WebApp Sec mailing list archives
RE: OpenID and the web
From: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon () ge com>
Date: Thu, 27 Mar 2008 11:31:03 -0400
Unfortunately another drawback is that SSO (in general) makes XSRF even more dangerous as logging in one malicious site or if you have a Trojan might compromise your data in several others sites and open the door to a chain reaction similar to the XSS worm for Myspaces. However SSO is a need for many people that anyway use password recycling to obtain the "same effect". If well used SSO could be beneficial as you can learn one single strong password than dozens of easy-to-remember. Notice the "if well used" at the beginning of the statement "there is no patch for stupidity" Regards, Juan Carlos Calderon -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Razi Shaban Sent: Jueves, 27 de Marzo de 2008 05:47 a.m. To: Babu.N Cc: Eric Marden; webappsec () securityfocus com Subject: Re: OpenID and the web On 3/27/08, Babu.N <babun () intoto com> wrote:
Yes, it is difficult to configure it for supporting sites. But it does save us from registering at multiple webistes & remembering the passwords of each of them.
It also makes it that much simpler for a malicious user to gain access to every account you have after getting the password for only one. If you use a different account name and password at every single website, then if one account is compromised then all your other accounts are safe. -- Razi ------------------------------------------------------------------------ - Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F ------------------------------------------------------------------------ - ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- OpenID and the web Steven Rakick (Mar 25)
- Re: OpenID and the web David Wall (Mar 25)
- Message not available
- Re: OpenID and the web David Wall (Mar 25)
- Message not available
- Re: OpenID and the web David Wall (Mar 25)
- Re: OpenID and the web Adrian Migraso (Mar 25)
- Re: OpenID and the web Eric Marden (Mar 26)
- Re: OpenID and the web Babu.N (Mar 26)
- Re: OpenID and the web Razi Shaban (Mar 27)
- Re: OpenID and the web Jeff Robertson (Mar 27)
- RE: OpenID and the web Calderon, Juan Carlos (GE, Corporate, consultant) (Mar 27)
- Re: OpenID and the web Lucas Oman (Mar 27)
- Re: OpenID and the web Razi Shaban (Mar 27)
- Re: OpenID and the web Babu.N (Mar 26)
- Re: OpenID and the web David Wall (Mar 27)
- Re: OpenID and the web Jeremiah Cornelius (Mar 27)
- RE: OpenID and the web Chris Grove (Mar 28)
- <Possible follow-ups>
- Re: OpenID and the web Pete Jansson (Mar 27)
- Re: OpenID and the web baldr (Mar 27)