WebApp Sec: RE: OpenID and the web

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

RE: OpenID and the web

From: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon () ge com>
Date: Thu, 27 Mar 2008 11:31:03 -0400

Unfortunately another drawback is that SSO (in general) makes XSRF even
more dangerous as logging in one malicious site or if you have a Trojan
might compromise your data in several others sites and open the door to
a chain reaction similar to the XSS worm for Myspaces.

However SSO is a need for many people that anyway use password recycling
to obtain the "same effect".

If well used SSO could be beneficial as you can learn one single strong
password than dozens of easy-to-remember. 

Notice the "if well used" at the beginning of the statement "there is no
patch for stupidity"

Regards,
Juan Carlos Calderon

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Razi Shaban
Sent: Jueves, 27 de Marzo de 2008 05:47 a.m.
To: Babu.N
Cc: Eric Marden; webappsec () securityfocus com
Subject: Re: OpenID and the web

On 3/27/08, Babu.N <babun () intoto com> wrote:


 Yes, it is difficult to configure it for supporting sites.

 But it does save us from registering at multiple webistes &  
remembering the passwords of each of them.

It also makes it that much simpler for a malicious user to gain access
to every account you have after getting the password for only one.

If you use a different account name and password at every single
website, then if one account is compromised then all your other accounts
are safe.

--
Razi

------------------------------------------------------------------------
-
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment With the
rapid rise in the number and types of security threats, web application
security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed?
What tools can accelerate the assessment process? Download this
Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
------------------------------------------------------------------------
-

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be
considered a crucial phase in the development of any web application. What methodology should be followed? What tools
can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

By Date By Thread

Current thread:

Re: OpenID and the web, (continued)
- Re: OpenID and the web Adrian Migraso (Mar 25)
- Re: OpenID and the web Eric Marden (Mar 26)
  - Re: OpenID and the web Babu.N (Mar 26)
    - Re: OpenID and the web Razi Shaban (Mar 27)
    - Re: OpenID and the web Jeff Robertson (Mar 27)
    - RE: OpenID and the web Calderon, Juan Carlos (GE, Corporate, consultant) (Mar 27)
    - Re: OpenID and the web Lucas Oman (Mar 27)
    - Re: OpenID and the web Razi Shaban (Mar 27)
    - Re: OpenID and the web David Wall (Mar 27)
    - Re: OpenID and the web Jeremiah Cornelius (Mar 27)
    - RE: OpenID and the web Chris Grove (Mar 28)