Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

Re: OpenID and the web
From: David Wall <dwall () yozons com>
Date: Thu, 27 Mar 2008 08:30:37 -0700


Yes, it is difficult to configure it for supporting sites.
But it does save us from registering at multiple webistes & remembering the passwords of each of them.
Single sign-on only is truly useful if nearly all sites adopt it, unfortunately. After all, I have a Password Safe file that contains 225 entries now (many are business-related, but many are for the various personal sites I'm registered at). If 25 sites adopt a common SSO, I'd still have 200 entries, meaning I'd still need/use Password Safe (or other password manager, which is really extremely useful and easy to use and allows me to effectively remember all passwords by only remembering one good pass phrase that never is shared with anybody). If they all adopted, then I wouldn't need it, which would be awesome, but seems unlikely to happen, and of course there are passwords I have to "remember" that are not for web sites.
Also, isn't entering the pseudo-random numbers subject to MITM with replay attack? I've not researched it much, but in general you need to ID yourself and give the value, at which time the info used could be replayed. Also, those in control the ID databases have to be trusted that their employees/contractors/outsourcers won't somehow steal or otherwise lose control of the data, something we see all the time with sensitive financial and medical records. If you break my password at one site today (such as a data loss or other phishing scam, etc.), you don't get access to all my accounts like you would through SSO.
Don't get me wrong, I like SSO in general, but I think "universal SSO" is extremely unlikely. There are control issues, liability issues, risk management issues and just plain old competitor cooperation issues. 

David

-------------------------------------------------------------------------
Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]