[OpenID] Selectively Redirecting OpenID Traffic To HTTPS

Hans Granqvist hans at granqvist.com
Wed Jan 16 14:55:26 UTC 2008


On 1/15/08, Trevor Johns <trevor at tjohns.net> wrote:
> On Jan 15, 2008, at 9:50 PM, Hans Granqvist wrote:
>
> > Of course, a pretty simple attack is RP getting a domain, such as
> > http://verislgnlabs.com/, and a cheap cert that chains to
> > 99.9% of trusted browser roots, and then silently rewriting your
> > URL to fit.
>
>
> This is a known vulnerability. It can be prevented by carefully
> verifying the URL before you enter your password.
>
> I'll readily admit that this doesn't work for regular users who can't
> be bothered to read dialogs, much less manually verify (potentially
> obfuscated) URLs. But this is where things like Verisign's Seatbelt,
> client-side X.509 certs, and out-of-band authentication come into play.

Client-side certs authenticate the client, so they don't come into play
here. OTP devices (e.g., key fobs) are complex and expensive to deploy
still. Out-of-band authentication mechanisms are cumbersome.

That leaves add-ons like Seatbelt to the browser, but forced client-side
installs never work, and the protocol still works when the user forgets to
enable such add-ons.


>
> And this problem isn't unique to OpenID, there's a lot of research in
> the UI and security fields aiming to improve this.

I agree, but the problem is uniquely multiplied by OpenID, since the
user doesn't explicitly click or manually enter the "bad" URL.

OpenID 2, being a new protocol, should not accept that these phishing
attacks are possible, especially when they can be completely avoided
inside the protocol.


>
> > OpenID aware browsers or add-ons could help. OPs that use
> > OTPs, challenge response, biometrics, etc. could also help. But
> > is it even feasible to force their use?
>
> This is what the PAPE extension provides. However, PAPE only provides
> advisory information -- it can easily be circumvented by a user who
> really doesn't want to use stronger security.

What do you mean? PAPE information goes from OP -> RP. When a bad
RP bounces you to a bad OP, this info means nothing.


Hans
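The lookalike-domain problem discussed in this thread (an RP bouncing the user to http://verislgnlabs.com/ instead of the OP they actually use) is exactly what a browser add-on or OpenID-aware client would have to catch, since the user never types the URL. The following is an added illustration, not code from this thread or from any OpenID implementation: it assumes the client already knows the host of the user's intended OP (here the constructed hostname verisignlabs.com) and compares the redirect target against it, collapsing a small, constructed table of visually confusable ASCII sequences so that "verislgn" and "verisign" are recognised as the same skeleton. It also reports the case from the subject line, a correct host reached over plain http.

```python
"""Classify an OpenID redirect target against the OP the user intended.

Added example for illustration only; not code from the mailing-list
thread or from any OpenID library. The expected OP host, the sample
redirect URLs and the confusables table are all constructed here.
"""
from urllib.parse import urlparse

# Constructed, ASCII-only confusable substitutions (lookalike -> reference).
# A real deployment would use a full Unicode confusables table; this one
# only needs to cover the l/i swap from the thread and a few classics.
CONFUSABLES = {"rn": "m", "vv": "w", "l": "i", "1": "i", "0": "o"}


def canonical_host(url: str) -> str:
    """Lower-cased hostname without trailing dot; '' if the URL has none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def skeleton(host: str) -> str:
    """Collapse confusable sequences so lookalikes map to one reference form.

    Longer sequences are replaced first so 'rn' is handled before 'l'/'1'.
    """
    s = host
    for bad, good in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(bad, good)
    return s


def classify_redirect(expected_op_url: str, redirect_url: str) -> str:
    """Return one of 'ok', 'insecure', 'lookalike' or 'mismatch'.

    ok        - same host as the intended OP, reached over https
    insecure  - same host, but the RP sent us to plain http
    lookalike - different host whose confusable-skeleton matches the OP's
    mismatch  - an unrelated host entirely
    """
    expected = canonical_host(expected_op_url)
    actual = canonical_host(redirect_url)
    scheme = urlparse(redirect_url).scheme.lower()

    if actual == expected:
        return "ok" if scheme == "https" else "insecure"
    if skeleton(actual) == skeleton(expected):
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample: the user's OP is verisignlabs.com (hypothetical host).
    OP = "https://verisignlabs.com/server"
    for target in (
        "https://verisignlabs.com/server?openid.mode=checkid_setup",
        "http://verisignlabs.com/server?openid.mode=checkid_setup",
        "https://verislgnlabs.com/server?openid.mode=checkid_setup",
        "https://example.org/login",
    ):
        print(f"{classify_redirect(OP, target):9s} {target}")
```

Only "ok" should be followed silently; "insecure" and "lookalike" are the two cases the thread is about, and a client that knows the intended OP can refuse or warn on both without any cooperation from the RP. The skeleton comparison is deliberately simple: it catches the l/i substitution from the thread but makes no claim to cover Unicode homographs.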