OpenID homesite authorization spoofed
Dick Hardt
dick at sxip.com
Mon Oct 23 03:23:50 UTC 2006
Alaric:
1) details on the attack would be greatly appreciated
2) the "digital drivers license" is a little ways off. We are still
taking baby steps. OpenID Authentication does not do anything more
than prove you were the same entity that was at RP previously. The
same functionality of a username and password.
-- Dick
On 22-Oct-06, at 8:12 PM, Alaric Dailey wrote:
> Depends on what you call DNS spoofing, what we did could be done with a
> "hosts" file (so I guess you could call it that), but we did not use DNS
> poisoning. We simply set up a fake "MyOpenID.com" to fake the real one
> into thinking he had validated already.
>
> As far as what we are trying to prove....
>
> That there are catastrophic holes in the system as it stands.
>
> You see, this all started with me, I was extremely excited about openID,
> I thought that it would be a great way to speed the signup of clients for
> a site we are building. As we implemented it, we discovered major flaws.
> I have this thought that if OpenID/Sxip is about creating a "digital
> drivers license" then there are some assumptions to be made.
>
> 1. Somebody is vouching for the identity being presented. (asserting an
>    identity)
> 2. That entity doing the assertion has to be trusted at some level.
>
> If the vouching party can't be validated then any assertions they make
> are worthless. Just exactly like PGP, if you aren't doing the validation,
> then the key can't TRULY be trusted, and most people have NO IDEA how to
> validate a PGP key correctly.
>
> In the real world, the DMV tries to show that they are the ones who
> issued a drivers license by "signing" it with embedded logos, holograms
> etc. In the digital world the only good analogy is a digital signature,
> I am going to ignore the type of digital signature because that is
> irrelevant.
>
> Without a digital signature any assertions of an identity are worthless
> and without a validation of the asserting entity, even the digital
> signature is worthless.
>
> As I have stated before on my blog and other places, these same issues
> make PGP only truly useful for anonymous or pseudo-anonymous
> communications. I guess it would be really good for communications
> between people who have personally validated each other's keys.
>
>
> Data on the internet is so easy to change en-route, so easy to monitor,
> unsigned plain text (especially something like an assertion) is just
> irresponsible. Encryption, regardless of how it's done, is the only
> reasonable way to protect a user's data, and from a user's standpoint, I
> don't care if I am transferring my age range or my social security
> number, if all data is encrypted, then it's safe. If I am a relying site,
> without a signature, any data not only has to be treated as possibly bad,
> but quite probably dangerous.
>
> I REALLY wanted to find out more about making an authoritative site,
> because it seems like a CA is the perfect candidate to be making usable
> assertions, but I haven't gotten any good information on it, instead I
> have found problems.
>
> I could see where a user would not want to fill in REAL information and
> in fact they may not want to use an authoritative site to validate their
> identity, but that doesn't mean that the account should be able to be
> spoofed.
>
>
> As a side note, I have a different way of looking at authentication and
> authorization because of my experience as a Notary Public, Thawte Notary,
> CAcert Assurer, Programmer and Network admin.
>
>
>
>
> -----Original Message-----
> From: Recordon, David [mailto:drecordon at verisign.com]
> Sent: Sunday, October 22, 2006 8:41 PM
> To: Alaric Dailey; general at openid.net
> Subject: RE: OpenID homesite authorization spoofed
>
> Alaric,
> Mind sharing the attack...at least privately?
>
>
>
>
> If this involved DNS spoofing, then it certainly is known that OpenID can
> be exploited in such fashion, just as every other site out on the
> Internet today not using DNSSEC can be.
>
> I'm not sure exactly what you and Eddy are trying to prove. I fully
> understand that using OpenID with no SSL and no DNSSEC is technically
> insecure, and no one has ever made the claim that OpenID has "military
> grade" security as it stands today. Did you prove something else that
> I'm just missing?
>
> Regards,
> --David
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> On Behalf Of Alaric Dailey
> Sent: Sunday, October 22, 2006 6:38 PM
> To: general at openid.net
> Subject: OpenID homesite authorization spoofed
>
>
> With my consent, Eddy has successfully spoofed openID using a server on
> his internal network and then successfully used that to log onto my
> openid account at myopenid.com. This didn't take any special hacking
> skills, just some DNS trickery and a little coding. The problem would
> have been
>
>
> Using encryption would have made this much more difficult. I have screen
> shots if anyone cares, I'd attach them except that I am sure they would
> be stripped.
>
> Using a mutual authentication between membersite and homesite would have
> made it impossible, while still being transparent to the user, that isn't
> to say there wouldn't be a footprint, but the user would have nothing
> more to do.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
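The thread makes two claims that are easy to check in code: an assertion that is not signed is worth nothing to the relying party, and a signature is worth nothing unless the relying party can tie the signing key to a homesite it actually validated. The Python below is an added illustration written for this page, not code from the thread, from myopenid.com or from any OpenID library. It models a membersite that only accepts an assertion carrying an HMAC over a fixed field list, keyed with a secret the membersite itself established with the homesite endpoint it discovered, and compares that with the weak check the thread describes (believing the response's own "authenticated" flag). The endpoint URL, the shared secret, the field names and the HMAC-SHA256 construction are all constructed for the example and are a simplification, not the OpenID wire format.

```python
import hashlib
import hmac
from typing import Dict

# Constructed association store: the secret the relying party (RP) itself
# established earlier with each homesite endpoint it discovered. Fixed bytes
# here for the example; a real RP negotiates and stores these per endpoint.
ASSOCIATIONS: Dict[str, bytes] = {
    "https://homesite.example/op": b"constructed-shared-secret-for-example",
}

# Fields covered by the signature, in a fixed order (constructed for this
# example; not the OpenID field list).
SIGNED_FIELDS = ("identity", "return_to", "nonce", "op_endpoint")


def canonical_form(fields: Dict[str, str]) -> bytes:
    """Serialise the signed fields as 'name:value' lines in a fixed order."""
    return "".join(f"{name}:{fields[name]}\n" for name in SIGNED_FIELDS).encode()


def sign_assertion(fields: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Homesite side: copy the fields and attach an HMAC-SHA256 tag."""
    signed = dict(fields)
    signed["sig"] = hmac.new(key, canonical_form(fields), hashlib.sha256).hexdigest()
    return signed


def naive_accept(assertion: Dict[str, str]) -> bool:
    """The weak RP check the thread warns about: it believes the response's
    own 'is_authenticated' flag, with no signature and no endpoint binding."""
    return assertion.get("is_authenticated") == "true"


def verify_assertion(assertion: Dict[str, str], discovered_endpoint: str) -> bool:
    """Hardened RP check: accept only a signed assertion whose tag verifies
    under the key the RP itself shares with the endpoint it discovered."""
    key = ASSOCIATIONS.get(discovered_endpoint)
    if key is None:
        return False  # no association with this endpoint: nothing to trust
    if assertion.get("op_endpoint") != discovered_endpoint:
        return False  # the assertion names a different homesite
    sig = assertion.get("sig")
    if sig is None:
        return False  # unsigned: cannot be attributed to any homesite
    try:
        expected = hmac.new(key, canonical_form(assertion), hashlib.sha256).hexdigest()
    except KeyError:
        return False  # a signed field is missing
    return hmac.compare_digest(expected, sig)


def demo() -> Dict[str, bool]:
    """Run both checks over constructed responses and report what each accepts."""
    endpoint = "https://homesite.example/op"
    fields = {
        "identity": "https://alice.example/",
        "return_to": "https://membersite.example/finish",
        "nonce": "2006-10-22T20:41:00Z-constructed",
        "op_endpoint": endpoint,
        "is_authenticated": "true",
    }
    genuine = sign_assertion(fields, ASSOCIATIONS[endpoint])

    # Response from a look-alike homesite: same fields, no signature at all.
    unsigned = dict(fields)

    # Response signed by a look-alike homesite with a key the RP never
    # established; a tag being present proves nothing by itself.
    other_key_signed = sign_assertion(fields, b"constructed-key-the-rp-never-agreed")

    # Genuine response altered in transit: the identity field is changed.
    tampered = dict(genuine)
    tampered["identity"] = "https://bob.example/"

    return {
        "naive_accepts_unsigned": naive_accept(unsigned),
        "naive_accepts_other_key": naive_accept(other_key_signed),
        "hardened_accepts_genuine": verify_assertion(genuine, endpoint),
        "hardened_accepts_unsigned": verify_assertion(unsigned, endpoint),
        "hardened_accepts_other_key": verify_assertion(other_key_signed, endpoint),
        "hardened_accepts_tampered": verify_assertion(tampered, endpoint),
        "hardened_accepts_unknown_endpoint": verify_assertion(
            genuine, "https://lookalike.example/op"
        ),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The last case is the one that matches the thread's second point: the key used for verification comes only from the association the membersite itself made with the endpoint it discovered, never from anything inside the response, so a response that names an endpoint the membersite has no association with is rejected even though its signature is internally consistent. The naive check accepts both the unsigned and the foreign-key responses, which is the behaviour the thread calls worthless.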