Comments on: Identity 2.0 Security

By: OpenID provides a better security model | GNUCITIZEN

OpenID provides a better security model | GNUCITIZEN — Mon, 24 Mar 2008 12:25:25 +0000

[...] OpenID is and why it could turn a bit insecure. You can read more about this over here, here and here. Today, I would like to draw your attention on why I believe that OpenID based authentication is a [...]

By: Ronald

Ronald — Wed, 22 Aug 2007 15:09:16 +0000

haha yes you beat me there. ^^

By: pdp

pdp — Tue, 21 Aug 2007 21:06:52 +0000

yes, but plain text is not cool so we are stuck with the oldsmobile. :) maybe we can compete on F1 Grand prix but let’s make it at least convertible.

By: Ronald

Ronald — Tue, 21 Aug 2007 20:53:27 +0000

Yes that is true.

In the end the internet was never designed to perform the stuff everyone demands. Even authentication and identification schemes were only designed for accessing certain restricted areas on a server.

So basically we try to let this oldsmobile (the net) perform a F1 Grand prix.

And I figured we need to build a new racecar. Or quit joining a grand prix and go back to plain text.

By: pdp

pdp — Tue, 21 Aug 2007 20:02:00 +0000

sure, you are right. But when we use OpenID then we can afford to secure it as much as possible. I don’t mind using keyfobs in this case. Two factor authentication with one-time password is considered pretty secure authentication mechanism. However, without OpenID we cannot even start thinking using this for every site out there. It makes no sense.

What I would like to suggest is the following: Let’s stick to OpenID but we need to add some enhancements to the browser. For example, the browse detects when we use OpenID for the sites we visit and automatically forces HTTPS. If HTTPS is not available then it just gives up with 404 message or whatever. Now, this won’t prevent XSS or CSRF but it is a good start. Put the one-time password thing on the top and we have a system that scales well and it is a lot more secure then what we have today.

By: Ronald

Ronald — Tue, 21 Aug 2007 19:53:44 +0000

Yeah,

I always wonder what we try to solve here. OpenID only solves the strain of memorizing multiple passwords. But it doesn’t solve a security issue, it might even weaken it.

What if the sysadmin of OpenID has a password like this: qwerty123. Okay maybe not, but maybe he has it stored inside his GMail account, or uses the same pass for a forum.

By: pdp

pdp — Mon, 20 Aug 2007 20:26:28 +0000

Ronald, no you are absolutely right, but single sign on mechanisms solve a huge problem. With the advances in Web2.0 technology it makes no sense to register for each service out there. It is ridiculous. Imagine that you have to type separate username/password for every application you use on your desktop. So yes, although identity centric system can be hacked, and I doubt that we ever going to find the right balance, there are a lot better then what we have at the moment, which is a total chaos.

By: Ronald

Ronald — Mon, 20 Aug 2007 19:49:17 +0000

No I have to disagree, it’s like saying: buy this lock, it’s safer. I think it’s a sad fact that security just doesn’t exist. It’s a myth, and a bad nightmare. In the end that user will step into a snare one way or the other.

Almost no one pays attention what those fools at Google are doing. They already have a single sign on, and anyone with too much free time, already knows that I can access any Google service of a user if he happens to visit my CSRF Iframe and happens to be logged in only one of them. I discovered that GMail, Adsense, Adwords, Analytics are still vulnerable to a critical degree.

One cookie to rule them all, now that’s a great idea.

And yeah, teaching the user might be the biggest hurdle. Phishing will never stop because of the fact that you have to think like a conman in order not to be conned. Hence, that’s why people still fall for those Nigerian money letter fools.

By: OpenID - A Security Story | GNUCITIZEN

OpenID - A Security Story | GNUCITIZEN — Mon, 20 Aug 2007 10:16:03 +0000

[...] The other day Eugene Tsyrklevich has pinged me about his talk on OpenID security in regards to my article on Identity2.0 security issues that we face today. Eugene has presented an co-authored his research [...]

By: pdp

pdp — Mon, 20 Aug 2007 08:37:40 +0000

Ronald, OpenID is not that bad idea. However, it will take some time for the majority of users to learn how to use it effectively and moreover securely. This is the main concern with OpenID, but otherwise it will be one of the best things that have happened to the Web.

By: Ronald van den Heetkamp

Ronald van den Heetkamp — Sun, 19 Aug 2007 13:28:46 +0000

This is the same as OpenID if I am not mistaken? If so, Single Signon is a terrible idea. You can’t make life easier on the net. It’s contradicting security. Sure it will happen, it already has. But it scares me.

By: pdp

pdp — Sat, 18 Aug 2007 15:59:49 +0000

happy to hear that :)

By: Dick Hardt

Dick Hardt — Sat, 18 Aug 2007 15:50:22 +0000

Looking forward to you joining the conversation! The more security related analysis we have of Identity 2.0 at this point, the better it will be.