Identity 2.0 Security

Sat, 18 Aug 2007 07:41:22 GMT

A couple of months ago I was invited by InformIT to write an article on Identity 2.0 Security. I am generally interested in this subject, so I decided to give it a try. The result is Identity 2.0: How Attackers Break into Identity-centric Services, which was published yesterday. For those who don't know what Identity 2.0 means, check the following video from Dick Hardt, who was my personal inspiration to get involved in this subject.

Funnily enough, Dick has responded to the above article with Identity 2.0 is insecure?. In his post he offers some interesting insights into where Identity 2.0 is going security-wise. Apart from that, there is a lot more one can say about security in the Web2.0/Identity2.0 world. We are really just at the beginning. I hope that in the following months I will be able to show my vision of the security problems concerning Web2.0 technology.

Dick Hardt
Looking forward to you joining the conversation! The more security related analysis we have of Identity 2.0 at this point, the better it will be.
pdp
happy to hear that :)
Ronald van den Heetkamp
This is the same as OpenID if I am not mistaken? If so, Single Sign-on is a terrible idea. You can't make life easier on the net. It's contradicting security. Sure it will happen, it already has. But it scares me.
pdp
Ronald, OpenID is not that bad an idea. However, it will take some time for the majority of users to learn how to use it effectively and, moreover, securely. This is the main concern with OpenID, but otherwise it will be one of the best things that have happened to the Web.
Ronald
No, I have to disagree, it's like saying: buy this lock, it's safer. I think it's a sad fact that security just doesn't exist. It's a myth, and a bad nightmare. In the end that user will step into a snare one way or the other. Almost no one pays attention to what those fools at Google are doing. They already have a single sign-on, and anyone with too much free time already knows that I can access any Google service of a user if he happens to visit my CSRF iframe and happens to be logged in to only one of them. I discovered that GMail, Adsense, Adwords, Analytics are still vulnerable to a critical degree. One cookie to rule them all, now that's a great idea. And yeah, teaching the user might be the biggest hurdle. Phishing will never stop because of the fact that you have to think like a conman in order not to be conned. Hence, that's why people still fall for those Nigerian money letter fools.
pdp
Ronald, no, you are absolutely right, but single sign-on mechanisms solve a huge problem. With the advances in Web2.0 technology it makes no sense to register for each service out there. It is ridiculous. Imagine that you had to type a separate username/password for every application you use on your desktop. So yes, although identity-centric systems can be hacked, and I doubt that we are ever going to find the right balance, they are a lot better than what we have at the moment, which is total chaos.
Ronald
Yeah, I always wonder what we try to solve here. OpenID only solves the strain of memorizing multiple passwords. But it doesn't solve a security issue, it might even weaken it. What if the sysadmin of OpenID has a password like this: qwerty123. Okay maybe not, but maybe he has it stored inside his GMail account, or uses the same pass for a forum.
pdp
Sure, you are right. But when we use OpenID then we can afford to secure it as much as possible. I don't mind using keyfobs in this case. Two-factor authentication with a one-time password is considered a pretty secure authentication mechanism. However, without OpenID we cannot even start thinking of using this for every site out there. It makes no sense. What I would like to suggest is the following: let's stick to OpenID, but we need to add some enhancements to the browser. For example, the browser detects when we use OpenID for the sites we visit and automatically forces HTTPS. If HTTPS is not available then it just gives up with a 404 message or whatever. Now, this won't prevent XSS or CSRF, but it is a good start. Put the one-time password thing on top and we have a system that scales well and is a lot more secure than what we have today.
Ronald
Yes, that is true. In the end the internet was never designed to perform the stuff everyone demands. Even authentication and identification schemes were only designed for accessing certain restricted areas on a server. So basically we try to let this Oldsmobile (the net) perform in an F1 Grand Prix. And I figured we need to build a new racecar. Or quit joining a grand prix and go back to plain text.
pdp
Yes, but plain text is not cool, so we are stuck with the Oldsmobile. :) Maybe we can compete in an F1 Grand Prix, but let's at least make it a convertible.
Ronald
haha yes you beat me there. ^^