security
James A. Donald
jamesd at echeque.com
Thu Oct 26 05:45:51 UTC 2006
Martin Atkins wrote:
> The more I read your replies the more I get the
> impression that you don't really understand the OpenID
> protocol flow. In particular, the "username/password
> pair" is OUT OF SCOPE FOR OPENID. How the IdP
> authenticates the user, whether by username/password,
> a cookie, SSL client cert, or even just "I know this
> client is on the same LAN as me", is NOT SPECIFIED by
> OpenID. What *is* specified by OpenID is how the IdP
> communicates the positive assertion back to the RP.
>
> In a separate message I posted the following diagram
> showing the flow of information in a "smart mode"
> OpenID transaction:
>
> <http://i13.tinypic.com/2w3ch7b.png>
>
> The arrows shown in bright red are those which could
> be theoretically compromised if the RP doesn't use
> SSL. The dark red arrow shows what could be
> theoretically compromised if the identity URL does not
> use SSL.
If the RP (the web site at which one uses OpenID to
log in) does not use SSL to communicate with the browser,
one's session could potentially be hijacked, but this
problem is outside the scope of OpenID, which is about
logging in, not what happens next. Obviously banks
should use SSL when one is instructing them to move
money from one account to another, and by and large,
they do. Blogs probably need not, and they do not. That
is an issue for the particular web site, not part of
OpenID. Doubtless most sites should use SSL more than
they do, but that is not an issue that OpenID can or
should address.
This leaves the dark red arrow as the potential problem.
I viewed this as a serious problem. You then asked
"What is the problem?"
The problem is that the end user can unknowingly be
logged in on an identity that someone else created for
him, an identity that someone else controls, yet the
user incorrectly believes that he controls it. He might
upload something of value to an account controlled by
the adversary.
This is an uncommon case, a very rare and specialized
attack. The usual case is that the adversary wants to
log in on your account, because your account already
controls something of value, for example your domain
registration. He does not want you to log in on an
account that he controls.
So it might well be sufficient to flag it as a known
attack - that unless the identity URLs are restricted to
being https URLs, OpenID is unsuitable for accounts where
the user might upload secret information of substantial
value on the account.
--digsig
James A. Donald
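One way an RP could apply the restriction proposed in the message above, rejecting plain-http identity URLs for accounts that hold anything of value. This is an added example, not code from this thread or from any OpenID library; the function names and the `high_value` flag are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(raw: str) -> str:
    """Normalise a user-typed OpenID identifier the way an RP would before
    discovery: trim whitespace, add a scheme when the user omitted one,
    lower-case scheme and host, drop any fragment. XRIs are not handled and
    any userinfo part is discarded (identity URLs should never carry one)."""
    ident = raw.strip()
    if "://" not in ident:
        ident = "http://" + ident  # OpenID's default when no scheme is typed
    parts = urlsplit(ident)
    host = (parts.hostname or "").lower()
    if parts.port is not None:
        host += f":{parts.port}"
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


def identity_url_allowed(raw: str, high_value: bool) -> tuple[bool, str]:
    """Return (allowed, detail). For a high-value account only https identity
    URLs are accepted, so the identity page (the dark red arrow in the
    diagram) cannot be swapped for one the adversary controls while the RP
    fetches it over the wire. Low-value accounts keep the permissive default."""
    url = normalize_identifier(raw)
    scheme = urlsplit(url).scheme
    if scheme not in ("http", "https"):
        return False, f"unsupported scheme {scheme!r}"
    if high_value and scheme != "https":
        return False, f"{url} is not https; refusing for a high-value account"
    return True, url


if __name__ == "__main__":
    # Constructed sample identifiers, as a user might type them into a login box.
    for ident, high in [("Example.com/alice", True),
                        ("HTTPS://Example.com/alice#profile", True),
                        ("example.com", False)]:
        print(ident, "->", identity_url_allowed(ident, high))
```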