Re: [Full-disclosure] OpenID. The future of authentication on the web?
Hey Paul, some valid points indeed, but let me inline some of my thoughts. Read on.

On Sun, Mar 23, 2008 at 10:37 PM, Paul Schmehl [EMAIL PROTECTED] wrote:
> --On March 23, 2008 2:52:53 PM Petko D. Petkov [EMAIL PROTECTED] wrote:
>> First of all, OpenID is a very simple but rather useful technology. With OpenID you have only one account, your ID, which you can use everywhere the OpenID technology is supported. It is not clear whether this setup is more secure than what we have at the moment (every site forces you to register a unique username/password pair), but it is definitely more convenient.
>
> Yes, and convenience is often the enemy of security.

Not always. I think complexity is the enemy of security. The simpler the system is, the less chance there is to screw up, and the more secure it is. It is much easier to secure a single port than a class B network, don't you think?

>> The first argument for OpenID is that the more you share your secrets, credit card information, usernames and passwords, the higher the chances that this information will be leaked or stolen. On the other hand, OpenID is prone to phishing attacks, so user education is required.
>
> However, with OpenID, all I have to do is figure out how to capture your credentials (which does not require that I compromise OpenID), and I can own everything that you own. At least with the disparate systems we have now you only get those things where I've been foolish enough to use the same credentials. Even then you have to figure out what those systems are. With OpenID I simply try every site that uses OpenID, trivial to do programmatically.

Paul, you are right, but here are my arguments:

First of all, we've proved time and time again that people do reuse passwords. Password reuse is a huge problem, and it is due to our inefficiency at memorizing partial information which is not associated with anything substantial. In psychology this is known as the process of anchoring, and if you master how to anchor then you can master memorizing large sets of useless data without getting corrupted sectors in your brain. A good start is reading Derren Brown's book Tricks of the Mind.

On another note, capturing my OpenID credentials wouldn't be as easy as you say. First of all, if the OpenID provider has a valid, authorized SSL certificate you won't even be able to see when creds are flying around. Second, I've mentioned one-time passwords in terms of keyfobs, RSA tokens, whatever. Even if you capture these credentials you won't be able to use them, and believe me, carrying one keyfob just for your OpenID provider is a lot easier than having what they call a keyfob necklace in order to ensure good security for every single site you visit. I think that VeriSign provides an OpenID service which is based on all that.

Last but not least, let's say that you have access to the machine or network and you can sniff the cookies and as such get access to the OpenID account. Well, some OpenID providers have features where you can configure the account to automatically destroy the session cookie once an OpenID authentication is authorized. Your best chance is to sniff or attack the sites the user is logging into, but any problems associated with them are not problems within OpenID, and they will work independently of the authorization/identification mechanism.

>> Think about OpenID as the equivalent of PayPal for authentication. In theory, it is more secure to pay through PayPal as you are not sharing your credit card information with everyone else but a single provider.
>
> There's a reason I don't use PayPal..

Well, PayPal is a lot more secure when it comes to money transfers/transactions. Do you feel comfortable giving away your credit card details to every single merchant from which you want to purchase some goods? I don't!

>> I am all for OpenID as you can spend good time on securing a single system. If the OpenID provider is not vulnerable to common Web attacks and it provides good privacy mechanisms such as SSL, on top of which are built good authentication features such as one-time tokens, etc., then OpenID is the preferable choice.
>
> The problem is, I have to trust the OpenID provider to both secure his/her systems and hire trustworthy help. I have to do the same locally, but I have a great deal more control and ability to monitor.

Well, roll your own OpenID service. It takes 5 minutes and a couple of lines of PHP and you can make it as secure as you want. Isn't that much better than trusting every single login prompt you see?

>> Keep in mind though, that if your OpenID account is hacked, the attacker will be able to log in as you anywhere they want. This is the main concern and disadvantage.
>
> And that is a *huge* disadvantage.

True, but as I mentioned above and in my previous email, you can spend good time securing your OpenID to the extent it is not feasible for
Re: [Full-disclosure] OpenID. The future of authentication on the web?
Dear reepex, every single time. :) Yet another proof that you are a troll. Why don't you come up with something constructive for a change? The email thread reads "OpenID. The future of authentication on the web?", not "how to troll full-disclosure, reepex style". FYI, do your research and show examples next time before pointing fingers. As you can see, yours and your friends' useless comments did not get moderated out. And yes, the blogosphere is gigantic and it has many useful, troll-free blogs that provide good information resources and discussion grounds for everybody, even you.

Kind Regards,
pdp

On Sun, Mar 23, 2008 at 10:33 PM, reepex [EMAIL PROTECTED] wrote:
> that's right pdp - go run to your protected lists and blogs where you don't have to hear anything negative and where you can flame people without contest who talk against you. you are another Bill O'Reilly and everyone thinks of you as such. enjoy your sheep.
>
> On Sun, Mar 23, 2008 at 9:52 AM, Petko D. Petkov [EMAIL PROTECTED] wrote:
>> Hi Steven,
>>
>> I guess most 1337 hax0rs will flame you on this list. There are good security blogs you can follow and learn from instead. Full-disclosure is for rants and bashing only!
>>
>> I can point you to some articles that I wrote regarding OpenID; however, let me share my thoughts quickly as that will save you some time, and of course if you are still curious you can go research further.
>>
>> First of all, OpenID is a very simple but rather useful technology. With OpenID you have only one account, your ID, which you can use everywhere the OpenID technology is supported. It is not clear whether this setup is more secure than what we have at the moment (every site forces you to register a unique username/password pair), but it is definitely more convenient.
>>
>> The first argument for OpenID is that the more you share your secrets, credit card information, usernames and passwords, the higher the chances that this information will be leaked or stolen. On the other hand, OpenID is prone to phishing attacks, so user education is required.
>>
>> Think about OpenID as the equivalent of PayPal for authentication. In theory, it is more secure to pay through PayPal as you are not sharing your credit card information with everyone else but a single provider.
>>
>> I am all for OpenID as you can spend good time on securing a single system. If the OpenID provider is not vulnerable to common Web attacks and it provides good privacy mechanisms such as SSL, on top of which are built good authentication features such as one-time tokens, etc., then OpenID is the preferable choice.
>>
>> Keep in mind though, that if your OpenID account is hacked, the attacker will be able to log in as you anywhere they want. This is the main concern and disadvantage.
>>
>> pdp
>>
>> P.S. Dear list, the only reason I am not priv-messaging Steven is because I believe that there are other people who are interested in this topic. So, instead of wasting valuable resources and energy answering everyone individually, I've decided to do it once, hoping that this message will be seen by others. Thanks!
>>
>> On Sun, Mar 23, 2008 at 12:18 PM, Steven Rakick [EMAIL PROTECTED] wrote:
>>> Hello list,
>>>
>>> I'm curious what the group thinks about the recent surge in support for OpenID across the web and the impact it will have.
>>>
>>> 1) Beemba - http://www.beemba.com
>>> 2) ClaimID - http://www.claimid.com
>>> 3) MyOpenID - http://www.myopenid.com
>>> 4) Many others...
>>>
>>> These sites are gaining in popularity quickly, and with the announcements of support from big players Yahoo, AOL, Microsoft and Google, combined with smaller web2.0 celeb-run sites like Digg, OpenID appears to be what will eventually be the norm. Thoughts?
>>>
>>> I've also noticed that many of these sites are bundling Information Card support (CardSpace on Windows). Sounds like a good idea as it complements OpenID and helps address some weaknesses. Again, any thoughts?
>>>
>>> I'm really just interested in a dialog.
>>>
>>> -sr

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters
gnucitizen.org | hakiri.org | spinhunters.org
Re: [Full-disclosure] OpenID. The future of authentication on the web?
Petko D. Petkov wrote:
> As I said, if you don't trust public OpenID providers, roll your own. It is very, very, very easy.

You seem to miss one point: in the current online environment you are not talking about 5 or 6 IDs/credentials but more like 20 to 30. (Remember, each blog you post to, each mailing list, each web store requires its own ID/credentials.) OpenID provides for the possibility to group these IDs by function and select the correct provider with the safeguards you want for each group. An OpenID for money-related transactions would need more safeguards than an OpenID for, let's say, full-disclosure ;-)

FG
Re: [Full-disclosure] OpenID. The future of authentication on the web?
Indeed, but this can be a subsystem, a feature of the OpenID provider. For example, some OpenID providers have the feature to choose different personas depending on the usage. So it will be easier to safeguard a persona within one OpenID provider. So for example, in my current OpenID setup I have two personas: one for daily use which is completely useless and one for mission-critical stuff. Although the mission-critical persona is not safeguarded :) (lack of functionalities here), if such a feature is implemented, wouldn't that be much better? :)

On Mon, Mar 24, 2008 at 9:51 AM, Gorn [EMAIL PROTECTED] wrote:
> [...]
Re: [Full-disclosure] OpenID. The future of authentication on the web?
agree :)

On Mon, Mar 24, 2008 at 10:50 AM, Gorn [EMAIL PROTECTED] wrote:
> Petko D. Petkov wrote:
>> [...]
>
> That could be; I was more hinting at the open structure of OpenID. If you don't trust a provider, choose another one. Other frameworks for online authentication/authorization don't offer this flexibility, one provider only, like Passport. OpenID offers the possibility to offer competing authentication services provided by different providers. So you don't have to put all your eggs in one basket. (It is Easter after all.)
Re: [Full-disclosure] OpenID. The future of authentication on the web?
> The correct solution, IMO, would be an encrypted password vault, stored on a USB drive and only available through the use of a password and some other form of identification (biometric, etc.)
>
> What about kiosks and other situations where it wouldn't be secure to allow arbitrary people to insert USB keys? This vault requires a support system of some kind; does there need to be software on the system to read it? Do you trust that software?

And even encryption solutions have their problems, as the key-recovery-from-RAM paper has shown...

If we use public/private keys with SSH, why not use them with more services, like web ones? :) Key owners would have the responsibility to manage their keys (password recovery procedures substituted by key procedures) and their passwords... Of course it would take a long time to deploy and teach the general public about it, but isn't that what security pros have been trying to do for a long time?
Re: [Full-disclosure] OpenID. The future of authentication on the web?
Let's put it this way: it is easy to prevent phishing attacks against OpenID on the client side with browser extensions. In fact, I think that Firefox will make this feature a default in their upcoming versions. It could work exactly the same as the current trusted certificate authorities every single web browser comes with. You will have a list of trusted OpenID providers' domains which are also cross-matched with their SSL certificates and URLs. Done! If Firefox is not planning to implement this feature, heck, I will code it myself. This is a hello-world XUL extension.

pdp

On Sun, Mar 23, 2008 at 11:16 PM, Steven Rakick [EMAIL PROTECTED] wrote:
> Many of you have brought up that OpenID is vulnerable to phishing and have highlighted weaknesses specific to traditional username/password authentication. This was the main reason I brought up Information Cards in my original post.
>
> I've noticed that Beemba (http://www.beemba.com) and MyOpenID (http://www.myopenid.com) have both implemented Information Cards as an authentication option. Good idea? It seems to me that if you were to rely on Information Cards as opposed to username/password the phishing angle is mitigated. Is this not the case?
>
> -sr
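As an added illustration of the client-side check pdp sketches above (this is example code written for this page, not code from the thread or from any real extension), the JavaScript below evaluates the page a user is about to enter OpenID credentials on against a pinned list of provider hosts and certificate fingerprints; the provider hosts and fingerprints are constructed placeholders.

```javascript
// Added example: a "trusted OpenID provider" check in the spirit of pdp's
// proposal. Not code from the thread or from any real browser extension.
// PINNED_PROVIDERS is constructed sample data; the fingerprints are placeholders.

const PINNED_PROVIDERS = [
  // host:       exact host the login form must be served from (no wildcards)
  // certSha256: expected SHA-256 fingerprint of the leaf certificate (lowercase hex)
  { host: "www.myopenid.example", certSha256: "aa".repeat(32) },
  { host: "pip.verisign.example", certSha256: "bb".repeat(32) },
];

// Normalise a host the way a browser compares it: lower-case, no trailing dot.
// Punycode labels are flagged because lookalike (homograph) domains are the
// classic way to lure a user onto a fake provider login page.
function normaliseHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const suspicious = h.split(".").some((label) => label.startsWith("xn--"));
  return { host: h, suspicious };
}

// Evaluate one login page. `page` is what an extension would observe:
//   { url: "https://...", certSha256: "hex" | null }
// Returns a verdict string the extension would map to a warning or a green light.
function evaluateLoginPage(page, pinned = PINNED_PROVIDERS) {
  let url;
  try {
    url = new URL(page.url);
  } catch (e) {
    return "invalid-url";
  }
  if (url.protocol !== "https:") {
    return "not-https"; // never enter OpenID credentials over plain HTTP
  }
  const { host, suspicious } = normaliseHost(url.hostname);
  if (suspicious) {
    return "lookalike-host"; // punycode label, possible homograph
  }
  const entry = pinned.find((p) => p.host === host);
  if (!entry) {
    return "unknown-provider"; // not in the user's trusted list
  }
  const fp = (page.certSha256 || "").toLowerCase();
  if (fp !== entry.certSha256) {
    return "cert-mismatch"; // right name, wrong certificate
  }
  return "trusted";
}

// Batch helper: verdicts for a list of observed pages plus trusted/flagged counts.
function summarise(pages, pinned = PINNED_PROVIDERS) {
  const verdicts = pages.map((p) => evaluateLoginPage(p, pinned));
  return {
    verdicts,
    trusted: verdicts.filter((v) => v === "trusted").length,
    flagged: verdicts.filter((v) => v !== "trusted").length,
  };
}
```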
Re: [Full-disclosure] OpenID. The future of authentication on the web?
Let's be realistic here. It's not about the technical feasibility, it's about an open standard people trust and have bought into. This is what Information Cards are in my mind, much the same as OpenID. Sure, you could go out and create an extension to serve the same purpose in your own way, but who would trust it? I mean, PDP is known for JavaScript port scanning via XSS (I know you've done more, but...), not authentication.

My point is simple. With OpenID + Information Cards, much of the security concerns/weaknesses (phishing, password theft/loss) around OpenID as a protocol are addressed. Sure, you still have to trust the provider (or write your own), but the implementation can be secure, open and publicly accessible using currently available and supported web technologies. Beemba and MyOpenID currently do this.

BTW, Firefox 3 will have support for Information Cards by default, and an extension is available for Firefox 2 at CodePlex.

-sr

On Mon, Mar 24, 2008 at 5:25 AM, Petko D. Petkov [EMAIL PROTECTED] wrote:
> [...]
Re: [Full-disclosure] OpenID. The future of authentication on the web?
I would disagree. One could simply create a template password and then salt it with some acronym for the site in question. For instance, S0m3p4ss!### where ### is a 3-letter acronym for the site they are accessing. You still need only one password to remember, and you don't necessarily have a single point of 0wnership anymore.

On Sun, Mar 23, 2008 at 7:04 PM, Larry Seltzer [EMAIL PROTECTED] wrote:
>> I understand the attractiveness of not having to remember lots of IDs and passwords, but when you give up control of your data, you give up control of your future.
>
> Normal people aren't going to remember enough passwords, let alone strong passwords, to make that control meaningful. I do get your point, but I bet that the best alternative is to give them one set of credentials and make it as strong as possible.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
Re: [Full-disclosure] OpenID. The future of authentication on the web?
> For instance, S0m3p4ss!### where ### is a 3-letter acronym for the site they are accessing. Still need only one password to remember and you don't necessarily have a single point of 0wnership anymore.

I've never understood this strategy. Once I compromise your S0m3p4ss!ama password for amazon.com, how long will it take me to figure out all your others?

Larry Seltzer
Re: [Full-disclosure] OpenID. The future of authentication on the web?
For the automated low-hanging-fruit attacks, they won't crack it. They're simply trawling for passwords, and rarely do they even think to cross-check. For someone to spend that kind of thought and attention, the victim has to be specifically targeted.

Now, to be fair, I only advocate that strategy for throwaway accounts. For instance, I don't really care if my account on Digg gets cracked; I do care if my bank account gets cracked. So I use the throwaway for Digg (or other sites that just don't matter if they are compromised) and something secure and unique for the banks and other important stuff. The alternative is that someone uses the same password for EVERYTHING: crack some forum and you've got bank account passwords too.

Long-winded, but I'm not sure there's much OpenID would provide authentication for that I'd care about (admittedly I haven't looked in detail).

On Mon, Mar 24, 2008 at 9:58 AM, Larry Seltzer [EMAIL PROTECTED] wrote:
> [...]
Re: [Full-disclosure] OpenID. The future of authentication on the web?
--On Monday, March 24, 2008 09:13:38 Petko D. Petkov [EMAIL PROTECTED] wrote:
>> Yes, and convenience is often the enemy of security.
>
> Not always. I think complexity is the enemy of security. The simpler the system is, the less chance there is to screw up, and the more secure it is. It is much easier to secure a single port than a class B network, don't you think?

Of course. Both complexity *and* convenience are often the enemies of security. :-)

> First of all, we've proved time and time again that people do reuse passwords. Password reuse is a huge problem, and it is due to our inefficiency at memorizing partial information which is not associated with anything substantial. In psychology this is known as the process of anchoring, and if you master how to anchor then you can master memorizing large sets of useless data without getting corrupted sectors in your brain. A good start is reading Derren Brown's book Tricks of the Mind.

I don't disagree.

> On another note, capturing my OpenID credentials wouldn't be as easy as you say. First of all, if the OpenID provider has a valid, authorized SSL certificate you won't even be able to see when creds are flying around. Second, I've mentioned one-time passwords in terms of keyfobs, RSA tokens, whatever. Even if you capture these credentials you won't be able to use them, and believe me, carrying one keyfob just for your OpenID provider is a lot easier than having what they call a keyfob necklace in order to ensure good security for every single site you visit. I think that VeriSign provides an OpenID service which is based on all that.

VeriSign *requires* only alpha-numeric characters for my password for my *CA ADMIN* account for our PKI system. That should tell you something about their dedication to security.

> Last but not least, let's say that you have access to the machine or network and you can sniff the cookies and as such get access to the OpenID account. Well, some OpenID providers have features where you can configure the account to automatically destroy the session cookie once an OpenID authentication is authorized. Your best chance is to sniff or attack the sites the user is logging into, but any problems associated with them are not problems within OpenID, and they will work independently of the authorization/identification mechanism.

Getting access inside networks these days is trivial. There are hundreds and hundreds of compromised machines inside of corporate networks due to phishing scams and the ignorance of the average user. Furthermore, you can get access to at least 10% of the machines on any network simply by logging in as administrator or root (pick your OS) using either blank, password or root/administrator as the password. Add to that hundreds of trivial SQL injection attacks and other easy attacks, and most networks are like Swiss cheese. Once you're on one box inside, you can roam around freely and find a way to capture ID information in the clear.

> Well, PayPal is a lot more secure when it comes to money transfers/transactions. Do you feel comfortable giving away your credit card details to every single merchant from which you want to purchase some goods? I don't!

You frame the question wrong. The real question is, do I feel comfortable exposing $50 to risk by using a credit card, or exposing every dollar I've deposited with PayPal to risk? And the $50 is waived if the vendor is culpable for the loss. I scanned a card through a gas pump while on a vacation trip last year. Within two hours someone had charged $1005 on that card. It cost me nothing. The charges were reversed, because it was clearly fraud. (I was in South Carolina - timestamped just two hours before - the charge was in El Paso.) The credit card industry is quite robust and equipped to handle fraud. What happens when an OpenID account is compromised and *every* account is drained and thousands of dollars are charged and *according to OpenID* it was me?

> Well, roll your own OpenID service. It takes 5 minutes and a couple of lines of PHP and you can make it as secure as you want. Isn't that much better than trusting every single login prompt you see?

No, it's not, because a poorly secured site exposes only that data I have revealed to them. OpenID opens a whole new realm of theft. But don't take my word for it. Just wait for the first big scam to occur. First I phish your credentials. Or I induce you into installing a trojan on your box. Then I get your OpenID username and password. Now I have everything. It *will* happen.

> True, but as I mentioned above and in my previous email, you can spend good time securing your OpenID to the extent it is not feasible for someone to attack it. We know that all encryption mechanisms are vulnerable to brute force attacks, but is it feasible to crack them? No, not at all. Not now! Maybe when we get to personal quantum computing we might have a chance, but by
Re: [Full-disclosure] OpenID. The future of authentication on the web?
Well, in my case it's easy... how many people do you know named John Bambenek (my father doesn't count)? :)

I was just speaking about passwords in that case; presumably people can remember their email addresses.

On Mon, Mar 24, 2008 at 10:17 AM, Petko D. Petkov [EMAIL PROTECTED] wrote:
> What about usernames? You still need to keep track of your usernames, since sometimes your preferred username is either taken or not possible, or you need to log in via email or any other peculiarity the site supports.
>
> On Mon, Mar 24, 2008 at 2:43 PM, John C. A. Bambenek, GCIH, CISSP [EMAIL PROTECTED] wrote:
>> [...]
Re: [Full-disclosure] OpenID. The future of authentication on the web?
on your last comment, OpenID is exactly designed for that! To give the power back to the user!

On Mon, Mar 24, 2008 at 3:10 PM, Paul Schmehl [EMAIL PROTECTED] wrote:
> --On Monday, March 24, 2008 09:13:38 + Petko D. Petkov [EMAIL PROTECTED] wrote:
> > > Yes, and convenience is often the enemy of security.
> >
> > Not always. I think complexity is the enemy of security. The simpler the system is, the less chance to screw up, the more secure it is. It is much easier to secure a single port than a class B network, don't you think?
>
> Of course. Both complexity *and* convenience are often the enemies of security. :-)
>
> > First of all, we've proved time and time again that people do reuse passwords. Password reuse is a huge problem and it is due to our inefficiency at memorizing partial information which is not associated with anything substantial. In psychology this is known as the process of anchoring, and if you master how to anchor then you can master memorizing large sets of useless data without getting corrupted sectors in your brain. A good start is reading Derren Brown's book Tricks of the Mind.
>
> I don't disagree.
>
> > On another note, capturing my OpenID credentials wouldn't be as easy as you say. First of all, if the OpenID provider has a valid, authorized SSL certificate you won't even be able to see when creds are flying around. Second, I've mentioned one-time passwords in terms of keyfobs, RSA tokens, whatever. Even if you capture these credentials you won't be able to use them, and believe me, carrying one keyfob just for your OpenID provider is a lot easier than having what they call a keyfob necklace in order to ensure good security for every single site you visit. I think that VeriSign provides an OpenID service which is based on all that.
>
> VeriSign *requires* only alpha-numeric characters for my password for my *CA ADMIN* account for our PKI system. That should tell you something about their dedication to security.
>
> > Last but not least, let's say that you have access to the machine or network and you can sniff the cookies and as such get access to the OpenID account. Well, some OpenID providers have features where you can configure the account to automatically destroy the session cookie once an OpenID authentication is authorized. Your best chance is to sniff or attack the sites where the user is logging in, but any problems associated with them are not problems within OpenID and they will work independently of the authorization/identification mechanism.
>
> Getting access inside networks these days is trivial. There are hundreds and hundreds of compromised machines inside of corporate networks due to phishing scams and the ignorance of the average user. Furthermore, you can get access to at least 10% of the machines on any network simply by logging in as administrator or root (pick your OS) using either blank, password or root/administrator as the password. Add to that hundreds of trivial SQL injection attacks and other easy attacks, and most networks are like Swiss cheese. Once you're on one box inside, you can roam around freely and find a way to capture id information in the clear.
>
> > Well, PayPal is a lot more secure when it comes to money transfers/transactions. Do you feel comfortable giving away your credit card details to every single merchant from which you want to purchase some goods? I don't!
>
> You frame the question wrong. The real question is, do I feel comfortable exposing $50 to risk by using a credit card, or exposing every dollar I've deposited with PayPal to risk? And the $50 is waived if the vendor is culpable for the loss. I scanned a card through a gas pump while on a vacation trip last year. Within two hours someone had charged $1005 on that card. It cost me nothing. The charges were reversed, because it was clearly fraud. (I was in South Carolina - timestamped just two hours before - the charge was in El Paso.)
>
> The credit card industry is quite robust and equipped to handle fraud. What happens when an OpenID account is compromised and *every* account is drained and thousands of dollars are charged and *according to OpenID* it was me?
>
> > Well, roll your own OpenID service. It takes 5 minutes and a couple of lines of PHP and you can make it as secure as you want. Isn't that much better than trusting every single login prompt you see?
>
> No, it's not, because a poorly secured site exposes only that data I have revealed to them. OpenID opens a whole new realm of theft. But don't take my word for it. Just wait for the first big scam to occur. First I phish your credentials. Or I induce you into installing a trojan on your box. Then I get your OpenID username and password. Now I have everything. It *will* happen.

true but as I mentioned above and in my
Re: [Full-disclosure] OpenID. The future of authentication on the web?
I'm not saying OpenID is more convenient and has benefits... I was just saying there are conventions to make passwords unique per-site. So if you don't mind getting past the single point of 0wnership, then OpenID is good to go. Me, I don't trust technology.

On Mon, Mar 24, 2008 at 10:27 AM, Petko D. Petkov [EMAIL PROTECTED] wrote:
> as I said, some websites ask you for a username regardless of whether that will be an email address. And unfortunately a username is not unique throughout the Web, which means that if your username is john-bambenek on one system it could be completely different on another system due to the fact that some vendors don't like the "-", or they don't like the length, or they ask you to have a number in the username, or even they provide you with such. So keeping track of usernames is as hard as keeping track of passwords. Put them all together and then you will experience the pain. On the other hand OpenID provides you with a unique ID. Only you can use it on every system without the need to worry.
>
> On Mon, Mar 24, 2008 at 3:22 PM, John C. A. Bambenek, GCIH, CISSP [EMAIL PROTECTED] wrote:
> > Well in my case it's easy... how many people do you know named John Bambenek (my father doesn't count)? :)
> >
> > I was just speaking about passwords in that case, presumably people can remember their email addresses.
> >
> > On Mon, Mar 24, 2008 at 10:17 AM, Petko D. Petkov [EMAIL PROTECTED] wrote:
> > > what about usernames? you still need to keep track of your usernames since sometimes your preferred username is either taken or not possible, or you need to login via email or any other peculiarity the site supports.
> > >
> > > On Mon, Mar 24, 2008 at 2:43 PM, John C. A. Bambenek, GCIH, CISSP [EMAIL PROTECTED] wrote:
> > > > I would disagree. One could simply create a template password and then salt it with some acronym for the site in question. For instance, S0m3p4ss!### where ### is a 3-letter acronym for the site they are accessing. Still need only one password to remember and you don't necessarily have a single point of 0wnership anymore.
> > > >
> > > > On Sun, Mar 23, 2008 at 7:04 PM, Larry Seltzer [EMAIL PROTECTED] wrote:
> > > > > I understand the attractiveness of not having to remember lots of IDs and passwords, but when you give up control of your data, you give up control of your future.
> > > > >
> > > > > Normal people aren't going to remember enough passwords, let alone strong passwords, to make that control meaningful. I do get your point, but I bet that the best alternative is to give them one set of credentials and make it as strong as possible.
> > > > >
> > > > > Larry Seltzer
> > > > > eWEEK.com Security Center Editor
> > > > > http://security.eweek.com/
> > > > > http://blogs.pcmag.com/securitywatch/
> > > > > Contributing Editor, PC Magazine
> > > > > [EMAIL PROTECTED]
Re: [Full-disclosure] OpenID. The future of authentication on the web?
When it comes to IT... the user is the *last* person I want empowered.

On Mon, Mar 24, 2008 at 10:21 AM, Petko D. Petkov [EMAIL PROTECTED] wrote:
> on your last comment, OpenID is exactly designed for that! To give the power back to the user!
>
> On Mon, Mar 24, 2008 at 3:10 PM, Paul Schmehl [EMAIL PROTECTED] wrote:
> > --On Monday, March 24, 2008 09:13:38 + Petko D. Petkov [EMAIL PROTECTED] wrote:
> > > > Yes, and convenience is often the enemy of security.
> > >
> > > Not always. I think complexity is the enemy of security. The simpler the system is, the less chance to screw up, the more secure it is. It is much easier to secure a single port than a class B network, don't you think?
> >
> > Of course. Both complexity *and* convenience are often the enemies of security. :-)
> >
> > > First of all, we've proved time and time again that people do reuse passwords. Password reuse is a huge problem and it is due to our inefficiency at memorizing partial information which is not associated with anything substantial. In psychology this is known as the process of anchoring, and if you master how to anchor then you can master memorizing large sets of useless data without getting corrupted sectors in your brain. A good start is reading Derren Brown's book Tricks of the Mind.
> >
> > I don't disagree.
> >
> > > On another note, capturing my OpenID credentials wouldn't be as easy as you say. First of all, if the OpenID provider has a valid, authorized SSL certificate you won't even be able to see when creds are flying around. Second, I've mentioned one-time passwords in terms of keyfobs, RSA tokens, whatever. Even if you capture these credentials you won't be able to use them, and believe me, carrying one keyfob just for your OpenID provider is a lot easier than having what they call a keyfob necklace in order to ensure good security for every single site you visit. I think that VeriSign provides an OpenID service which is based on all that.
> >
> > VeriSign *requires* only alpha-numeric characters for my password for my *CA ADMIN* account for our PKI system. That should tell you something about their dedication to security.
> >
> > > Last but not least, let's say that you have access to the machine or network and you can sniff the cookies and as such get access to the OpenID account. Well, some OpenID providers have features where you can configure the account to automatically destroy the session cookie once an OpenID authentication is authorized. Your best chance is to sniff or attack the sites where the user is logging in, but any problems associated with them are not problems within OpenID and they will work independently of the authorization/identification mechanism.
> >
> > Getting access inside networks these days is trivial. There are hundreds and hundreds of compromised machines inside of corporate networks due to phishing scams and the ignorance of the average user. Furthermore, you can get access to at least 10% of the machines on any network simply by logging in as administrator or root (pick your OS) using either blank, password or root/administrator as the password. Add to that hundreds of trivial SQL injection attacks and other easy attacks, and most networks are like Swiss cheese. Once you're on one box inside, you can roam around freely and find a way to capture id information in the clear.
> >
> > > Well, PayPal is a lot more secure when it comes to money transfers/transactions. Do you feel comfortable giving away your credit card details to every single merchant from which you want to purchase some goods? I don't!
> >
> > You frame the question wrong. The real question is, do I feel comfortable exposing $50 to risk by using a credit card, or exposing every dollar I've deposited with PayPal to risk? And the $50 is waived if the vendor is culpable for the loss. I scanned a card through a gas pump while on a vacation trip last year. Within two hours someone had charged $1005 on that card. It cost me nothing. The charges were reversed, because it was clearly fraud. (I was in South Carolina - timestamped just two hours before - the charge was in El Paso.)
> >
> > The credit card industry is quite robust and equipped to handle fraud. What happens when an OpenID account is compromised and *every* account is drained and thousands of dollars are charged and *according to OpenID* it was me?
> >
> > > Well, roll your own OpenID service. It takes 5 minutes and a couple of lines of PHP and you can make it as secure as you want. Isn't that much better than trusting every single login prompt you see?
> >
> > No, it's not, because a poorly secured site exposes only that data I have revealed to them. OpenID opens a whole new realm of theft. But don't take my word for it. Just wait
Re: [Full-disclosure] OpenID. The future of authentication on the web?
as I said, some websites ask you for a username regardless of whether that will be an email address. And unfortunately a username is not unique throughout the Web, which means that if your username is john-bambenek on one system it could be completely different on another system due to the fact that some vendors don't like the "-", or they don't like the length, or they ask you to have a number in the username, or even they provide you with such. So keeping track of usernames is as hard as keeping track of passwords. Put them all together and then you will experience the pain. On the other hand OpenID provides you with a unique ID. Only you can use it on every system without the need to worry.

On Mon, Mar 24, 2008 at 3:22 PM, John C. A. Bambenek, GCIH, CISSP [EMAIL PROTECTED] wrote:
> Well in my case it's easy... how many people do you know named John Bambenek (my father doesn't count)? :)
>
> I was just speaking about passwords in that case, presumably people can remember their email addresses.
>
> On Mon, Mar 24, 2008 at 10:17 AM, Petko D. Petkov [EMAIL PROTECTED] wrote:
> > what about usernames? you still need to keep track of your usernames since sometimes your preferred username is either taken or not possible, or you need to login via email or any other peculiarity the site supports.
> >
> > On Mon, Mar 24, 2008 at 2:43 PM, John C. A. Bambenek, GCIH, CISSP [EMAIL PROTECTED] wrote:
> > > I would disagree. One could simply create a template password and then salt it with some acronym for the site in question. For instance, S0m3p4ss!### where ### is a 3-letter acronym for the site they are accessing. Still need only one password to remember and you don't necessarily have a single point of 0wnership anymore.
> > >
> > > On Sun, Mar 23, 2008 at 7:04 PM, Larry Seltzer [EMAIL PROTECTED] wrote:
> > > > I understand the attractiveness of not having to remember lots of IDs and passwords, but when you give up control of your data, you give up control of your future.
> > > >
> > > > Normal people aren't going to remember enough passwords, let alone strong passwords, to make that control meaningful. I do get your point, but I bet that the best alternative is to give them one set of credentials and make it as strong as possible.
Re: [Full-disclosure] OpenID. The future of authentication on the web?
comments inlined

On Mon, Mar 24, 2008 at 3:10 PM, Paul Schmehl [EMAIL PROTECTED] wrote:
> --On Monday, March 24, 2008 09:13:38 + Petko D. Petkov [EMAIL PROTECTED] wrote:
> > > Yes, and convenience is often the enemy of security.
> >
> > Not always. I think complexity is the enemy of security. The simpler the system is, the less chance to screw up, the more secure it is. It is much easier to secure a single port than a class B network, don't you think?
>
> Of course. Both complexity *and* convenience are often the enemies of security. :-)
>
> > First of all, we've proved time and time again that people do reuse passwords. Password reuse is a huge problem and it is due to our inefficiency at memorizing partial information which is not associated with anything substantial. In psychology this is known as the process of anchoring, and if you master how to anchor then you can master memorizing large sets of useless data without getting corrupted sectors in your brain. A good start is reading Derren Brown's book Tricks of the Mind.
>
> I don't disagree.
>
> > On another note, capturing my OpenID credentials wouldn't be as easy as you say. First of all, if the OpenID provider has a valid, authorized SSL certificate you won't even be able to see when creds are flying around. Second, I've mentioned one-time passwords in terms of keyfobs, RSA tokens, whatever. Even if you capture these credentials you won't be able to use them, and believe me, carrying one keyfob just for your OpenID provider is a lot easier than having what they call a keyfob necklace in order to ensure good security for every single site you visit. I think that VeriSign provides an OpenID service which is based on all that.
>
> VeriSign *requires* only alpha-numeric characters for my password for my *CA ADMIN* account for our PKI system. That should tell you something about their dedication to security.
>
> > Last but not least, let's say that you have access to the machine or network and you can sniff the cookies and as such get access to the OpenID account. Well, some OpenID providers have features where you can configure the account to automatically destroy the session cookie once an OpenID authentication is authorized. Your best chance is to sniff or attack the sites where the user is logging in, but any problems associated with them are not problems within OpenID and they will work independently of the authorization/identification mechanism.
>
> Getting access inside networks these days is trivial. There are hundreds and hundreds of compromised machines inside of corporate networks due to phishing scams and the ignorance of the average user. Furthermore, you can get access to at least 10% of the machines on any network simply by logging in as administrator or root (pick your OS) using either blank, password or root/administrator as the password. Add to that hundreds of trivial SQL injection attacks and other easy attacks, and most networks are like Swiss cheese. Once you're on one box inside, you can roam around freely and find a way to capture id information in the clear.

SSL + keyfob (2-factor authentication) + session destruction after authorization - I don't think that you can do anything useful with that. If the OpenID provider does not have any SQL injection or other problems such as auth-bypass, it is mission impossible. And even if the site is vulnerable to some bugs, that has nothing to do with OpenID.

> > Well, PayPal is a lot more secure when it comes to money transfers/transactions. Do you feel comfortable giving away your credit card details to every single merchant from which you want to purchase some goods? I don't!
>
> You frame the question wrong. The real question is, do I feel comfortable exposing $50 to risk by using a credit card, or exposing every dollar I've deposited with PayPal to risk? And the $50 is waived if the vendor is culpable for the loss. I scanned a card through a gas pump while on a vacation trip last year. Within two hours someone had charged $1005 on that card. It cost me nothing. The charges were reversed, because it was clearly fraud. (I was in South Carolina - timestamped just two hours before - the charge was in El Paso.)
>
> The credit card industry is quite robust and equipped to handle fraud. What happens when an OpenID account is compromised and *every* account is drained and thousands of dollars are charged and *according to OpenID* it was me?

Paul, that's cool. You are covered. :) What about the inconvenience? What if someone withdraws all your funds right at the end of the month and you have no money for a couple of days? You know that it takes time to detect fraud and there are all sorts of complications around that.

> > Well, roll your own OpenID service. It takes 5 minutes and a couple of lines with PHP and you can make it as secure as
Re: [Full-disclosure] OpenID. The future of authentication on the web?
what about usernames? you still need to keep track of your usernames since sometimes your preferred username is either taken or not possible, or you need to login via email or any other peculiarity the site supports.

On Mon, Mar 24, 2008 at 2:43 PM, John C. A. Bambenek, GCIH, CISSP [EMAIL PROTECTED] wrote:
> I would disagree. One could simply create a template password and then salt it with some acronym for the site in question. For instance, S0m3p4ss!### where ### is a 3-letter acronym for the site they are accessing. Still need only one password to remember and you don't necessarily have a single point of 0wnership anymore.
>
> On Sun, Mar 23, 2008 at 7:04 PM, Larry Seltzer [EMAIL PROTECTED] wrote:
> > I understand the attractiveness of not having to remember lots of IDs and passwords, but when you give up control of your data, you give up control of your future.
> >
> > Normal people aren't going to remember enough passwords, let alone strong passwords, to make that control meaningful. I do get your point, but I bet that the best alternative is to give them one set of credentials and make it as strong as possible.
Re: [Full-disclosure] OpenID. The future of authentication on the web?
Wanted the below to go to the list.

- Abe Getchell
[EMAIL PROTECTED]
http://abegetchell.com/

Forwarded Message
From: Abe Getchell [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Paul Schmehl [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] OpenID. The future of authentication on the web?
Date: Mon, 24 Mar 2008 10:27:48 -0400

On Sun, 2008-03-23 at 17:37 -0500, Paul Schmehl wrote:
> Yes, and convenience is often the enemy of security.

Convenience is not necessarily the enemy of security; rather, a fine line exists between usability (of which convenience is a component) and security. What is considered an acceptable risk when balancing the two is a personal viewpoint or company policy.

> However, with OpenID, all I have to do is figure out how to capture your credentials (which does not require that I compromise OpenID), and I can own everything that you own. At least with the disparate systems we have now you only get those things where I've been foolish enough to use the same credentials. Even then you have to figure out what those systems are. With OpenID I simply try every site that uses OpenID, trivial to do programmatically.

Let's compare OpenID and your home security. The OpenID technology is much like the key/lock combination on the external door(s) of your home. You have one key (username/password) that allows only you access to your entire home and all of the belongings inside (personal information). Having separate lockable doors which require a different key between each room in your home is comparable to having a separate username/password for every website to which you have access. The differences in usability and security, in both cases, are obvious. You trust the security of your belongings and family to the single key/lock combination on the front of your home; why wouldn't you trust the security of your personal information online to a comparable system? A credit report is much easier to clean up than the blood of a family member. Extreme and gruesome, yes, but there's truth in that statement.

> The problem is, I have to trust the OpenID provider to both secure his/her systems and hire trustworthy help. I have to do the same locally, but I have a great deal more control and ability to monitor.

When was the last time you had a copy of your key made at the local hardware store? How do you know they are not making an extra copy? Did they do a background check on the individual who is making the copy? What about the previous owners or renters of your home? Did the person who owned or rented the home previously return or destroy the keys? Did they make any copies and give them to anyone else? Did the person that made those copies make any extras? You have less control than you think.

I understand your concerns in concept and appreciate the paranoia. It's what makes good security people good security people. When it comes down to it, though, you have to take on a certain amount of risk to make a system usable and available by end-users. I really hope that the industry starts to center their discussions about this technology around mitigating these risks rather than simply stating that the idea is a bad one.
[Full-disclosure] OpenID. The future of authentication on the web?
Hello list,

I'm curious what the group thinks about the recent surge in support for OpenID across the web and the impact it will have.

1) Beemba - http://www.beemba.com
2) ClaimID - http://www.claimid.com
3) MyOpenID - http://www.myopenid.com
4) Many others...

These sites are gaining in popularity quickly, and with the announcements of support from big players Yahoo, AOL, Microsoft and Google, combined with smaller web2.0 celeb-run sites like Digg, OpenID appears to be what will eventually be the norm. Thoughts?

I've also noticed that many of these sites are bundling Information Card support (CardSpace on Windows). Sounds like a good idea as it complements OpenID and helps address some weaknesses. Again, any thoughts?

I'm really just interested in a dialog.

-sr

Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs
Re: [Full-disclosure] OpenID. The future of authentication on the web?
--On Sunday, March 23, 2008 5:18 AM -0700 Steven Rakick [EMAIL PROTECTED] wrote:
> Hello list,
>
> I'm curious what the group thinks about the recent surge in support for OpenID across the web and the impact it will have.
>
> 1) Beemba - http://www.beemba.com
> 2) ClaimID - http://www.claimid.com
> 3) MyOpenID - http://www.myopenid.com
> 4) Many others...
>
> These sites are gaining in popularity quickly, and with the announcements of support from big players Yahoo, AOL, Microsoft and Google, combined with smaller web2.0 celeb-run sites like Digg, OpenID appears to be what will eventually be the norm. Thoughts?

In general, I am opposed to anything that encourages people to use the same id and password across multiple domains. The potential for complete compromise of everything you have/own/are is too great.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] OpenID. The future of authentication on the web?
There're more complications: whoever owns/controls the service can track your movements between different webplaces, profiling your common habits/preferences. How long before banners will follow your navigation through different websites where you use the same identity token?

CtrlAltCa

Paul Schmehl wrote:
> In general, I am opposed to anything that encourages people to use the same id and password across multiple domains. The potential for complete compromise of everything you have/own/are is too great.
Re: [Full-disclosure] OpenID. The future of authentication on the web?
OpenID represents (at least to the OSS world) the unified login structure that has been the proprietary advantage of Microsoft for so long. This will be an excellent technology for businesses to use internally (who control their own servers and services). It allows the capabilities of Single Sign On (SSO) to find a wider audience.

I did use OpenID for a few services . . . it was nice, but I began to worry about outages on the OpenID server. If that server goes down, I may not be able to log on to anything.

But in response to the previous statement:

> In general, I am opposed to anything that encourages people to use the same id and password across multiple domains. The potential for complete compromise of everything you have/own/are is too great.

In part I do agree. SSO can be dangerous, but it can also benefit the end user. As an example: I have 15 websites that I use; banking, gmail, forums, etc. Many people ALREADY have ONE or TWO password and user name combinations for all of these websites. If there is a compromise in the database of a forum that I use, the recipients of this data now have my bank account login as well as many other valid logins. From my understanding this scenario would not be possible with OpenID; all of the password hashes are stored on the OpenID servers, not in separate databases on each website that I access. But now, because of the lack of unified auditing (OpenID keeps track of the authentication attempts) and my inability to change passwords on all of the sites that I access at the same time, I have to go to every web site that I access and change my user name and password.

As far as the general public is concerned . . . I would recommend it in limited use cases until the technology becomes more distributed and mature. The reliance on One Login to Rule Them All can be very dangerous.

Ideally the best way to go about this would be to create a replication system (like DNS or USENET) where an update on one server is then made available to all servers connected to the OpenID network (that network being worldwide, and moving transparently across political and business borders). But then OpenID can become a means to control access to services. Imagine worst case scenarios: rogue OpenID servers, governments denying access to seditious users, identity theft on a grand scale, etc.

That being said, these scenarios (and many more) will keep Full Disclosure and Computer Security Experts in business for a long, long time. As computers move away from a standalone platform and towards an always networked application interface, we will need this OpenID model. But it needs a lot of work, and a lot of field testing.

--Joseph Kern

On Sun, Mar 23, 2008 at 11:50 AM, Paul Schmehl [EMAIL PROTECTED] wrote:
> --On Sunday, March 23, 2008 5:18 AM -0700 Steven Rakick [EMAIL PROTECTED] wrote:
> > Hello list,
> >
> > I'm curious what the group thinks about the recent surge in support for OpenID across the web and the impact it will have.
> >
> > 1) Beemba - http://www.beemba.com
> > 2) ClaimID - http://www.claimid.com
> > 3) MyOpenID - http://www.myopenid.com
> > 4) Many others...
> >
> > These sites are gaining in popularity quickly, and with the announcements of support from big players Yahoo, AOL, Microsoft and Google, combined with smaller web2.0 celeb-run sites like Digg, OpenID appears to be what will eventually be the norm. Thoughts?
>
> In general, I am opposed to anything that encourages people to use the same id and password across multiple domains. The potential for complete compromise of everything you have/own/are is too great.
Re: [Full-disclosure] OpenID. The future of authentication on the web?
Hi Steven,

I guess most 1337 hax0rs will flame you on this list. There are good security blogs you can follow and learn from instead. Full-disclosure is for rants and bashing only!

I can point you to some articles that I wrote regarding OpenID; however, let me share my thoughts quickly as that will save you some time, and of course if you are still curious you can go research further.

First of all, OpenID is a very simple but rather useful technology. With OpenID you have only one account, your ID, which you can use everywhere the OpenID technology is supported. It is not clear whether this setup is more secure than what we have at the moment (every site forces you to register a unique username/password pair) but it is definitely more convenient.

The first argument for OpenID is that the more you share your secrets, credit card information, usernames, passwords, the higher the chances of this information being leaked or stolen. On the other hand, OpenID is prone to phishing attacks so user education is required.

Think about OpenID as the equivalent of PayPal for authentication. In theory, it is more secure to pay through PayPal as you are not sharing your credit card information with everyone else but a single provider.

I am all for OpenID as you can spend good time on securing a single system. If the OpenID provider is not vulnerable to common Web attacks and it provides good privacy mechanisms such as SSL, on top of which are built good authentication features such as one-time tokens, etc., then OpenID is the preferable choice. Keep in mind though, that if your OpenID account is hacked, the attacker will be able to login as you anywhere they want. This is the main concern and disadvantage.

pdp

P.S. dear list, the only reason I am not priv-messaging Steven is because I believe that there are other people who are interested in this topic. So, instead of wasting valuable resources and energy answering everyone individually, I've decided to do it once, hoping that this message will be seen by others. Thanks!

On Sun, Mar 23, 2008 at 12:18 PM, Steven Rakick [EMAIL PROTECTED] wrote:
> Hello list,
>
> I'm curious what the group thinks about the recent surge in support for OpenID across the web and the impact it will have.
>
> 1) Beemba - http://www.beemba.com
> 2) ClaimID - http://www.claimid.com
> 3) MyOpenID - http://www.myopenid.com
> 4) Many others...
>
> These sites are gaining in popularity quickly, and with the announcements of support from big players Yahoo, AOL, Microsoft and Google, combined with smaller web2.0 celeb-run sites like Digg, OpenID appears to be what will eventually be the norm. Thoughts?
>
> I've also noticed that many of these sites are bundling Information Card support (CardSpace on Windows). Sounds like a good idea as it complements OpenID and helps address some weaknesses. Again, any thoughts?
>
> I'm really just interested in a dialog.
>
> -sr
Re: [Full-disclosure] OpenID. The future of authentication on the web?
That's right, pdp - go run to your protected lists and blogs where you don't have to hear anything negative and where you can flame people without contest who talk against you. You are another Bill O'Reilly and everyone thinks of you as such. Enjoy your sheep.
Re: [Full-disclosure] OpenID. The future of authentication on the web?
--On March 23, 2008 2:52:53 PM + Petko D. Petkov [EMAIL PROTECTED] wrote:

> First of all, OpenID is a very simple but rather useful technology. With OpenID you have only one account, your ID, which you can use everywhere the OpenID technology is supported. It is not clear whether this setup is more secure than what we have at the moment (every site forces you to register a unique username/password pair) but it is definitely more convenient.

Yes, and convenience is often the enemy of security.

> The first argument for OpenID is that the more you share your secrets (credit card information, usernames, passwords), the higher the chance this information will be leaked or stolen. On the other hand, OpenID is prone to phishing attacks, so user education is required.

However, with OpenID, all I have to do is figure out how to capture your credentials (which does not require that I compromise OpenID), and I can own everything that you own. At least with the disparate systems we have now you only get those things where I've been foolish enough to use the same credentials. Even then you have to figure out what those systems are. With OpenID I simply try every site that uses OpenID, trivial to do programmatically.

> Think about OpenID as the equivalent of PayPal for authentication. In theory, it is more secure to pay through PayPal as you are not sharing your credit card information with everyone else but a single provider.

There's a reason I don't use PayPal..

> I am all for OpenID as you can spend good time on securing a single system. If the OpenID provider is not vulnerable to common Web attacks and it provides good privacy mechanisms such as SSL, on top of which are built good authentication features such as one-time tokens, etc., then OpenID is the preferable choice.

The problem is, I have to trust the OpenID provider to both secure his/her systems and hire trustworthy help. I have to do the same locally, but I have a great deal more control and ability to monitor.

> Keep in mind though, that if your OpenID account is hacked, the attacker will be able to log in as you anywhere they want. This is the main concern and disadvantage.

And that is a *huge* disadvantage.

Now, there is no doubt that we need better user education. Users *must* learn not to trust everything they get in email. They must also learn to use good passwords and not reuse them on every site they visit. There's also no doubt that some sites will do a lousy job of security and end up exposing a person's credentials (which is why you should use different credentials on every site.) We also need some sites to do a better job of requiring strong passwords. (Some still require only alpha-numeric characters and too few maximum characters.)

But the idea that SSO makes sense outside the context of a single entity that controls its userbase is misbegotten, in my opinion. The individual *user* should control their credentials, not some foreign entity, no matter how trustworthy they may claim to be.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] OpenID. The future of authentication on the web?
It's worth pointing out that some OpenID providers are better than others. An OpenID provider could implement 2-factor authentication, and some have (http://www.infrastructure.ziffdavisenterprise.com/c/a/Blogs/OpenID-In-Hardware/), or other features which could strengthen it.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]
Re: [Full-disclosure] OpenID. The future of authentication on the web?
Many of you have brought up that OpenID is vulnerable to phishing and have highlighted weaknesses specific to traditional username/password authentication. This was the main reason I brought up Information Cards in my original post.

I've noticed that Beemba (http://www.beemba.com) and MyOpenID (http://www.myopenid.com) have both implemented Information Cards as an authentication option. Good idea? It seems to me that if you were to rely on Information Cards as opposed to username/password the phishing angle is mitigated. Is this not the case?

-sr
Re: [Full-disclosure] OpenID. The future of authentication on the web?
--On March 23, 2008 4:16:28 PM -0700 Steven Rakick [EMAIL PROTECTED] wrote:

> Many of you have brought up that OpenID is vulnerable to phishing and have highlighted weaknesses specific to traditional username/password authentication. This was the main reason I brought up Information Cards in my original post.
>
> I've noticed that Beemba (http://www.beemba.com) and MyOpenID (http://www.myopenid.com) have both implemented Information Cards as an authentication option. Good idea? It seems to me that if you were to rely on Information Cards as opposed to username/password the phishing angle is mitigated. Is this not the case?

Beemba doesn't appear to have any online FAQ or help. MyOpenID points to further information which leads to this:

"With OpenID, you don’t have to sign up and create a new account for each site that supports OpenID – you can just use the identity you already have. Hundreds of millions of OpenIDs already exist, and it is likely that you already have one from a service you use."

Nice to know that someone is creating identities for me without my knowledge. With an ethical stance like that, why should I trust them to make my ID secure as well?

I don't see any information at all about Information Cards. Perhaps you could provide a link?

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] OpenID. The future of authentication on the web?
--On March 23, 2008 7:20:55 PM -0400 Larry Seltzer [EMAIL PROTECTED] wrote:

> It's worth pointing out that some OpenID providers are better than others. An OpenID provider could implement 2-factor authentication, and some have (http://www.infrastructure.ziffdavisenterprise.com/c/a/Blogs/OpenID-In-Hardware/), or other features which could strengthen it.

Yes, but you're still placing your trust, for all the most important information about yourself, in the hands of a third party. That third party's reputation relies on being able to deny a breach of their systems, so their primary motivation would not be to help you solve your problem but to deny that it was caused by them. Insisting, for example, that you used the system incorrectly is a favored tactic of providers who offer similar decoupled authentication schemes.

Given the choice between placing that trust in *one* provider, potentially exposing everything about myself, I think a system that relies on *me* to release my information voluntarily when I choose makes more sense from a security perspective. IOW, it is the owner of the data that should retain absolute control over that data. (And no, credit card companies don't own my data. Nor do merchants. I do. They have a responsibility to handle my data with the utmost care, and if they fail in their duty to protect, I have the ability to refuse to any longer do business with them.)

I understand the attractiveness of not having to remember lots of IDs and passwords, but when you give up control of your data, you give up control of your future.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] OpenID. The future of authentication on the web?
On 3/23/08, Larry Seltzer [EMAIL PROTECTED] wrote:

>> I understand the attractiveness of not having to remember lots of IDs and passwords, but when you give up control of your data, you give up control of your future.
>
> Normal people aren't going to remember enough passwords, let alone strong passwords, to make that control meaningful. I do get your point, but I bet that the best alternative is to give them one set of credentials and make it as strong as possible.

PasswordSafe/KeePass on a PDA, or something similar, can make up for poor memory.

Kurt
Re: [Full-disclosure] OpenID. The future of authentication on the web?
I'm not sure why it isn't on their home page any more. It used to be. Their FAQ is at: http://www.beemba.com/faq.aspx.

On Sun, Mar 23, 2008 at 8:46 PM, Paul Schmehl [EMAIL PROTECTED] wrote:

> --On March 23, 2008 8:04:41 PM -0400 Larry Seltzer [EMAIL PROTECTED] wrote:
>
>>> I understand the attractiveness of not having to remember lots of IDs and passwords, but when you give up control of your data, you give up control of your future.
>>
>> Normal people aren't going to remember enough passwords, let alone strong passwords, to make that control meaningful. I do get your point, but I bet that the best alternative is to give them one set of credentials and make it as strong as possible.
>
> I agree with your premise, Larry. It's the solution I object to. The correct solution, imo, is one that allows the user to retain control of their data. The password managers in browsers are an early attempt at this. Mac's File Vault is another.
>
> The correct solution, IMO, would be an encrypted password vault, stored on a USB drive and only available through the use of a password and some other form of identification (biometric, etc.) In other words, a combination of something you have and something you know, not something someone else has and something you know.
>
> If I'm carrying my passwords in encrypted form in a device I possess, I have complete control of who gets granted access to my data, and the compromise of any one vendor site that I visit will, at the worst, compromise the data I granted them access to.
>
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
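The two-factor USB vault Paul describes above (something you have plus something you know), as an added example that is not code from anyone in the thread: the vault keys are derived from the password together with a random secret that lives only on the device, so a phished password without the stick, or a stolen stick without the password, is refused. The HMAC-SHA256 counter-mode cipher, the 100,000-iteration PBKDF2 parameter and the sample site names are my own constructions, chosen so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import os

# Constructed sample data: credentials the user keeps on the USB stick instead of handing one provider the keys to every site.
SAMPLE_VAULT = {"shop.example": "tr0ub4dor&3", "mail.example": "battery staple"}

def derive_keys(password, device_secret, salt):
    """Mix 'something you know' (password) with 'something you have' (a random
    secret stored only on the USB device); neither alone reproduces the keys."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   device_secret + salt, 100_000, dklen=64)
    return material[:32], material[32:]  # encryption key, MAC key

def keystream(enc_key, nonce, length):
    """Counter-mode keystream with HMAC-SHA256 as the PRF, so the example runs on
    the standard library alone (illustrative, not a recommendation over AES-GCM)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

def seal_vault(vault, password, device_secret):
    """Encrypt the serialized vault as salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, device_secret, salt)
    plaintext = json.dumps(vault).encode("utf-8")
    body = salt + nonce + xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC

def open_vault(blob, password, device_secret):
    """Verify the tag before decrypting: a wrong password, a different device or
    a tampered byte is rejected with ValueError instead of yielding garbage."""
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = derive_keys(password, device_secret, salt)
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("vault rejected: wrong password, wrong device or tampered data")
    return json.loads(xor(ciphertext, keystream(enc_key, nonce, len(ciphertext))))

def unlock_attempts(password, device_secret):
    """Try each factor combination on a fresh vault; only both together should open it."""
    blob = seal_vault(SAMPLE_VAULT, password, device_secret)
    attempts = {"both": (password, device_secret),
                "password only": (password, os.urandom(32)),      # phished password, no stick
                "device only": ("wrong guess", device_secret)}    # stolen stick, unknown password
    results = {}
    for label, (pw, dev) in attempts.items():
        try:
            results[label] = open_vault(blob, pw, dev) == SAMPLE_VAULT
        except ValueError:
            results[label] = False
    return results
```

Calling `unlock_attempts("hunter2", os.urandom(32))` returns `{'both': True, 'password only': False, 'device only': False}`; the 32-byte device secret would be generated once and written only to the USB device.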