[OpenID] Fwd: [OpenID Foundation] New Poll Opened

Ben Laurie benl at google.com
Mon Mar 23 09:07:12 UTC 2009


On Fri, Mar 20, 2009 at 5:41 PM, John Bradley <john.bradley at wingaa.com> wrote:
> Ben,
> <inline>
> On 20-Mar-09, at 6:14 AM, Ben Laurie wrote:
>
>> On Fri, Mar 20, 2009 at 1:32 AM, John Bradley <john.bradley at wingaa.com>
>> wrote:
>>>
>>> I am going to vote in favor of forming the WG.
>>> I have my own deep concerns about phishing attacks.
>>> However OPs that support Infocard, x509, OTP tokens, and
>>> other multi-factor authentication techniques should not be precluded from
>>> supporting this.
>>> I have had discussions on the discovery part of the proposed spec with the
>>> authors, and am OK with the work on that to this point.
>>> I will however vote against the final version if the popup is not at the
>>> OPs discretion via Discovery, and OPs are not required to use
>>> phishing resistant authentication in the popup.
>>
>> Like western civilisation, this would be a very good idea (Gandhi).
>> What phishing resistant authentication did you have in mind?
>
> Gee I feel a bit like a student when the master presents a pop quiz:)
>
> When we talk about unphishable there are really two qualities that tend to
> get conflated.
> 1. The ability of the attacker to get a credential.
> 2. The ability of the attacker to replay the credential against the target
> site.
>
> In general what we are looking for is a technique that will not, over
> repeated attempts, give the attacker enough information to successfully
> impersonate the entity at the target site, in this case the openID OP.
>
> There are a number of social engineering solutions to this problem such as
> site seal.
> My mother taught me not to say bad things about people so I will go no
> further with my opinion on the snake oil class of solution.
>
> The best solution is based on public/private key-pairs; take your pick: RSA,
> DSA, PSEC-1, or my favorite, the Lamport signature. (yes there is a reason I am
> not a cryptographer)
>
> There are currently a number of OPs that offer a "conventional" x509
> approach to this:
> StartSSL, MyopenID, and Verisign will all issue you with a certificate that
> you can or in one case must use to authenticate yourself to your OP.   This
> is a free service of all three OPs, just to cut off the cost of certs
> argument people are formulating:)
>
> I consider this to be unphishable given that the attacker cannot acquire the
> private key without some major compromise to the user's computer.  These and
> other services offer USB token storage for the private key, at a cost.
>
> Honestly 5 years ago I would have had this as my number 1 solution, but the
> UX and other issues make this impractical on a large scale.  Sorry if you
> are an OP planning to make your fortune on this.
>
> Today I think the UX experience for "Personal" Public Key cryptography is
> better served through Information Cards.  Same great security with a user
> interface, and none of the x509 cert aftertaste.  The user can identify
> themselves to their OP with a personal card at MyopenID, Linksafe, and others.
> Verisign's PIP uses a managed card but the result is the same.
>
> The major issue with infocards is the ubiquity of the client selector.  All
> current MS products ship with one and MS provides one for XP.  The
> open-source Higgins project has them available for OSX, Linux, and Windows.
> I have a selector on my iPhone (don't tell Apple, they will take my phone
> away)
>
> Just for a fun UCI experience people who want to can check out
> http://OpenIDbyCard.com/
>
> I am considering the possibility of adding similar functionality directly to
> an openID RP as a way of accepting an openID login without any OP.  But I
> digress into a hopeful world of true User centric authentication.
>
> Some people would claim OTP tokens to be unphishable.
> http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html
>
> Without some sort of PK infrastructure OTP tokens are not.  End of argument.
>
> Some people claim that software fingerprinting of clients combined with out
> of band second factor are effectively unphishable.  Examples include Vidoop
> and MyopenID's phone-based two factor authentication.
>
> Out of band works but has known issues with scalability and usability.
>
> I commend Vidoop and Janrain on their efforts to make phishing resistant
> authentication practical for a large audience.
>
> Once we get into this category of phishing resistant technology things
> become less clear cut.
> I think this is the area that most debate will center.
>
> I hope I pass the quiz even if my answers are perhaps not the popular ones:)

Well, the answers certainly work for me, but don't actually address
the question I asked, which was "what phishing resistant
authentication _in the popup_ did you have in mind?"

As your response suggests, the options are ... limited. I'm sure you
are aware that Eric Sachs and I wrote about some of these options
here: http://sites.google.com/site/oauthgoog/UXFedLogin/strongauth -
but these are, IMO, interim solutions that are not the final answer
(as we state in the paper). Like you, I think the best bet out there
right now as a longer term answer is the identity selector model -
though whether what you want underneath it is really infocards is very
much open to debate.

>
> Regards
> John Bradley
>
>>
>>> If this is not done correctly it will reinforce bad habits in users,
>>> and potentially negatively impact the perception of openID in general.
>>> I think it is a discussion worth having, but as most people would expect I
>>> am unconvinced that popups can be used for user-name and password logins by
>>> an OP.
>>> But hey, Ben Laurie can't always chime in so I will play backup grumpy
>>> security guy:)
>>
>> Thanks :-)
>>
>>> Regards
>>> John Bradley
>>> On 19-Mar-09, at 6:11 PM, general-request at openid.net wrote:
>
> <Snip>
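A worked illustration of the two qualities John separates above (whether an attacker can obtain a credential, and whether it can be replayed against the target site) and of his point that OTP tokens are not unphishable without some public-key infrastructure. This is an added example, not code from either author or from any of the OPs named in the thread. It models a relaying phishing site as a function that forwards what the user supplies to the real OP, and contrasts a counter-based one-time password (verifies regardless of where the user typed it) with a challenge signed by the user's private key where the signed message also carries the origin the client is actually talking to. The origin binding, the hostnames, and the use of a minimal Lamport one-time signature over SHA-256 as the key-pair scheme are all this example's assumptions, not anything the thread specifies.

```python
"""Toy model of credential capture vs. replay against the target site.

Added example, not from the mailing-list thread. Two credentials are compared:
a one-time password, which a relaying phishing site can forward unchanged, and
a signed challenge bound to the origin the client really spoke to, which the
real OP rejects when relayed. The signature scheme is a minimal Lamport
one-time signature over SHA-256 (hash-based, standard library only); the
origin binding and hostnames are assumptions of this example."""
import hashlib
import hmac
import os

REAL_OP = "op.example"       # constructed: the user's real OpenID provider
PHISHER = "op-example.net"   # constructed: a look-alike site the user is lured to


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def message_bits(msg: bytes):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    h = sha256(msg)
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen():
    """One-time key pair: 256 pairs of secrets; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    """Reveal one secret per message bit. A Lamport key must never sign twice."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Each revealed secret must hash to the public value selected by that bit."""
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(sha256(sig[i]), pk[i][bit])
               for i, bit in enumerate(message_bits(msg)))


# --- credential 1: a counter-based one-time password ------------------------
def otp_code(seed: bytes, counter: int) -> str:
    """HMAC-based 6-digit-style code shared by the user's token and the OP."""
    return hmac.new(seed, counter.to_bytes(8, "big"), "sha1").hexdigest()[:6]


def user_types_otp(seed: bytes, counter: int, origin_seen: str) -> str:
    # The token cannot tell which site will receive the code: origin_seen is unused.
    return otp_code(seed, counter)


# --- credential 2: a signed challenge bound to the origin the client sees ----
def user_signs_challenge(sk, challenge: bytes, origin_seen: str):
    # The client mixes the origin it is really talking to into the signed message.
    return lamport_sign(sk, challenge + b"|" + origin_seen.encode())


def op_accepts_signature(pk, challenge: bytes, sig) -> bool:
    # The real OP only ever verifies against its own origin.
    return lamport_verify(pk, challenge + b"|" + REAL_OP.encode(), sig)


def otp_survives_relay() -> bool:
    """User lured to PHISHER types the OTP; the phisher forwards it unchanged."""
    seed, counter = os.urandom(20), 7
    code = user_types_otp(seed, counter, PHISHER)
    return hmac.compare_digest(code, otp_code(seed, counter))  # real OP accepts


def signed_challenge_under_relay():
    """Return (accepted when relayed through PHISHER, accepted when direct)."""
    challenge = os.urandom(16)  # issued by the real OP, forwarded by the phisher
    sk, pk = lamport_keygen()
    relayed = op_accepts_signature(pk, challenge,
                                   user_signs_challenge(sk, challenge, PHISHER))
    sk2, pk2 = lamport_keygen()  # one-time keys: a fresh pair for the next login
    direct = op_accepts_signature(pk2, challenge,
                                  user_signs_challenge(sk2, challenge, REAL_OP))
    return relayed, direct


if __name__ == "__main__":
    print("OTP relayed by the phishing site accepted:", otp_survives_relay())
    print("signed challenge (relayed, direct):", signed_challenge_under_relay())
```

The OTP case returns True: the code the user typed at the look-alike site is exactly what the real OP expects, so the relay needs nothing more than speed. The signed case returns (False, True): the phisher does obtain a signature, but it is over a message naming its own origin, and the real OP's check against its own origin fails. Whether the origin is bound by the client (as here) or by the TLS channel (as with the x509 client certificates John mentions) the effect is the same; an infocard or certificate popup only inherits this property if the thing inside the popup is still a key-pair operation and not a password field.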
