OpenID homesite authorization spoofed
Alaric Dailey
alaricdailey at hotmail.com
Mon Oct 23 03:12:24 UTC 2006
It depends on what you call DNS spoofing; what we did could be done with a
"hosts" file (so I guess you could call it that), but we did not use DNS
poisoning. We simply set up a fake "MyOpenID.com" to fool the real one into
thinking he had validated already.
As for what we are trying to prove....
That there are catastrophic holes in the system as it stands.
You see, this all started with me: I was extremely excited about OpenID; I
thought that it would be a great way to speed the signup of clients for a
site we are building. As we implemented it, we discovered major flaws. I
have this thought that if OpenID/Sxip is about creating a "digital driver's
license" then there are some assumptions to be made.
1. Somebody is vouching for the identity being presented. (asserting an
identity)
2. That entity doing the assertion has to be trusted at some level.
If the vouching party can't be validated then any assertions they make are
worthless. Exactly like PGP: if you aren't doing the validation, then
the key can't TRULY be trusted, and most people have NO IDEA how to
validate a PGP key correctly.
In the real world, the DMV tries to show that they are the ones who issued a
driver's license by "signing" it with embedded logos, holograms etc. In the
digital world the only good analogy is a digital signature; I am going to
ignore the type of digital signature because that is irrelevant.
Without a digital signature any assertions of an identity are worthless and
without a validation of the asserting entity, even the digital signature is
worthless.
As I have stated before on my blog and other places, these same issues make
PGP only truly useful for anonymous or pseudo-anonymous communications. I
guess it would be really good for communications between people who have
personally validated each other's keys.
Data on the internet is so easy to change en route and so easy to monitor that
unsigned plain text (especially something like an assertion) is just
irresponsible. Encryption, regardless of how it's done, is the only
reasonable way to protect a user's data, and from a user's standpoint, I don't
care if I am transferring my age range or my social security number; if all
data is encrypted, then it's safe. If I am a relying site, without a
signature, any data not only has to be treated as possibly bad, but quite
probably dangerous.
I REALLY wanted to find out more about making an authoritative site, because
it seems like a CA is the perfect candidate to be making usable assertions,
but I haven't gotten any good information on it, instead I have found
problems.
I could see where a user would not want to fill in REAL information, and
in fact they may not want to use an authoritative site to validate their identity,
but that doesn't mean that the account should be able to be spoofed.
As a side note, I have a different way of looking at authentication and
authorization because of my experience as a Notary Public, Thawte Notary,
CAcert Assurer, Programmer and Network admin.
-----Original Message-----
From: Recordon, David [mailto:drecordon at verisign.com]
Sent: Sunday, October 22, 2006 8:41 PM
To: Alaric Dailey; general at openid.net
Subject: RE: OpenID homesite authorization spoofed
Alaric,
Mind sharing the attack...at least privately?
If this involved DNS spoofing, then it certainly is known that OpenID can be
exploited in such fashion, just as every other site out on the Internet
today not using DNSSEC can be.
I'm not sure exactly what you and Eddy are trying to prove. I fully
understand that using OpenID with no SSL and no DNSSEC is technically
insecure, and no one has ever made the claim that OpenID has "military
grade" security as it stands today. Did you prove something else that I'm
just missing?
Regards,
--David
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Alaric Dailey
Sent: Sunday, October 22, 2006 6:38 PM
To: general at openid.net
Subject: OpenID homesite authorization spoofed
With my consent, Eddy has successfully spoofed OpenID using a server on his
internal network and then successfully used that to log onto my OpenID account
at myopenid.com. This didn't take any special hacking skills, just some DNS
trickery and a little coding. The problem would have been
Using encryption would have made this much more difficult. I have screen
shots if anyone cares, I'd attach them except that I am sure they would be
stripped.
Using mutual authentication between membersite and homesite would have
made it impossible, while still being transparent to the user. That isn't to
say there wouldn't be a footprint, but the user would have nothing more to
do.
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
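The spoof and the fix discussed in this thread, as an added example that is not part of the original messages or of any OpenID implementation. It is a toy model, in Python, of the flow Alaric and Eddy describe: the relying party ("membersite") resolves the provider ("homesite") by hostname through a hosts-file style table the attacker can rewrite, sets up an association (a shared MAC key), and accepts a positive assertion whose HMAC verifies under that key. A fake provider answering for the real hostname completes the same steps, so the HMAC check passes: it proves only that the assertion came from whoever the RP associated with. The hardened RP also requires the association response to be authenticated with a long-term provider key it holds out of band, which stands in for a TLS certificate validated against a CA. All hostnames, keys, identities and the "network" are constructed for the example; HMAC-SHA256 is used where OpenID 1.1 uses HMAC-SHA1, and the association key travels in the clear because peer identity, not confidentiality, is what the model is about.

```python
import hashlib
import hmac
import secrets

# Constructed long-term key of the genuine provider. It stands in for the
# provider's certificate key; the RP learns it out of band (the CA role).
REAL_OP_KEY = b"constructed-long-term-key-of-the-real-provider"


def mac_fields(key, fields):
    """HMAC-SHA256 over a canonical 'name:value' serialisation of the fields
    (OpenID 1.1 signs its responses the same way, with HMAC-SHA1)."""
    msg = "".join(f"{k}:{v}\n" for k, v in sorted(fields.items())).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Provider:
    """A homesite / identity provider. longterm_key=None models an attacker
    who can answer for the provider's hostname but holds no trusted key."""

    def __init__(self, longterm_key=None):
        self.longterm_key = longterm_key
        self.assocs = {}  # assoc_handle -> per-association MAC key

    def associate(self, rp_nonce):
        handle = secrets.token_hex(8)
        mac_key = secrets.token_bytes(32)
        self.assocs[handle] = mac_key
        # MAC key sent in the clear in this model (real OpenID 1.1 wraps it
        # with a DH-derived key or relies on TLS); the RP's nonce is echoed so
        # a captured op_sig cannot be replayed.
        resp = {"assoc_handle": handle, "mac_key": mac_key.hex(),
                "rp_nonce": rp_nonce}
        # Provider authentication over the association: the "mutual
        # authentication between membersite and homesite" of the thread.
        resp["op_sig"] = (mac_fields(self.longterm_key, resp)
                          if self.longterm_key else "")
        return resp

    def assert_identity(self, handle, identity, return_to):
        """Positive assertion, HMAC-signed under the association key."""
        fields = {"mode": "id_res", "identity": identity,
                  "return_to": return_to, "assoc_handle": handle}
        fields["sig"] = mac_fields(self.assocs[handle], fields)
        return fields


class RelyingParty:
    """A membersite. trusted_op_keys maps provider hostname -> long-term key."""

    def __init__(self, trusted_op_keys):
        self.trusted = trusted_op_keys
        self.assocs = {}  # assoc_handle -> MAC key

    def begin(self, hosts, network, op_host, require_op_auth):
        # Name resolution goes through an attacker-editable hosts table.
        op = network[hosts[op_host]]
        nonce = secrets.token_hex(8)
        resp = op.associate(nonce)
        if require_op_auth:
            key = self.trusted.get(op_host)
            unsigned = {k: v for k, v in resp.items() if k != "op_sig"}
            if (key is None or unsigned["rp_nonce"] != nonce
                    or not hmac.compare_digest(mac_fields(key, unsigned),
                                               resp["op_sig"])):
                raise PermissionError(f"{op_host} did not prove its identity")
        self.assocs[resp["assoc_handle"]] = bytes.fromhex(resp["mac_key"])
        return op, resp["assoc_handle"]

    def verify(self, assertion):
        mac_key = self.assocs.get(assertion.get("assoc_handle"))
        if mac_key is None:
            return False
        unsigned = {k: v for k, v in assertion.items() if k != "sig"}
        return hmac.compare_digest(mac_fields(mac_key, unsigned),
                                   assertion["sig"])


def run_login(attacker_rewrites_hosts, require_op_auth, tamper=False):
    """Drive one login and report how the RP decides, as a short string."""
    network = {"real-provider": Provider(REAL_OP_KEY),
               "fake-provider": Provider()}
    hosts = {"myopenid.example":
             "fake-provider" if attacker_rewrites_hosts else "real-provider"}
    rp = RelyingParty({"myopenid.example": REAL_OP_KEY})
    try:
        op, handle = rp.begin(hosts, network, "myopenid.example",
                              require_op_auth)
    except PermissionError:
        return "rejected: provider not authenticated"
    assertion = op.assert_identity(handle, "http://myopenid.example/alaric",
                                   "https://member.example/login")
    if tamper:  # an on-path change to the assertion, as the thread worries about
        assertion["identity"] = "http://myopenid.example/eddy"
    return "accepted" if rp.verify(assertion) else "rejected: bad signature"


if __name__ == "__main__":
    print("honest network, no OP auth :", run_login(False, False))
    print("hosts rewritten, no OP auth:", run_login(True, False))  # the spoof
    print("hosts rewritten, OP auth   :", run_login(True, True))
    print("tampered assertion         :", run_login(False, False, tamper=True))
```

The second line of output is the point of the thread: with the hosts table rewritten and no authentication of the provider, the fake homesite's assertion is "accepted" even though every signature check passed, because the association itself was made with the impostor. The tampered-assertion case shows what the HMAC does protect against (in-flight modification), and the provider-authentication case shows what closes the spoof: the RP must bind the association to a provider identity it can validate, which in a deployed system is the job of TLS with certificate validation rather than the pre-shared key used here.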