security
Dick Hardt
dick at sxip.com
Sun Oct 22 20:00:08 UTC 2006
On 22-Oct-06, at 11:32 AM, Eddy Nigg (StartCom Ltd.) wrote:
> Hi Dick,
>
> Dick Hardt wrote:
>> There is no reason to force an RP that is not using SSL today to
>> use it with OpenID.
> Of course there are....:
>
> 1.) I don't want my personal "whatever" data to be transferred in the
> open, which includes my ID URI, Key and whatever is going to be
> transferred from my homesite.
It would be your URL, which likely will be private, and likely would
be contained in content moved from the site later on insecure anyway
even if login was SSL.
>
> 2.) I want to make sure, that I'm really talking to slashdot /
> paypal / whatever site....reducing the possibilities of phishing and
> login by mistake to the wrong site.
I think there is a big difference between knowing you are talking to
slashdot, and talking to paypal.
>> Do you think that Slashdot does not use SSL because they can't
>> afford it? No, it is because it is not sensitive enough, and the
>> performance overhead of SSL is too high for the marginal benefit.
> Any Login data is sensitive enough! But really, the "performance
> overhead" is also not a valid argument anymore....First, I'm not
> suggesting, that /. encrypts from now on all its content, but the
> relevant parts of OpenID. The transferred data is not in the range
> of sizes, that this might in any way affect performance, but possibly a
> few KB's....This argument might have been valid ten years ago, but
> not today....
Your opinion is not shared by the site operators and their users. Why
should everyone operate according to how you think things should
happen? As a user, you have a choice not to use those sites. Why are
you wanting to force your values on others?
>> There is a case for the IdP to use SSL, but the biggest one right
>> now, Livejournal, does not support SSL and there was significant
>> push back on making it a requirement.
> Well...I don't know, what the big deal is to have a secured SSL
> site...really...If you can afford to buy a domain name, then you
> can also afford a SSL certificate or get it even for free (This
> will be more and more common...just wait...)
As said above, buying the cert is not the barrier.
>> I think the market will dictate what is needed.
> Not sure about that one....You design and define the SPECS and you
> are the one who should take care of this! If there is a hole in the
> network (and supposedly it gets adopted a lot), then this hole will
> be exploited...Now you have a responsibility here, because as I
> said earlier, access is not to one forum, but might be to hundreds
> of thousands of sites...Think about this! You have to provide a
> robust and secure standard - taking adoption time into account -
> will be used for years to come!
This is like saying that all websites should use SSL and we should
stop allowing HTTP because it is insecure. Where would the web be if
all sites had to run SSL to start off with?
>
> Now, why browsers today offer anti-phishing tools included in their
> software? Because the user is not able to look at the address bar,
> check the frames and iFrames? Exactly....the same is true for a
> user to judge, if this or that site is now secured or should be
> secured...There is enough confusion for some of the population
> making use of the Internet - they can't make a decision every time,
> sometimes they don't even know what to decide! It's you, who should
> take care of this...This is my argumentation!
>> -- Dick
> All the discussions and suggestions are made by me in good faith
> and I don't mean anything personal (So if I write the word "you",
> this doesn't mean you personally, but whoever is involved). I hope,
> that my input is going to be helpful!
These are not issues that have not been discussed in depth before.
Appreciate your feedback, but this is actually not the main security
issue. Adding SSL is pretty straightforward, and a site will decide
to use SSL in the same manner that they decide to use SSL today.
The main security issue is actually the MITM attack discussed
elsewhere. There is no solution in the wild for this with zero
footprint on the client.
-- Dick