Blogger: Bob Blakley
At Catalyst North America in San Francisco, I noted in my “New-School Identity Systems” talk that OpenID does not define the relationship between usernames and the names of the OpenID servers which authenticate the owners of those usernames. I went on to predict that this would cause security problems.
A number of participants came up to me after the presentation and assured me that I was wrong, and that the lack of a defined set of trust anchor names and a defined set of rules for which portions of the user namespace each trust anchor was responsible for doesn’t create security issues with OpenID.
They were wrong and I was right; Eugene and Vlad Tsyrklevitch give details of the attacks I predicted in this paper from Black Hat 2007. Their “Step 2” and “Step 4” attacks are precisely the sorts of things I’ve been expecting to see. Thanks to Pamela Dingle for pointing me to the text of the paper, which I’d heard of but not seen until this morning. There’s an accompanying presentation here.
Great job on the OpenID writeup - the concerns you specified are very real and I agree that this technology is on the right track but still needs to mature a bit.
It will be somewhat difficult to come up with an acceptable method for Internet SSO - usually an in-house scenario makes use of an RSA token or other similar tool to provide much stronger authentication and verification of identify.
In this case, perhaps something along the lines of a "sign-in seal" on the OpenID site would be beneficial in providing an anti-phishing mechanism to protect online subscribers. This is only one piece of the puzzle as the other concerns you mentioned - specifically the WHAT users are allowed access to would still need to be solved.
JV.
www.securasys.net
"Information Security Solutions for an ever changing business environment"
Posted by: Jesse | September 19, 2007 at 09:39 AM