[OpenID] Trust + Security @ OpenID

John Panzer jpanzeracm at johnpanzer.com
Sun Jul 8 18:43:50 UTC 2007


Hans Granqvist wrote:
>>I've been calling this the "outsourcing the security of our users"
>>problem. Site owners are uncomfortable about relying on the security
>>of the user's chosen OpenID provider - after all, if they pick a bad
>>one then the site's own security measures are null and void.
> 
> 
> That's only applicable to the site's security measures relating to
> the origin and identification of the user, not its security against
> webapp attacks, right?
> 
> 
>>My counter-argument is that if the site has a "I've forgotten my
>>password" feature that uses e-mail to verify the user, they're already
>>outsourcing the security of their users to that user's chosen e-mail
>>provider, and OpenID changes nothing.
> 
> 
> Emails can be signed and encrypted and refer back to click-thru
> pages with user-set re-activation questions (a la "What was the name
> of your first dog?"). Is that different from OpenID scenarios?

It's the same, or actually perhaps slightly better with OpenID as SSL is 
more widely deployed than clients that accept signed email.  In 
particular, the click-through scenario is the phisher's attack vector; 
in either the email case or when entering an OpenID on an RP's web page, 
there's an opportunity for phishers to redirect users to something that 
looks like the destination site/OP but isn't, and which collects their 
credentials.  In most cases you don't even need to fake the DNS domain 
to get an acceptable success rate (he claims, without proof).

-John



