[OpenID] [marketing] Fwd: OpenID Spoofing

Claus Färber gmane at faerber.muc.de
Thu Jan 18 17:31:13 UTC 2007


Dmitry Shechtman wrote:
>> If you don't follow a link but type in the URI manually or use a
>> bookmark, you're quite safe from phishes.
> Wrong. Google for DNS spoofing.

Quite safe, not 100% safe. DNS spoofing is hard to do without access to
the user's machine.
If you do have access to the user's machine, you can also install other
malware. If you can't trust the user's machine, you're simply lost
without external methods such as smartcards.
I also tend to trust my ISP and my ISP's DNS server more than I trust a
remote site or an email message.

>> It's irrelevant if you call it "use" instead of "login". The problem
>> does not go away: Every(!) site to which you identify with your OpenID
>> can present you with a phish instead of your real OpenID provider.
> 
> Why would a user want to log into such sites? Although the protocol has to
> be foolproof, you are presenting an overly-fool scenario.

Excuse me? That's exactly the usage scenario OpenID was made for: Write
a post on a web forum you've never seen before, discuss a blog entry you
found through a link, edit a wiki you stumble upon, etc.

It should be noted that I did even register with some sites I don't
_fully_ trust. Although I gave them my email address (well, an email
address), I would not trust them with my OpenID credentials.

>> The usual defence against phishing - using your bookmarks when you want
>> to login - does not work because not using your bookmarks to get to the
>> OpenID provider is part of the protocol. Well, you can avoid it by
>> always logging in via OpenID first and then visiting any sites but users
>> in general won't do that. They won't notice if they have to login a
>> second time during their browsing session, either.
> 
> Now who's sticking his head in the sand? Using bookmarks isn't a defense.

The risk differs by a factor of magnitudes. You can't be 100% safe but
making phishing easier than it already is is a bad idea.

> As for logging in prior to RP request, that would require the user to set
> her browser's start page to be OP login. Maybe this isn't such a bad idea.

Well, the main problem with OpenID (actually, with the way it is
implemented by providers) is that the user must enter his credentials on
a site he has been sent to by another site, whose owner (or 0wn3r) could
have arranged for a MITM attack. If that happens, we can't rely on the
user to notice that something is wrong.

In other words, the user authentication with the OpenID provider must
not happen during the process of logging into a site (e.g. the user has
to authenticate in advance/through another channel) /or/ it must use a
method where a MITM can't get any useful information (e.g. TLS client
certs).

>> It's even worse with cross-site scripting. Given the code quality of
>> existing OpenID code (some libraries can't even parse the simplest of
>> HTML), a lot of these problems will spring up.
> 
> Although I could agree with you on the code quality, it has nothing to do
> with the security of the protocol.

Well, for one thing, the protocol should cater for bad implementations
as it does for stupid users. Here, bad code quality (of OpenID
providers) may make phishing attacks unnoticeable even for Lynx users
(no frames, no scripts) who check the URL very carefully.

Claus
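The mitigation Claus argues for (authenticate with the OP in advance, never type OP credentials on a page an RP sent you to), modelled as an added Python example that is not code from this thread or from any OpenID library: a browser-side policy that proceeds on an RP-initiated checkid_setup redirect only when a session with exactly that OP origin already exists, and refuses credential entry for any other origin, lookalike hosts and http downgrades included. All hostnames and URLs are constructed.

```python
"""Browser-side policy: no credential entry during RP-initiated OpenID redirects.

Sessions with an OP are established out of band (bookmark / start page); an
RP redirect is only honoured when its origin matches one of those sessions.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


def origin(url: str) -> str:
    """Scheme + host + port. A lookalike host or an http downgrade is a different origin."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


@dataclass
class UserAgentPolicy:
    # Origins of OPs the user logged into in advance, so no password is ever
    # typed on a page reached through an RP redirect.
    pre_authenticated: set = field(default_factory=set)

    def login_via_bookmark(self, op_url: str) -> None:
        self.pre_authenticated.add(origin(op_url))

    def classify_redirect(self, redirect_url: str) -> str:
        """Decide what to do with a URL an RP just redirected the browser to."""
        mode = parse_qs(urlsplit(redirect_url).query).get("openid.mode", [None])[0]
        if mode not in ("checkid_setup", "checkid_immediate"):
            return "not_openid_request"
        if origin(redirect_url) in self.pre_authenticated:
            return "use_existing_session"   # OP sees its own session cookie; nothing to type
        return "refuse_credentials"         # unknown or lookalike OP: do not enter a password


# Constructed sample values (hypothetical hosts, not from the thread).
REAL_OP = "https://openid.example.net/server"
GENUINE = (f"{REAL_OP}?openid.mode=checkid_setup&openid.identity=https://alice.example.net/"
           "&openid.return_to=https://forum.example.org/finish")
LOOKALIKE = GENUINE.replace("openid.example.net", "openid-example.net")
DOWNGRADE = GENUINE.replace("https://openid.example.net", "http://openid.example.net")


def demo() -> dict:
    ua = UserAgentPolicy()
    ua.login_via_bookmark("https://openid.example.net/login")  # done before browsing
    cases = (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("downgrade", DOWNGRADE))
    return {name: ua.classify_redirect(url) for name, url in cases}


if __name__ == "__main__":
    print(demo())
```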
