OpenID Provides A Better Security Model

Mon, 24 Mar 2008 11:23:20 GMT
by pdp

A couple of posts back I started a conversation on what OpenID is and why it could turn out to be a bit insecure. You can read more about this over here, here and here. Today I would like to draw your attention to why I believe that OpenID-based authentication is a lot more secure than the dispersed, decentralized authentication model we use today.

This post is inspired by a recent discussion on Full-Disclosure which I vividly took part in, supporting OpenID. My sole purpose is to summarize what I have said for future reference and for the convenience of everybody who is interested. Therefore, let me start with a bit of introduction and then follow up with some of the main points of my argument.

First of all, OpenID is a very simple but rather useful technology. With OpenID you have only one account, your ID, which you can use everywhere the OpenID technology is supported. It may not be clear whether this setup is more secure than what we have at the moment (every site forces you to register a unique username/password pair), because it all depends on the user's intentions and how he plans to use his OpenID account, but undoubtedly it is more convenient.

Let's see how convenience works well with security when it comes to OpenID:

Yes, and convenience is often the enemy of security.

Not always. I think complexity is the enemy of security. The simpler the system is, the less chance there is to screw up, and the more secure it is. It is much easier to secure a single port than a class B network, don't you think?

OpenID proves to be quite simple by nature. The actual OpenID authentication process is not simple at all, but once properly implemented it provides a very simple mechanism to identify users without the need to worry about password recovery mechanisms, account lockout, account lockout used as a denial of service attack, user management, password complexity policies, secure authentication and authorization, etc. All of this is handled on the OpenID provider's side. Indeed, with a few lines of PHP or any other language, anyone can now implement a secure login without the hassle.
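To make "properly implemented" concrete, here is an added example (not code from the original post) of the checks a relying party performs on the positive assertion the OpenID provider sends back: the HMAC signature over the fields listed in openid.signed, the return_to and association handle, and the response_nonce so that a captured assertion cannot be replayed. The association key, handle, identifiers and hostnames are constructed placeholders; the provider side is simulated inline so the script runs offline.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed association. In a real deployment the RP and the OP agree on this
# MAC key in the association step; the handle and URLs below are hypothetical.
ASSOC_HANDLE = "demo-assoc-handle"
MAC_KEY = bytes(range(32))                        # constructed 256-bit key for HMAC-SHA256
RETURN_TO = "https://rp.example/openid/return"    # hypothetical RP endpoint
OP_ENDPOINT = "https://op.example/server"         # hypothetical OP endpoint
SIGNED_FIELDS = ("op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity")


def kv_form(params, signed):
    """Key-value form of the signed fields: one 'key:value\\n' line per field,
    in the order listed in openid.signed, with the 'openid.' prefix removed."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode("utf-8")


def compute_sig(params):
    """openid.sig is base64(HMAC(mac_key, kv_form(signed fields)))."""
    signed = params["openid.signed"].split(",")
    mac = hmac.new(MAC_KEY, kv_form(params, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def op_positive_assertion(claimed_id, nonce):
    """Simulated OP response after the user authenticated at the OP (constructed)."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    params["openid.sig"] = compute_sig(params)
    return params


class RelyingParty:
    """RP-side verification. No password ever reaches the RP; it only holds the
    association key and the nonces it has already accepted."""

    def __init__(self, now, max_skew=timedelta(minutes=5)):
        self.now = now                # injected clock so the example is deterministic
        self.max_skew = max_skew
        self.seen_nonces = set()

    def verify(self, p):
        if p.get("openid.mode") != "id_res":
            return "rejected: not a positive assertion"
        if p.get("openid.return_to") != RETURN_TO:
            return "rejected: return_to mismatch"
        if p.get("openid.assoc_handle") != ASSOC_HANDLE:
            return "rejected: unknown association"
        signed = p.get("openid.signed", "").split(",")
        if any(f not in signed for f in SIGNED_FIELDS):
            return "rejected: required field not covered by signature"
        try:
            expected = compute_sig(p)
        except KeyError:
            return "rejected: signed field missing"
        # Constant-time comparison; any tampered signed field changes the kv form.
        if not hmac.compare_digest(expected, p.get("openid.sig", "")):
            return "rejected: bad signature"
        nonce = p["openid.response_nonce"]          # "YYYY-MM-DDThh:mm:ssZ" + unique chars
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(self.now - ts) > self.max_skew:
            return "rejected: stale nonce"
        if nonce in self.seen_nonces:
            return "rejected: replayed assertion"
        self.seen_nonces.add(nonce)
        return "accepted: " + p["openid.claimed_id"]


def demo():
    now = datetime(2008, 3, 24, 11, 23, 20, tzinfo=timezone.utc)
    rp = RelyingParty(now)
    assertion = op_positive_assertion("https://alice.example/", "2008-03-24T11:23:10Zabc123")
    first = rp.verify(assertion)                   # fresh, valid assertion
    replay = rp.verify(assertion)                  # identical message presented a second time
    forged = dict(assertion, **{"openid.claimed_id": "https://bob.example/",
                                "openid.identity": "https://bob.example/"})
    tampered = rp.verify(forged)                   # identity swapped, signature no longer matches
    return first, replay, tampered


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The example deliberately covers only the association-based checks; a complete RP also confirms through discovery that the op_endpoint in the assertion is really authoritative for the claimed identifier, and persists seen nonces for at least the allowed clock skew rather than in memory.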

The more you share the higher the chances for a leak to occur.

Here is an interesting and quite valid comment:

However, with OpenID, all I have to do is figure out how to capture your credentials (which does not require that I compromise OpenID), and I can own everything that you own. At least with the disparate systems we have now you only get those things where I've been foolish enough to use the same credentials. Even then you have to figure out what those systems are. With OpenID I simply try every site that uses OpenID, trivial to do programmatically.

The more you share your secrets - credit card information, usernames, passwords - the higher the chances that this information gets leaked or stolen. We have proved time and time again that people do reuse passwords. Password reuse is a huge problem, and it is due to our inefficiency at memorizing partial information which is not associated with anything substantial. In psychology this is known as the process of anchoring, and if you master how to anchor then you can master memorizing large sets of useless data without getting corrupted sectors in your brain. :) A good start to learn how to do that is to read Derren Brown's book Tricks of the Mind.

On another note, capturing OpenID credentials may not be as easy as it seems. First of all, if the OpenID provider has a valid, authorized SSL certificate, attackers won't be able to see the credentials while they are flying around. One-time passwords in the form of keyfobs, RSA tokens, whatever, are a good mechanism to prevent sniffing attacks: even if the attacker captures these credentials, he/she won't be able to use them again. It is also worth mentioning that carrying one keyfob just for your OpenID provider is a lot easier than having what they call a "keyfob necklace" in order to ensure good security for every single site/system you visit.

Second, let's say that the attacker has access to the machine or the network and he/she can sniff the cookies and as such get access to the OpenID account. Well, some OpenID providers have features where you can configure the account to automatically destroy the session cookie once an OpenID authentication is authorized. The attacker's best chance is to sniff or attack the sites where the user is logging in with OpenID, but any problems associated with external systems are not problems within OpenID, and they exist independently of the authorization/identification mechanism that is supported.
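The "destroy the session cookie once an authentication is authorized" setting mentioned above, as an added example that is not part of the original post and not any real provider's code: a hypothetical provider-side session store in which a login cookie can be configured as single-use, so that a copy of the cookie captured from the network is worthless after the legitimate authorization has been granted. Usernames and relying-party URLs are constructed.

```python
import secrets


class OpenIDProviderSessions:
    """Session store for a hypothetical OpenID provider (constructed example).
    With single_use=True the login session is deleted as soon as one OpenID
    authentication has been authorized with it."""

    def __init__(self, single_use):
        self.single_use = single_use
        self.sessions = {}          # cookie value -> username
        self.audit = []             # constructed audit trail of decisions

    def login(self, username):
        """Issue an unguessable session cookie after the user authenticated."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = username
        return cookie

    def authorize(self, cookie, relying_party):
        """Approve a checkid request for relying_party if the cookie is valid.
        Returns the username on success, None when the cookie is not accepted."""
        username = self.sessions.get(cookie)
        if username is None:
            self.audit.append(("denied", relying_party))
            return None
        if self.single_use:
            # One authorization per login: the cookie cannot be presented again.
            del self.sessions[cookie]
        self.audit.append(("authorized", username, relying_party))
        return username


def demo(single_use):
    """Legitimate authorization followed by a second use of the same cookie value."""
    op = OpenIDProviderSessions(single_use)
    cookie = op.login("alice")
    first = op.authorize(cookie, "https://rp1.example/")      # the user's own sign-in
    second = op.authorize(cookie, "https://rp2.example/")     # same cookie presented again later
    return first, second


if __name__ == "__main__":
    print("single-use session:", demo(True))
    print("persistent session:", demo(False))
```

With single_use=True the second call returns None and leaves a "denied" entry in the audit trail, which is also the signal a provider would alert on; with single_use=False the persistent cookie keeps working, which is the trade-off the post describes.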

Think about OpenID as the equivalent of PayPal for authentication. In theory, it is more secure to pay through PayPal as you are not sharing your credit card information with everyone else but a single provider. Do you feel comfortable giving away your credit card details to every single merchant from which you want to purchase some goods? I don't!

Trusting the OpenID provider.

If you are not happy or you don't trust any of the available OpenID providers, roll your own OpenID service. It takes 5 minutes and a couple of lines of PHP, and you can make it as secure as you want. Isn't that much better than trusting every single login prompt you see?

If your OpenID account is hacked, the attacker will be able to login as you anywhere they want.

That is a huge disadvantage! However, you can spend a good amount of time securing your OpenID to the extent that it is not feasible for someone to attack it. We know that all encryption mechanisms are vulnerable to brute force attacks, but is it feasible to crack them? No, not at all. Not now! Maybe when we get to personal quantum computing we might have a chance, but by that time we will have switched to quantum-based cryptography.

There you go! These arguments may not be enough to entirely cover the security considerations when it comes to OpenID, but I think that they are more than enough to make you try the system and come up with your own conclusions.

Archived Comments

I think it's similar to what troubles a lot of software. It's the idea of processing data through one (more or less) secure point. The same goes, for example, for input validation. Basically it's a good idea to have one function that does it for all data an application gets from the user. But on the other side, what if that single point breaks? Then everything is f'ked up. I see it as some sort of monopoly. If everyone uses the same way, everyone is affected by one break. IF the monopoly is working, there is no problem.. IF Microsoft would make secure software, we wouldn't have the problems we have today. I think the idea behind OpenID is good in theory. But in reality, it shatters for the same reason MS shatters. It is NOT secure. There WILL be flaws. And since everyone uses the same...everyone will be attackable the same way. Diversity may lead to a lot of different ways to secure things, and I think lots of those actually aren't designed well. But if one of those breaks, no one else is affected. Unfortunately, we tend to go into a monopolized software biosphere. That's not only MS. It's the same with wordpress, phpBB and a lot of other software. What we have seen recently with those mass-hacks is exactly this problem. It's ONE software that has ONE flaw. And it makes almost everyone vulnerable since everyone uses it. Another thing is that most ways to secure software use the same way even if the software isn't the same. Even if phpBB and wordpress use different cookie names, they basically verify it the same way. So actually we already HAVE a monopolized biosphere. And therefore we can just move on to OpenID, since those people who work on it do focus on security only. So my personal conclusion is, we SHOULD move on to OpenID. But we too have to REALLY be careful, since it WILL break. And when that happens it's back to the application admins to clean up. As usual. It's always the admins who run in case something happens. We never can rest. Always be careful, and don't rely on the software.
Software can't fix an unfixable problem. As long as the Internet works as it does today, there is no way to prevent such things from happening. And I don't think it's too bad... another solution (just an example) would be to give every Internet user a key card and a card reader, and only allow those verified into the Net...and I don't want that. It would maybe fix the technical vulnerabilities, but would open a HUGE door for social/governmental abuse. In the end, I run. Fix my server, fix the clients' computers at work and in my circle of friends.. But on the other side... it's what gets me my monthly paycheck or a beer and dinner at a friend's home. So why complain.
Sam Alexander
OpenID is allowing pretty awesome innovations from companies that want to focus on authentication security. For instance,
Sam Hasler
Having your OpenID account breached may be more catastrophic for the individual affected as it takes all the guesswork out of what sites you use for the attacker, but I think it will happen less frequently as time goes on because of the way OpenID decouples the identification away from identity consumer sites. Previously if there was a weakness in the login process of software used on many websites it would have been some time before they were all updated with any fix. Now with OpenID providers' reputation dependent on how well they are secured it will be in their interest to respond to any security weakness (real or perceived) as quickly as possible. Of course many people will host their own OpenID provider but I'd still argue that the number of installations that have to be updated is reduced by an order of magnitude. There will still be the problem of individual sites getting hacked, but as long as they aren't OpenID providers then it won't spread to any other sites because there won't be any passwords to steal. And if an OpenID provider were to get hacked, well we may be putting all our eggs in one basket - collectively a smaller set of baskets - but (if you'll excuse me mixing metaphors) previously the security of our password was only as secure as the weakest link in the chain - the least secure site you used - whereas now at least we can start to make better decisions about what level of security we are comfortable with for our identity, and make sure those baskets are lead lined and bullet proof.
Sam, that was a very extensive comment and I agree with you. We have to give OpenID a shot, although it could fail for some cases. But all the big boys are heading off towards OpenID, so I don't think that they haven't spent a good amount of money to consider all the risks.
Benjamin Stover
"If your OpenID account is hacked, the attacker will be able to login as you anywhere they want." In a way, this is already the case. We have single sign-on today: email. An attacker can focus on getting the credentials for your email address, search through your inbox for services you have, and go to those services asking for a password reset.
Interesting and even decent points, but my main concern continues to be that OpenID as implemented today remains trivially compromisable. Phishing, pharming, man-in-the-middle attacks are all feasible without any heavyweight client compromise (keyloggers or local trojans). I believe to pdp's post that the big boys have signed on as OPs, but not RPs because they realize they can't yet rely on the authentication from other OPs. Of course, they also have business reasons as well, but they do validly point to the security situation as to why they are only doing OpenID in one direction. Vidoop is cute, but the "click pictures" thing has been done to death before and is just as weak as it has always been. Consolidating all my logins to one site is exactly what I want, but I'm not creating a "single keys to the castle" situation without a MUCH stronger security mechanism in place. I love where OpenID, iCards, OpenSocial, etc. are all going, but they all are hindered by a truly secure implementation. Soon as someone offers me one, I'm all over it.
OpenID is the beginning of open information sharing, which is exciting to see. One login for all sites would be more than wonderful, talk about a world wide identity. My only problem is that OpenID makes you log in with a URL; I'm not really fond of this. There are other solutions, like Aliixer's LoginShare for example, which I think is a more secure method.