Thanks Andrew, I think DNOA is the only RP lib doing that.

John B.

On 2011-03-24, at 3:27 PM, Andrew Arnott wrote:

> FYI, DotNetOpenAuth performs CRL checks regardless of profile if the
> web.config file is set correctly. All the samples DNOA ships with have this
> turned on by default.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
> We're hiring! My team at Microsoft has 7 open slots. http://bit.ly/fZBVUo
>
>
> On Thu, Mar 24, 2011 at 10:19 AM, John Bradley <[email protected]> wrote:
> The obvious vulnerability would be an attacker that knew some number of
> openId at a given RP, by spoofing DNS and SSL they could gain access to
> those accounts by setting up a Rogue IdP with the fraudulent SSL cert.
>
> This requires a DNS or routing vulnerability at the RP to be successful.
>
> Not an easy attack.
>
> However no attack is good.
>
> For the FICAM openID profile we required OCSP or CRL checking for RP to
> mitigate this risk.
>
> John B.
>
> On 2011-03-24, at 1:08 PM, Mike Hanson wrote:
>
>> Thanks for the clarification, Phillip.
>>
>> m
>>
>> On Mar 24, 2011, at 10:06 AM, Phillip Hallam-Baker wrote:
>>
>>> No login servers were affected.
>>>
>>> Several domains on which the servers are deployed were affected but not the
>>> login servers.
>>>
>>> On Thu, Mar 24, 2011 at 12:48 PM, Mike Hanson <[email protected]> wrote:
>>> Comodo has posted a detailed incident report here:
>>> http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
>>>
>>> Several login servers were affected.
>>>
>>> -MH
>>>
>>> On Mar 24, 2011, at 7:09 AM, John Bradley wrote:
>>>
>>> > http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
>>> >
>>> > The browser vendors blocking those certificates is nice, however there
>>> > are attacks on RP that could be done with those certificates that are
>>> > still open.
>>> >
>>> > In testing something like 0% of RP check OCSP or CRL, the libs don't
>>> > force openSSL to do those checks (I think DNOA will do them in FICAM mode)
>>> >
>>> > So perhaps encouraging people to perform those checks would be a good
>>> > idea.
>>> >
>>> > We can only hope that none of the 9 certificates cover openID OP,
>>> > otherwise user accounts at RP could theoretically be compromised.
>>> >
>>> > John B.
>>>
>>> --
>>> Website: http://hallambaker.com/
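As an added illustration (not code from this thread or from DotNetOpenAuth), the following Python shows the point John raises: a stock TLS client context validates the chain but never asks OpenSSL to consult a CRL, so an RP has to opt in explicitly. The function names and the CRL file path are assumptions for the example.

```python
import ssl
from typing import Optional


def default_context_checks_revocation() -> bool:
    """A stock client context verifies the chain and hostname but, like the
    RP libraries discussed in the thread, leaves CRL checking switched off.
    Returns False on an unmodified Python install."""
    ctx = ssl.create_default_context()
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)


def rp_tls_context(crl_path: Optional[str] = None) -> ssl.SSLContext:
    """TLS context for an RP's outbound requests to an OP (discovery,
    association, check_authentication) with CRL checking of the OP's
    leaf certificate turned on.

    With no CRL loaded, OpenSSL fails every handshake ("unable to get
    certificate CRL"), i.e. the check fails closed instead of being skipped.
    Python's ssl module has no client-side OCSP, so CRLs are the available
    revocation mechanism here."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # VERIFY_CRL_CHECK_LEAF rejects a revoked OP leaf certificate;
    # VERIFY_CRL_CHECK_CHAIN would additionally require a CRL for every CA.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if crl_path is not None:
        # CRLs are loaded through the same call as CA certificates; the file
        # is a PEM-encoded X.509 CRL published by the issuing CA (assumed path).
        ctx.load_verify_locations(cafile=crl_path)
    return ctx


def context_enforces_crl(ctx: ssl.SSLContext) -> bool:
    """Deployment check: does this context require a valid, unrevoked,
    hostname-matching server certificate?"""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF))


if __name__ == "__main__":
    print("stock client context checks CRLs:", default_context_checks_revocation())
    hardened = rp_tls_context()  # no CRL file here: handshakes fail closed
    print("hardened RP context checks CRLs:", context_enforces_crl(hardened))
```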
_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
