[OpenID] Association poisoning

Andrew Arnott andrewarnott at gmail.com
Sun Mar 8 17:38:41 UTC 2009


Martin,
Yes, that about sums it up.  Since thinking of this potential problem I
couldn't find anywhere in the OpenID 2.0 spec that calls out the caution.
If it isn't there, perhaps 2.1 can add it.

As stated in my blog post, I only checked Janrain's ruby library and
dotnetopenid.  I haven't checked any other RPs.  I hope that anyone that
owns an RP implementation will check for this.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Sun, Mar 8, 2009 at 9:20 AM, Martin Atkins <mart at degeneration.co.uk> wrote:

> Andrew Arnott wrote:
>
>> If you write an OpenID relying party library or custom implementation, you
>> might want to review a post I just wrote on a potential security hole I've
>> never heard anyone else talk about:
>>
>> http://blog.nerdbank.net/2009/03/openid-association-poisoning.html
>>
>
> So, just to be clear, the flaw here is employing a simple assoc_handle to
> assoc secret mapping without considering which OP belongs to the
> assoc_handle?
>
> That is a pretty serious problem. Have you found any RP implementations
> that *are* vulnerable?
>
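
The flaw summarized in the quoted question above, shown as an added example that is not part of this thread, the linked blog post, or any library named here: a relying-party association store keyed by assoc_handle alone, beside one keyed by the OP endpoint and the handle together. The class names, endpoints, handle and secrets are constructed, and `sign` is a simplified stand-in for OpenID's signature procedure.

```python
import hashlib
import hmac


class HandleOnlyStore:
    """Flawed: associations keyed by assoc_handle alone."""

    def __init__(self):
        self._secrets = {}

    def put(self, op_endpoint, assoc_handle, secret):
        self._secrets[assoc_handle] = secret  # issuing OP is discarded

    def get(self, op_endpoint, assoc_handle):
        return self._secrets.get(assoc_handle)


class ScopedStore:
    """Hardened: associations keyed by (OP endpoint, assoc_handle)."""

    def __init__(self):
        self._secrets = {}

    def put(self, op_endpoint, assoc_handle, secret):
        self._secrets[(op_endpoint, assoc_handle)] = secret

    def get(self, op_endpoint, assoc_handle):
        return self._secrets.get((op_endpoint, assoc_handle))


def sign(secret, fields):
    # Simplified stand-in for OpenID key-value signing (HMAC-SHA256).
    data = "".join(f"{k}:{v}\n" for k, v in sorted(fields.items())).encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def verify(store, fields, sig):
    secret = store.get(fields["op_endpoint"], fields["assoc_handle"])
    if secret is None:
        return False  # no association with this OP under that handle
    return hmac.compare_digest(sign(secret, fields), sig)


def demo(store):
    # Constructed data: two OPs that issue the same handle value.
    store.put("https://op-a.example/", "h1", b"secret-a")
    store.put("https://op-b.example/", "h1", b"secret-b")
    fields = {"op_endpoint": "https://op-a.example/", "assoc_handle": "h1",
              "claimed_id": "https://op-a.example/alice"}
    # Is a signature made with OP B's secret accepted as OP A's assertion?
    return verify(store, fields, sign(b"secret-b", fields))
```

`demo(HandleOnlyStore())` returns `True` and `demo(ScopedStore())` returns `False`, which makes the pair usable as a regression check for an RP's own association store.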