[OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

Allen Tom atom at yahoo-inc.com
Fri Aug 8 20:49:26 UTC 2008


OpenID is really just a protocol which allows a user to prove access to 
an identifier, and is conceptually identical to the Password Reset via 
email flow deployed by countless websites today.

Many websites allow users to log in either by entering their password, or 
by proving ownership of the email address associated with the account 
(usually known as Password Reset via email).

As best described by Simon Willison, logging in with an OpenID is really 
the same thing as allowing Password Reset via email, just with a much 
better user interface. In both cases, the Relying Party requires the 
user to prove access to an external account. Although I am certainly not 
a crypto or email expert, I believe that the Password Reset use case is 
equally vulnerable to this DNS/HTTPS vulnerability, if not more so, as 
the Relying Party could be tricked into sending the password reset email 
to the attacker.

Again, as many others on this list have pointed out, I am perplexed as 
to why OpenID is being singled out for this vulnerability with DNS and 
HTTPS.

Allen


Ben Laurie wrote:
> OpenID is "singled out" because I am not talking about a potential
> problem but an actual problem.