scam (there's no need to pause).

I've not heard of anybody actually using the $5 PayPal key. It's not
to say nobody does, just the original question was about any uptake
we've seen, and I simply replied that we've not seen any, nor have any of
our customers/users requested it (yet).
David