JimmyRidge

openid

32 posts in this topic

Just ran into this today when I created an account on beta.legaltorrents.com: instead of filling out a username, email, and email confirmation, it seems some sites are giving an OpenID option. Just enter in one URL or something, I dunno, but I'm gonna try it out today. http://openid.net/ http://openid.net/where/ shows a lot of neat sites


Single Sign On: so the crackers only have to break into one account!

I suppose it's better than using your pet's name, or a123456, as your password, though.


Big exploitable system and is vulnerable to phishing attacks among other security issues. Is that good enough for you :) Even though Launchpad is gonna start being a provider for it, I'm not gonna even activate my beta for it.


Not to mention an attacker only authenticates once, and all the sites that your ID matches are theirs based on the cookie in their browser.

Edited by Alk3

I'm a fan of roboform when it comes to password management/form filling.

I'm a fan of roboform when it comes to password management/form filling.

KeePass ftw


A single site with poor security or a single cleartext login on wifi and everything is lost. Sounds like a good deal.

Edit: Then again, using the same username/password on multiple sites (which I'm sure we're all guilty of) is not much more secure. At least they have to find the accounts first though.

Edited by Ohm
Single Sign On: so the crackers only have to break into one account!

I suppose it's better than using your pet's name, or a123456, as your password, though.

HaHa ... Very true..

This will only lead to people who are not legit hoarding the IDs of people who aren't quick enough to adopt. A very poor idea in security for sure.


Interestingly enough, this month's issue of Linux Journal magazine has an article on the basics of OpenID. Based solely on this thread, I would never have given it a second look. However, it seems as though you guys have made a bunch of invalid assumptions. Allow me to elucidate. :)

OpenID is *not* something that keeps you "signed on" and lets any website that has it enabled automatically know who you are (I think Microsoft Passport or whatever the hell they call it these days works like this). Instead, you can think of it as one single REGISTRATION that you can use in multiple places. For each site that is OpenID compatible, you still have to log into that site. You can simply think of OpenID as a third-party authentication broker (something akin to RADIUS, for example).

Logging in simply redirects you to your OpenID provider's login screen, and you authenticate yourself to the provider. Having successfully done so, you are then returned to the original site and logged in. If at this time you visit another OpenID-enabled site, you will still have to log in there (and, thus, re-authenticate yourself with your OpenID provider).

Now obviously, using "12345" as your OpenID password is stupid... and, if guessed, will allow someone to authenticate as you on whatever sites use OpenID. But you still have to log on to each site, you still have to authenticate yourself, and you still have to allow each site to recognize your own OpenID credentials/profile before they will do it.

You can also register for multiple OpenID accounts, and use them differently on different sites. (As an example, the article author lives in Israel; he has one OpenID profile with his contact information in that country, and another profile with his US contact information.)

So... it piqued my curiosity enough to give it another look (the article author seemed to be impressed with the service overall).


It does have the advantage that you can easily enough create your own provider with your own authentication means and - as long as it follows the spec - it will just work. That means that your OpenID could authenticate against your own server and part of the authentication checks are that you are using the correct browser from the correct IP address, or something along those lines. I'd like to see some cracker get into your account then... :)


As mirrorshades stated you guys made a few invalid assumptions.

The system is not vulnerable as a whole piece. Instead, the security of each user would be equal to the security of the least secure site on which he/she uses the OpenID account. But in fact it is a bit higher than that, because the account's sensitive information will be stored only in one OpenID provider. Of course, there are ways to break it by attacking other sites the user registered for with that account, but it won't be as 'easy' as simply breaking that system.

Register in a site in which you have a very good level of trust, and then use your openid in sites that you trust. That should be as (or more) secure than using the same username/password in a bunch of popular sites.

Despite everything, I think it is positive to see advances in personal authentication management besides the old simple username/password, which has many issues. I don't know if this is the way, or what the future will bring in this area, but we sure need innovations in it.


In addition to the other positive comments above:

1) When you authenticate with your OpenID provider, this should occur via an https session, so sniffing will not get your password.

2) If you have a machine on the internet, you can become your own OpenID server, providing you can convince the sites you wish to log into to accept your machine as valid.

The SecurityNow podcast did an episode on it a while back:

http://media.grc.com/sn/SN-111.mp3

http://media.grc.com/sn/SN-095.mp3

I did ask about this in the context of BinRev a while ago (like 9 months or so); however, the comment at that time was that the admins preferred to have members join (rather than let any OpenID user post) and that it was probably too much work to implement anyhow.

It might be possible to have a member join and have the option to specify an OpenID server rather than a username/password for future logins. If someone has an idea on how to code this up, step up to the plate....

Mungewell.

Edited by mungewell
I suppose it's better than using your pet's name, or a123456, as your password, though.

heh, 40 random numbers/characters/capitals/!"£$%^&*()<>?:@~{} in ma passwords... cain that!


I've read the Linux Journal article and they are just telling you how to use it really, but yes, it's still vulnerable as a full piece of software, that is if you are a rely

I set up a website to get the OpenID username and password of one site and instant access to any OpenID site there is. Can be pretty bad if you look at it from a point of IS.

I set up a website to get the OpenID username and password of one site and instant access to any OpenID site there is. Can be pretty bad if you look at it from a point of IS.

I think that you are misunderstanding the way it works. The site you are logging into does not get the password, only your OpenID. It then connects the user to the OpenID server for that OpenID, which validates the user. If the user enters a correct password, the OpenID server returns a token confirming that the user is correctly identified.

It is up to the original website to decide which OpenID servers it wants to work with; they do not have to accept any old OpenID server.

Mungewell.

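The flow Mungewell describes (site redirects to the provider, provider checks the password, site only ever receives a verifiable confirmation) is easy to lose in prose, so here is a small model of it. This is an added example written for this thread, not code from the forum or from any OpenID library; the provider, relying party, identity URL, password and the simplified HMAC "signed fields" scheme are all constructed for the demo. It shows three things the discussion keeps circling: the relying party never holds a password, an altered assertion fails verification, and a replayed assertion is rejected by the nonce check.

```python
"""Toy model of an OpenID-style redirect login: relying party (RP) vs. provider (OP).

Added example, not code from the thread or from an OpenID library.  All hosts,
credentials and the simplified signing scheme are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

IDENTITY = "https://alice.example.invalid/"      # constructed identity URL
DEMO_PASSWORD = "correct horse battery staple"   # constructed demo password
SIGNED_FIELDS = ("mode", "identity", "return_to", "nonce", "assoc_handle")


def sign(key, fields):
    """HMAC over the canonical list of signed fields (OpenID's 'signed' list, simplified)."""
    msg = "\n".join(f"{k}:{fields[k]}" for k in SIGNED_FIELDS).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Provider:
    """The OpenID provider: the only party that ever sees the password."""

    def __init__(self):
        self._users = {}   # identity URL -> (salt, PBKDF2 hash); no plaintext kept
        self._assoc = {}   # association handle -> shared HMAC key

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, identity, password):
        salt = secrets.token_bytes(16)
        self._users[identity] = (salt, self._kdf(password, salt))

    def associate(self):
        """Association: RP and provider agree on a secret used to sign assertions."""
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._assoc[handle] = key
        return handle, key

    def checkid(self, handle, identity, return_to, nonce, password):
        """The browser lands here after the redirect; the password is typed *to the OP*."""
        salt, stored = self._users.get(identity, (None, None))
        if salt is None or not hmac.compare_digest(self._kdf(password, salt), stored):
            return None                               # wrong user or password: no assertion
        fields = {"mode": "id_res", "identity": identity, "return_to": return_to,
                  "nonce": nonce, "assoc_handle": handle}
        fields["sig"] = sign(self._assoc[handle], fields)
        return fields                                 # the "token" the RP will verify


class RelyingParty:
    """The site being logged into: holds the association key, never a password."""

    def __init__(self, provider):
        self.handle, self.key = provider.associate()
        self.return_to = "https://rp.example.invalid/login/return"
        self.seen_nonces = set()

    def begin(self, identity):
        """Step 1: redirect the browser to the provider with a fresh nonce."""
        params = {"identity": identity, "return_to": self.return_to,
                  "nonce": secrets.token_urlsafe(16), "assoc_handle": self.handle}
        return "https://op.example.invalid/server?" + urlencode(params)

    def complete(self, response):
        """Step 3: verify what the browser brought back; returns the identity or None."""
        if not response or any(k not in response for k in SIGNED_FIELDS):
            return None
        if response["mode"] != "id_res" or response["return_to"] != self.return_to:
            return None
        if response["assoc_handle"] != self.handle:
            return None
        if not hmac.compare_digest(sign(self.key, response), response.get("sig", "")):
            return None                               # forged or altered assertion
        if response["nonce"] in self.seen_nonces:
            return None                               # replayed assertion
        self.seen_nonces.add(response["nonce"])
        return response["identity"]


def login_flow(password_typed, tamper=False, replay=False):
    """Run one login end to end; returns the identity the RP accepts, or None."""
    op = Provider()
    op.register(IDENTITY, DEMO_PASSWORD)
    rp = RelyingParty(op)
    redirect = rp.begin(IDENTITY)
    # The browser follows the redirect; unpack the query string the provider receives.
    q = {k: v[0] for k, v in parse_qs(redirect.split("?", 1)[1]).items()}
    assertion = op.checkid(q["assoc_handle"], q["identity"], q["return_to"],
                           q["nonce"], password_typed)
    if tamper and assertion:
        # Step 2 passes through the user's browser: simulate it swapping the identity.
        assertion = dict(assertion, identity="https://mallory.example.invalid/")
    accepted = rp.complete(assertion)
    if replay:
        accepted = rp.complete(assertion)             # same assertion presented twice
    return accepted


if __name__ == "__main__":
    print(login_flow(DEMO_PASSWORD))                  # the identity URL
    print(login_flow("guess"), login_flow(DEMO_PASSWORD, tamper=True),
          login_flow(DEMO_PASSWORD, replay=True))     # None None None
```

The point of the design is in what each class stores: `RelyingParty` keeps an association key and a set of used nonces, nothing a phisher could reuse as a password, while `Provider` keeps only a salted hash. Whether a real deployment is safe still depends on the provider's login page being served over https and on the relying party checking `return_to`, the association handle and the nonce the way `complete` does.
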
I think that you are misunderstanding the way it works. The site you are logging into does not get the password, only your OpenID. It then connects the user to the OpenID server for that OpenID, which validates the user. If the user enters a correct password, the OpenID server returns a token confirming that the user is correctly identified.

It is up to the original website to decide which OpenID servers it wants to work with; they do not have to accept any old OpenID server.

Mungewell.

Sounds like a wide-area Kerberos..

I set up a website to get the OpenID username and password of one site and instant access to any OpenID site there is. Can be pretty bad if you look at it from a point of IS.

I think that you are misunderstanding the way it works. The site you are logging into does not get the password, only your OpenID. It then connects the user to the OpenID server for that OpenID, which validates the user. If the user enters a correct password, the OpenID server returns a token confirming that the user is correctly identified.

It is up to the original website to decide which OpenID servers it wants to work with; they do not have to accept any old OpenID server.

Mungewell.

I got the feeling a lot of people here are very unsure or misinformed about this topic. Thank you mungewell and mirrorshades for bringing this topic into more of a proper light. While I do believe there are some abilities to have issues with OpenID, such as expiring accounts being reused (More of a server side issue) or websites improperly handling the OpenID technology, these issues are the same with ANY authentication technology.

The big factor that is also being overlooked is that while OpenID by itself, I am willing to argue, is fairly secure when implemented correctly, it also is able to be implemented with two-factor authentication methods, allowing you to pair this ID with a hardware authentication method if you so choose. Two big names in the corporate authentication industry have supported this movement; you should know them respectively as Verisign and RSA.

I hope this conversation will spark many of you to further research this and understand it a bit more as this isn't the only community that is misinformed about how the technology works and where its actual vulnerabilities lie.

I set up a website to get the OpenID username and password of one site and instant access to any OpenID site there is. Can be pretty bad if you look at it from a point of IS.

I think that you are misunderstanding the way it works. The site you are logging into does not get the password, only your OpenID. It then connects the user to the OpenID server for that OpenID, which validates the user. If the user enters a correct password, the OpenID server returns a token confirming that the user is correctly identified.

It is up to the original website to decide which OpenID servers it wants to work with; they do not have to accept any old OpenID server.

Mungewell.

Umm, no. I actually already checked this out and have actually been in a web seminar about how bad OpenID is from a well known information security expert, and trust me, OpenID does not return a token at all. It just puts something in a cookie, which I can grab off your computer easily.

So I actually wish people would stop saying no one is informed about how OpenID works, since they themselves are ill informed on how it works.

All OpenID uses is an md5 hash from openssl for the password, easily crackable if someone actually wants to.

So quit telling people that they are misinformed while you are the one misinformed.

Edited by kitche
Umm, no. I actually already checked this out and have actually been in a web seminar about how bad OpenID is from a well known information security expert, and trust me, OpenID does not return a token at all. It just puts something in a cookie, which I can grab off your computer easily.

So I actually wish people would stop saying no one is informed about how OpenID works, since they themselves are ill informed on how it works.

All OpenID uses is an md5 hash from openssl for the password, easily crackable if someone actually wants to.

So quit telling people that they are misinformed while you are the one misinformed.

Which seminar was it, and who was the well known information security expert?

The overall security depends on the provider. Yes, as has been mentioned, if you have a retarded password, your openid account can become compromised. However, one of the providers uses a user-specified series of images displayed on a random grid to generate a one-time password. This can't be easily cracked.

At the end of the day, it's probably not a perfect system. And indeed, if your ID is compromised, your identity on whichever sites you use it on is also compromised. But I think it's a bit simplistic to simply write it off without a more detailed look. I'm not an expert, but it looks like there are some experts who are on board. (As an example, VeriSign is one of the providers... and they tend to know a thing or two about system security.)

So I actually wish people would stop saying no one is informed about how OpenID works, since they themselves are ill informed on how it works.

Without wanting to get into a flame war, what exactly did I say that was incorrect? We're all here to discuss technology and learn new stuff, I stated that the login is actually done with the OpenID provider not the site that you are logging into (meaning that they don't get plaintext of your password).

If there is a flaw where the password (or a token containing a hash of it) can be grabbed via another means, then I'm sure that we'd all like to hear about it. It may be that a vulnerability such as this is down to other problems (such as choice of browser or OS) and is not a specific problem with OpenID.

Please educate me,

Mungewell.

PS. 'trust me' is a good phrase for selling snake oil, proof is what we want!!


This is an excellent discussion thread. I have been wanting to learn more about this so I look forward to more information here...perhaps one of the openID developers might come over and shed some light.

But to readdress their use in the forums, I would not be opposed if it proves to be secure, but the other caveat is the time to implement it. I cannot commit to any more custom code in these forums right now. It makes future upgrades difficult because everything has to be re-updated and rechecked. The only way that I honestly see this happening is if either the OpenID group or Invision software make an officially supported interface for OpenID.

This is an excellent discussion thread. I have been wanting to learn more about this so I look forward to more information here...perhaps one of the openID developers might come over and shed some light.

But to readdress their use in the forums, I would not be opposed if it proves to be secure, but the other caveat is the time to implement it. I cannot commit to any more custom code in these forums right now. It makes future upgrades difficult because everything has to be re-updated and rechecked. The only way that I honestly see this happening is if either the OpenID group or Invision software make an officially supported interface for OpenID.

I really don't think it proves to be specifically useful here unless people are using OpenID in other locations. I am an active user of OpenID and am in line for the hardware token that is in beta with Verisign to work with the OpenID technology, and I would love to invite some serious security research on this topic, as I believe the concept is VERY useful, but maybe this community could lend an excellent debate and resource to the development community in handling these security concerns.

Edited by Zapperlink

I see the potential for abuse in this technology (if I'm understanding the architecture correctly). If one site has a malicious operator or is compromised, the credentials for all sites that use the same authentication providers can be harvested (similar to single sign-on weaknesses). If this were to happen on a site that uses traditional authentication mechanisms, the attacker may be able to use the credentials on other sites (if they use the same credentials), but they would have to know what other sites the users are members of. With OpenID the credentials are guaranteed to be identical on other sites, and the attacker may know exactly which sites are using the authentication provider in question, which is why I believe implementing OpenID could be dangerous. Am I correct in making these assumptions?

I see the potential for abuse in this technology (if I'm understanding the architecture correctly). If one site has a malicious operator or is compromised, the credentials for all sites that use the same authentication providers can be harvested (similar to single sign-on weaknesses). If this were to happen on a site that uses traditional authentication mechanisms, the attacker may be able to use the credentials on other sites (if they use the same credentials), but they would have to know what other sites the users are members of. With OpenID the credentials are guaranteed to be identical on other sites, and the attacker may know exactly which sites are using the authentication provider in question, which is why I believe implementing OpenID could be dangerous. Am I correct in making these assumptions?

Yes, there is a significant risk if the OpenID server that you have entrusted with your login information were to be abused. This is a valuable part of why a trustworthy OpenID server must be researched and something you feel comfortable with. I think honestly this technology would be a good resource for internal systems as a bare minimum start, instead of the jimmy-rigged single sign-on setups I have run across.

I see the potential for abuse in this technology (if I'm understanding the architecture correctly). If one site has a malicious operator or is compromised, the credentials for all sites that use the same authentication providers can be harvested (similar to single sign-on weaknesses). If this were to happen on a site that uses traditional authentication mechanisms, the attacker may be able to use the credentials on other sites (if they use the same credentials), but they would have to know what other sites the users are members of. With OpenID the credentials are guaranteed to be identical on other sites, and the attacker may know exactly which sites are using the authentication provider in question, which is why I believe implementing OpenID could be dangerous. Am I correct in making these assumptions?

If I'm reading you correctly, it sounds like you're not quite there. You're asking if a site that uses OpenID for authentication gets compromised, does that mean that any OpenIDs on that site have been compromised... am I correct?

If that is your question, then no... because the individual sites that use OpenID never have access to the authentication info. They simply hand off the transaction to a provider, who then returns effectively a "yes, this seems to be who he says he is" or "no, he's a HACKER! lolol". The site itself never has access to any usernames, passwords, or any other information used for the user authentication process.

As zapperlink stated, though, if one of the *providers* were to become compromised, it would be of greater concern. You can, however, effectively transfer your OpenID between providers while still keeping the same ID (by using a custom URL as your identifier instead of the URL specified by the provider). If you do it this way, then you can simply register on another OpenID site and update your page to point to the new server.

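Mirrorshades' last point, that you can keep one identifier URL and move between providers by changing what your own page points at, rests on the HTML-based discovery step: the relying party fetches the identifier URL and reads a couple of `<link>` tags from its `<head>`. The following parser is an added example for this thread, not code from the forum or from any OpenID library; the page contents and hostnames are constructed. The `rel` values are the ones the OpenID 1.1 (`openid.server`, `openid.delegate`) and OpenID 2.0 (`openid2.provider`, `openid2.local_id`) specifications define, and the example goes slightly beyond the post by handling both generations and by refusing a provider endpoint that is not served over https (the sniffing concern raised earlier in the thread).

```python
"""Read the OpenID delegation <link> tags an RP looks for on a user-owned identifier page.

Added example, not code from the thread or from an OpenID library.  The HTML pages and
hostnames below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values defined by OpenID 1.1 (openid.*) and OpenID 2.0 (openid2.*)
WANTED = {"openid.server", "openid.delegate", "openid2.provider", "openid2.local_id"}


class OpenIDLinkParser(HTMLParser):
    """Collects the first occurrence of each OpenID <link> inside the document <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
            return
        if tag != "link" or not self._in_head:
            return                                    # links outside <head> are ignored
        attr = dict(attrs)
        href = attr.get("href")
        if not href:
            return
        for rel in (attr.get("rel") or "").lower().split():
            if rel in WANTED:
                self.links.setdefault(rel, href)      # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(identifier_url, page_html):
    """Return (provider_endpoint, local_id) for an identifier page, or None if not delegated.

    OpenID 2.0 tags take precedence over 1.1 tags; without a delegate/local_id the
    identifier itself is the id the provider is asked about.
    """
    parser = OpenIDLinkParser()
    parser.feed(page_html)
    endpoint = parser.links.get("openid2.provider") or parser.links.get("openid.server")
    if endpoint is None:
        return None
    local_id = (parser.links.get("openid2.local_id")
                or parser.links.get("openid.delegate") or identifier_url)
    if urlparse(endpoint).scheme != "https":
        raise ValueError(f"provider endpoint {endpoint!r} is not served over https")
    return endpoint, local_id


# Constructed identifier pages: the same user URL, pointed at two different providers.
ME = "https://alice.example.invalid/"

PAGE_AT_FIRST_PROVIDER = """<html><head><title>alice</title>
<link rel="openid2.provider" href="https://op-one.example.invalid/server">
<link rel="openid2.local_id" href="https://op-one.example.invalid/id/alice">
</head><body>
<link rel="openid2.provider" href="https://attacker-controlled.example.invalid/">
</body></html>"""

PAGE_AFTER_MOVE = """<html><head>
<link rel="openid2.provider" href="https://op-two.example.invalid/openid">
<link rel="openid2.local_id" href="https://op-two.example.invalid/u/alice">
</head><body>moved providers, same URL</body></html>"""

PAGE_LEGACY_NO_DELEGATE = """<html><head>
<link rel="openid.server" href="https://op-three.example.invalid/server">
</head><body></body></html>"""

PAGE_PLAIN_HTTP = """<html><head>
<link rel="openid.server" href="http://op-four.example.invalid/server">
</head></html>"""


if __name__ == "__main__":
    print(discover(ME, PAGE_AT_FIRST_PROVIDER))
    print(discover(ME, PAGE_AFTER_MOVE))
    print(discover(ME, PAGE_LEGACY_NO_DELEGATE))
```

What the move looks like from the relying party's side is exactly the post's claim: `discover` returns a different endpoint and local id for the two pages, while the identifier the site stores for the user (`ME`) never changes. The body-level `<link>` in the first page is deliberately ignored, since only head-level tags are part of discovery; anything that can inject markup into the identifier page's head, however, can redirect the login to a provider of its choosing, which is the reason the page must be one the user actually controls.
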
