[OpenID] BlackHat presentation on OpenID
Norman Gray
norman at astro.gla.ac.uk
Mon Sep 10 08:15:45 UTC 2007
Greetings.
I haven't seen this appear on the list yet (apologies if I've missed
it).
Bob Blakley at the Burton Group produced a blog post on `What is OpenID
for?'[1], which asks a number of useful questions (with the aim of getting
the horse explicitly back before the cart), and points to a couple of
discussions about OpenID security. In particular, it points towards
a BlackHat discussion of OpenID security weaknesses[2], which lists an
alarming number of weaknesses, but ends on a note of qualified optimism:
Whilst this paper has presented a number of attacks against OpenID,
it still remains the only viable option for the Internet-wide SSO
system. Some of the attacks presented are either partially solved
already or can be solved with relative ease. Other attacks such as
phishing and the redirect attack require further thought. However
it is our belief that OpenID can be made secure.
Norman
[1] http://srmsblog.burtongroup.com/2007/09/what-is-openid-.html
[2] https://www.blackhat.com/presentations/bh-usa-07/Tsyrklevich/Whitepaper/bh-usa-07-tsyrklevich-WP.pdf
--
---------------------------------------------------------------------------
Norman Gray / http://nxg.me.uk
eurovotech.org / University of Leicester