Full Disclosure mailing list archives
Re: OpenID. The future of authentication on the web?
From: Paul Schmehl <pauls () utdallas edu>
Date: Sun, 23 Mar 2008 17:37:08 -0500
--On March 23, 2008 2:52:53 PM +0000 "Petko D. Petkov" <pdp.gnucitizen () googlemail com> wrote:
> First of all, OpenID is a very simple but rather useful technology. With OpenID you have only one account, your ID, which you can use everywhere the OpenID technology is supported. It is not clear whether this setup is more secure than what we have at the moment (every site forces you to register a unique username/password pair), but it is definitely more convenient.
Yes, and convenience is often the enemy of security.
> The first argument "for" OpenID is that the more you share your secrets, credit card information, usernames, passwords, the higher the chances of this information being leaked or stolen. On the other hand, OpenID is prone to phishing attacks, so user education is required.
However, with OpenID, all I have to do is figure out how to capture your credentials (which does not require that I compromise OpenID), and I can own everything that you own. At least with the disparate systems we have now you only get those things where I've been foolish enough to use the same credentials. Even then you have to figure out what those systems are. With OpenID I simply try every site that uses OpenID, trivial to do programmatically.
> Think about OpenID as the equivalent of PayPal for authentication. In theory, it is more secure to pay through PayPal as you are not sharing your credit card information with everyone else but a single provider.
There's a reason I don't use PayPal...
> I am all "for" OpenID as you can spend good time on securing a single system. If the OpenID provider is not vulnerable to common Web attacks and it provides good privacy mechanisms such as SSL, on top of which are built good authentication features such as one-time tokens, etc., then OpenID is the preferable choice.
The problem is, I have to trust the OpenID provider to both secure his/her systems and hire trustworthy help. I have to do the same locally, but I have a great deal more control and ability to monitor.
> Keep in mind though, that if your OpenID account is hacked, the attacker will be able to log in as you anywhere they want. This is the main concern and disadvantage.
And that is a *huge* disadvantage. Now, there is no doubt that we need better user education. Users *must* learn not to trust everything they get in email. They must also learn to use good passwords and not reuse them on every site they visit. There's also no doubt that some sites will do a lousy job of security and end up exposing a person's credentials (which is why you should use different credentials on every site.) We also need some sites to do a better job of requiring strong passwords. (Some still require only alpha-numeric characters and too few maximum characters.) But the idea that SSO makes sense outside the context of a single entity that controls its userbase is misbegotten, in my opinion. The individual *user* should control their credentials, not some "foreign" entity, no matter how trustworthy they may claim to be.

Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OpenID. The future of authentication on the web? Steven Rakick (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? fabio (Mar 23)
- Message not available
- Re: OpenID. The future of authentication on the web? Kern (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 23)
- Re: OpenID. The future of authentication on the web? reepex (Mar 23)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 23)
- Re: OpenID. The future of authentication on the web? Pedro Hugo (Mar 24)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 24)
- Re: OpenID. The future of authentication on the web? reepex (Mar 23)
- Re: OpenID. The future of authentication on the web? Kurt Buff (Mar 23)
- Re: OpenID. The future of authentication on the web? John C. A. Bambenek, GCIH, CISSP (Mar 24)
- Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 24)