Comments on: OpenID - A Security Story

By: A Brief Analysis of OpenID at Jon’s View

A Brief Analysis of OpenID at Jon’s View — Thu, 31 Jul 2008 05:09:13 +0000

[...] http://www.gnucitizen.org/blog.....ity-story/ [...]

By: Hijacking OpenID enabled Accounts » Inking’s Security Blog

Hijacking OpenID enabled Accounts » Inking’s Security Blog — Mon, 04 Feb 2008 02:28:56 +0000

[...] has been a long time since I last spoke about OpenID. Today I would like to draw your attention to a tiny problem, which I found among [...]

By: Hijacking OpenID enabled Accounts | GNUCITIZEN

Hijacking OpenID enabled Accounts | GNUCITIZEN — Sun, 03 Feb 2008 16:08:52 +0000

[...] OpenID enabled Accounts published: February 3rd, 2008 It has been a long time since I last spoke about OpenID. Today I would like to draw your attention to a tiny problem, which I found among [...]

By: mario

mario — Wed, 29 Aug 2007 19:00:07 +0000

OpenID is not an authentication protocol. It is meant solely for homepage URL verification. It’s not user-friendly and was never meant as generic login scheme for the web. It restricts itself to the technical experienced, so you can practically rule out phishing scams. The other security gaps might be troublesome, but hey, I see you are running Wordpress anyhow…

By: OpenID security issues » Ruby on Rails Security Blog

OpenID security issues » Ruby on Rails Security Blog — Mon, 27 Aug 2007 11:15:22 +0000

[...] more general article about OpenID security issues can be found on GNUCITIZEN. « RedCloth security thoughts | [...]

By: pdp

pdp — Tue, 21 Aug 2007 13:12:02 +0000

Ronald, I see what u mean. However, I would rather not start with certificates and stuff. It will make it too damn difficult to work it. I cannot see this happening. Moreover, Web2.0 mashups wont fit into tis model. There must be something else… or maybe not. Maybe the Web is just screwed up from day one and this is how it will remain forever.

By: Ronald

Ronald — Tue, 21 Aug 2007 13:03:27 +0000

Indeed PDP, that is the biggest problem. Because the end-user is at risk here not the site owner persee. And I’ve pondered this question for a long time. Preventing it from happening in the browser is next to impossible. If we sitch to a different browser model we could potentially solve it.

I have ideas, but they are only ideas.

One of them is to sign all external content that is being requested. If it’s unsigned it fails to load and thereby it prevents CSRF minimaly. The thing is, how do you sign it? if the browser must sign it, it must know the sites key. And there you have a key management problem.

Another idea is to disallow any Javascript inclusion below the head tag -which is the toughest to control in case of an XSS- therby making sure all Javascript inclusions are only done in the head, and they may not be dymanically be altered: so signing them is an option.

So I have a couple of hints & clues, no absolute awnser. There is a lot to be investigated in this area.

By: pdp

pdp — Mon, 20 Aug 2007 15:43:52 +0000

Gareth, yes of course, but what I meant is preventing CSRF on browser level… otherwise we relay on the external site getting their security model right.

By: Gareth Heyes

Gareth Heyes — Mon, 20 Aug 2007 15:38:51 +0000

@pdp

CSRF can be secured with form tokens and random page names. If the attacker doesn’t know what the script is called then he can’t perform a CSRF.

By: Identity 2.0 » Blog Archive » OpenID - A Security Story

Identity 2.0 » Blog Archive » OpenID - A Security Story — Mon, 20 Aug 2007 13:46:26 +0000

[...] rest is here: OpenID - A Security Story Identity [...]

By: pdp

pdp — Mon, 20 Aug 2007 12:53:48 +0000

Jordan, yes preventing CSRF is not an easy task. I personally don’t know how this can be secured at browser level. Therefore, we need to relay on the remote website being responsible enough to take the necessary actions. The script you’ve provided is good but I was thinking is for the browser having the ability to detect the OpenID provider and force it in there.

Gareth, yes OpenID systems are full of CSRF today. It is not even funny. I don’t know what developers were thinking when developing these systems. Thanks for the link.

By: Gareth Heyes

Gareth Heyes — Mon, 20 Aug 2007 12:20:14 +0000

I did a bit of OpenID security testing and I found many providers open to CSRF attacks. I found a exploit against MyOpenID and helped many others fix their problems. But I’m still not confident in OpenID security and providers need to up their game if it is to be ever considered for real world usage.

My exploit can be found here, if anyone finds it interesting:-
http://www.thespanner.co.uk/20.....ty-issues/

By: Jordan

Jordan — Mon, 20 Aug 2007 12:03:07 +0000

I imagine a variant of this greasemonkey script would work:

http://userscripts.org/scripts/show/1404

At least for forcing HTTPS. CSRF against identity provider domain requires a bit more thought. For example — aren’t the open id pictures stored on their domain? And surely we want to allow linking to the domain in general. Separating out which requests are potentially malicious CSRF would require all “action” urls to be obvious on the domain. To be honest, I haven’t looked at Open ID yet to know whether that’s the case.