[OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory
Peter Williams
pwilliams at rapattoni.com
Fri Aug 8 21:38:45 UTC 2008
Lets work with this theory.
Ceo of fortune 100 company loses his/her password to the intranet app storing the pending quarterly reports. The app normally allows ceo to make comments on the draft financial statement, using an openid provisioned by the enterprise op. Ceo uses openid auth processes to seek password reset.
Should an auditor qualify this use of openid (given the heady obligations placed on officers of public companies to protect disclosures) as inappropriate per se, or not?
Or, would it depend on the particular implementation?
-----Original Message-----
From: Allen Tom <atom at yahoo-inc.com>
Sent: Friday, August 08, 2008 4:01 PM
To: Ben Laurie <benl at google.com>; security at openid.net <security at openid.net>; OpenID List <general at openid.net>
Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory
OpenID is really just a protocol which allows a user to prove access to
an identifier, and is conceptually identical to the Password Reset via
email flow deployed by countless websites today.
Many websites allow users to login either by entering their password, or
by proving ownership of the email address associated with the account
(usually known as Password Reset via email).
As best described by Simon Willison, logging in with an OpenID is really
the same thing as allowing Password Reset via email, just with a much
better user interface. In both cases, the Relying Party requires the
user to prove access to an external account. Although I am certainly not
a crypto or email expert, I believe that Password Reset use case is
equally vulnerable to this DNS/HTTPS vulnerability, if not more so, as
the Relying Party could be tricked into sending the password reset email
to the attacker.
Again, as many others on this list have pointed out, I am perplexed as
to why OpenID is being singled out for this vulnerability with DNS and
HTTPS.
Allen
Ben Laurie wrote:
> OpenID is "singled out" because I am not talking about a potential
> problem but an actual problem.
>
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
More information about the general
mailing list