Comments on: What is OpenID and why hasn’t it been setup correctly? http://www.thespanner.co.uk/2007/03/27/what-is-openid-and-why-hasnt-it-been-setup-correctly/ A tool for designers dealing with programmers dealing with designers... Fri, 12 Mar 2010 17:56:50 +0000 http://wordpress.org/?v=2.6.2 By: Gareth Heyes http://www.thespanner.co.uk/2007/03/27/what-is-openid-and-why-hasnt-it-been-setup-correctly/#comment-141 Gareth Heyes Wed, 25 Apr 2007 09:03:11 +0000 http://www.thespanner.co.uk/2007/03/27/what-is-openid-and-why-hasnt-it-been-setup-correctly/#comment-141 To help you understand the problem I suggest you look into CSRF attacks [1]. The major problem is that an attacker could create a page that could automatically execute actions on your behalf. Now some providers have provided protection against this and others haven't, even the ones that have provided protection it could still be possible to perform the attack. I suggest any providers reading this also read my other blog posting on how to prevent these sort of attacks [2] [1] http://en.wikipedia.org/wiki/Cross-site_request_forgery [2] http://www.thespanner.co.uk/2007/04/12/one-time-form-tokens/ To help you understand the problem I suggest you look into CSRF attacks [1]. The major problem is that an attacker could create a page that could automatically execute actions on your behalf.

Now some providers have provided protection against this and others haven’t, even the ones that have provided protection it could still be possible to perform the attack. I suggest any providers reading this also read my other blog posting on how to prevent these sort of attacks [2]

[1] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[2] http://www.thespanner.co.uk/2007/04/12/one-time-form-tokens/

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/03/27/what-is-openid-and-why-hasnt-it-been-setup-correctly/#comment-140 Gareth Heyes Wed, 25 Apr 2007 08:35:00 +0000 http://www.thespanner.co.uk/2007/03/27/what-is-openid-and-why-hasnt-it-been-setup-correctly/#comment-140 Ah yes but what if there is a problem with how that works? What if it was possible to automatically add that site to your "trusted" sites even though you've never visited it before. I have already proved that once with MyOpenID and I have found other providers to have the same problems. The fact is if you don't confirm a password on a site request, your OpenID service is less secure then if you did. Ah yes but what if there is a problem with how that works? What if it was possible to automatically add that site to your “trusted” sites even though you’ve never visited it before.

I have already proved that once with MyOpenID and I have found other providers to have the same problems. The fact is if you don’t confirm a password on a site request, your OpenID service is less secure then if you did.

]]> By: Snyke http://www.thespanner.co.uk/2007/03/27/what-is-openid-and-why-hasnt-it-been-setup-correctly/#comment-139 Snyke Tue, 24 Apr 2007 20:59:59 +0000 http://www.thespanner.co.uk/2007/03/27/what-is-openid-and-why-hasnt-it-been-setup-correctly/#comment-139 The thing is that most OpenID Providers provide a mechanism for you to choose which sites to trust and what information to disclose to a site. When I log in using my MyOpenID account to a site I've never visited before, I'm asked if I want to log in to it, and if they have requested a Nickname or Email, if I want to give it to them. After the first log in, the provider remembers my decision and forwards me directly. I can revoke my decision whenever I want to. The thing is that most OpenID Providers provide a mechanism for you to choose which sites to trust and what information to disclose to a site. When I log in using my MyOpenID account to a site I’ve never visited before, I’m asked if I want to log in to it, and if they have requested a Nickname or Email, if I want to give it to them. After the first log in, the provider remembers my decision and forwards me directly.
I can revoke my decision whenever I want to.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/03/27/what-is-openid-and-why-hasnt-it-been-setup-correctly/#comment-138 Gareth Heyes Wed, 11 Apr 2007 08:25:43 +0000 http://www.thespanner.co.uk/2007/03/27/what-is-openid-and-why-hasnt-it-been-setup-correctly/#comment-138 Well the point is that I think it would be possible for an attacker to force you to trust any site and also log onto any OpenID enabled web site. I don't see how my point could be any stronger or clearer. Well the point is that I think it would be possible for an attacker to force you to trust any site and also log onto any OpenID enabled web site. I don’t see how my point could be any stronger or clearer.

]]> By: Snyke http://www.thespanner.co.uk/2007/03/27/what-is-openid-and-why-hasnt-it-been-setup-correctly/#comment-137 Snyke Wed, 04 Apr 2007 17:26:00 +0000 http://www.thespanner.co.uk/2007/03/27/what-is-openid-and-why-hasnt-it-been-setup-correctly/#comment-137 I don't see your point, whether the password is remembered or not is up to the provider/user. Even better if the Server already recognizes me I won't be tricked into some phishing attacks (other sites emulating my OpenID provider), because the browser takes care of recognizing my Provider. The less I send my password over the net the better. And by the way the OpenID standard says that I have to prove to my Provider that it's actually me, and does not specify that this should be done using password, I could just as good use a public-private-key infrastructure. I don’t see your point, whether the password is remembered or not is up to the provider/user. Even better if the Server already recognizes me I won’t be tricked into some phishing attacks (other sites emulating my OpenID provider), because the browser takes care of recognizing my Provider. The less I send my password over the net the better. And by the way the OpenID standard says that I have to prove to my Provider that it’s actually me, and does not specify that this should be done using password, I could just as good use a public-private-key infrastructure.

]]>