[OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

Allen Tom atom at yahoo-inc.com
Fri Aug 8 21:54:52 UTC 2008 

Hi Peter -

As I've said, many consumer oriented website allow their users to reset 
their passwords (equivalent to logging in) via email, without any 
additional proofing points.

However, many sites require multiple proofing points to reset the 
password, including the answers to secret questions, specific details 
about the user's account, and a verified email address.

Mission Critical enterprise applications usually have much higher 
security requirements than consumer facing web applications. It would 
certainly seem odd to me if an enterprise application lets its users 
login via a simple password reset email sent to a free webmail provider 
without any additional proofing points.

Allen


Peter Williams wrote:
> Lets work with this theory.
>
> Ceo of fortune 100 company loses his/her password to the intranet app storing the pending quarterly reports. The app normally allows ceo to make comments on the draft financial statement, using an openid provisioned by the enterprise op. Ceo uses openid auth processes to seek password reset.
>
> Should an auditor qualify this use of openid (given the heady obligations placed on officers of public companies to protect disclosures) as inappropriate per se,  or not?
>
> Or, would it depend on the particular implementation?
>
> -----Original Message-----
> From: Allen Tom <atom at yahoo-inc.com>
> Sent: Friday, August 08, 2008 4:01 PM
> To: Ben Laurie <benl at google.com>; security at openid.net <security at openid.net>; OpenID List <general at openid.net>
> Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory
>
>
> OpenID is really just a protocol which allows a user to prove access to
> an identifier, and is conceptually identical to the Password Reset via
> email flow deployed by countless websites today.
>
> Many websites allow users to login either by entering their password, or
> by proving ownership of the email address associated with the account
> (usually known as Password Reset via email).
>
> As best described by Simon Willison, logging in with an OpenID is really
> the same thing as allowing Password Reset via email, just with a much
> better user interface. In both cases, the Relying Party requires the
> user to prove access to an external account. Although I am certainly not
> a crypto or email expert, I believe that Password Reset use case is
> equally vulnerable to this DNS/HTTPS vulnerability, if not more so, as
> the Relying Party could be tricked into sending the password reset email
> to the attacker.
>
> Again, as many others on this list have pointed out, I am perplexed as
> to why OpenID is being singled out for this vulnerability with DNS and
> HTTPS.
>
> Allen
>
>
> Ben Laurie wrote:
>   
>> OpenID is "singled out" because I am not talking about a potential
>> problem but an actual problem.
>>
>>     
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080808/deda3519/attachment-0002.htm>

More information about the general mailing list