FYI, DotNetOpenAuth performs CRL checks regardless of profile if the web.config file is set correctly. All the samples DNOA ships with have this turned on by default.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

We're hiring! My team at Microsoft has 7 open slots. http://bit.ly/fZBVUo
On Thu, Mar 24, 2011 at 10:19 AM, John Bradley <[email protected]> wrote:
> The obvious vulnerability would be an attacker that knew some number of
> OpenIDs at a given RP; by spoofing DNS and SSL they could gain access to
> those accounts by setting up a rogue IdP with the fraudulent SSL cert.
>
> This requires a DNS or routing vulnerability at the RP to be successful.
>
> Not an easy attack.
>
> However, no attack is good.
>
> For the FICAM OpenID profile we required OCSP or CRL checking for RPs to
> mitigate this risk.
>
> John B.
>
> On 2011-03-24, at 1:08 PM, Mike Hanson wrote:
>
> Thanks for the clarification, Phillip.
>
> m
>
> On Mar 24, 2011, at 10:06 AM, Phillip Hallam-Baker wrote:
>
> No login servers were affected.
>
> Several domains on which the servers are deployed were affected, but not the
> login servers.
>
> On Thu, Mar 24, 2011 at 12:48 PM, Mike Hanson <[email protected]> wrote:
>
>> Comodo has posted a detailed incident report here:
>> http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
>>
>> Several login servers were affected.
>>
>> -MH
>>
>> On Mar 24, 2011, at 7:09 AM, John Bradley wrote:
>>
>>> http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
>>>
>>> The browser vendors blocking those certificates is nice; however, there
>>> are attacks on RPs that could be done with those certificates that are still
>>> open.
>>>
>>> In testing, something like 0% of RPs check OCSP or CRL; the libs don't
>>> force OpenSSL to do those checks (I think DNOA will do them in FICAM mode).
>>>
>>> So perhaps encouraging people to perform those checks would be a good
>>> idea.
>>>
>>> We can only hope that none of the 9 certificates cover an OpenID OP,
>>> otherwise user accounts at RPs could theoretically be compromised.
>>>
>>> John B.
>
> --
> Website: http://hallambaker.com/
_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
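The thread's point is that an RP's TLS client accepts a fraudulently issued (and since revoked) certificate unless its library explicitly enables revocation checking, which most do not by default. The script below is an added example, not part of the original discussion and not DotNetOpenAuth's code: it builds a throwaway CA, issues a certificate for a hypothetical OP host (op.example), revokes it, publishes a CRL, and then runs openssl verify twice. The first call is plain chain validation, which is what a client using library defaults gets; the second adds -crl_check. The CA, the host name and the 3-day lifetimes are constructed for the demo only.

```shell
#!/bin/sh
# Added example (not from the thread): shows that a revoked certificate
# still validates unless the verifier is told to consult the CRL.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA, constructed for this demo; not a real CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3 \
    -keyout ca.key -out ca.crt -subj "/CN=Demo Test CA" >/dev/null 2>&1

# Minimal database and config that 'openssl ca' needs to sign, revoke
# and issue a CRL.
touch index.txt
echo 01 > serial
echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 3
default_crl_days = 3
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF

# Issue a certificate for a hypothetical OP host (placeholder name).
openssl req -newkey rsa:2048 -nodes -sha256 -keyout op.key -out op.csr \
    -subj "/CN=op.example" >/dev/null 2>&1
openssl ca -batch -config ca.cnf -notext -in op.csr -out op.crt >/dev/null 2>&1

# Revoke it and publish the CRL, as a CA does after a mis-issuance.
openssl ca -config ca.cnf -revoke op.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1

# Chain validation only: exit status 0, the revoked cert is accepted.
# This is the behaviour of a client whose library never enables CRL/OCSP.
verify_without_crl_check() {
    openssl verify -CAfile ca.crt op.crt >/dev/null 2>&1
}

# Chain validation plus CRL check: non-zero exit, the cert is rejected.
verify_with_crl_check() {
    openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check op.crt >/dev/null 2>&1
}

if verify_without_crl_check; then
    echo "no CRL check: revoked certificate ACCEPTED"
fi
if ! verify_with_crl_check; then
    echo "CRL check:    revoked certificate rejected"
fi
```

The same asymmetry exists in every TLS client stack: the chain check is unconditional, but consulting a CRL or OCSP responder is an opt-in flag or configuration setting, so an RP that runs on library defaults behaves like the first call. A practitioner auditing an RP should confirm the setting is on in the deployed environment, not only in the library's samples, and should also decide what happens when the CRL or OCSP endpoint is unreachable (fail closed, or the check silently becomes a no-op).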
