[OpenID] OpenID Security Issues
Allen Tom
atom at yahoo-inc.com
Sat Nov 14 02:22:21 UTC 2009
Hi All,
There were several security discussions last week at the OpenID Summit
and IIW, and it's about time that we follow up on them:
For those of you who weren't able to attend last week, some of the
presos are here:
http://wiki.openid.net/OpenIDSummit2009
And I started a wiki here:
http://wiki.openid.net/SecurityIssues
A new issue (at least to me) is the Session Swapping issue reported by
Ashish Jain, Andrew Nash, and Jeff Hodges of PayPal. A potential
solution is to have the RP do something similar to a checkid_immediate
request after receiving an assertion. This would allow the RP and OP to
confirm that the assertion was actually issued by the OP to the user
that's trying to authenticate at the RP, at the cost of another round trip.
Another issue that's always discussed is Phishing. While I don't think
we will completely solve the phishing problem in the near future, there
are things that we can do now to help protect users from phishing. The
client side OpenID selectors that were demoed last week can potentially
improve both usability and security for users who have them installed.
Some applications have issues with OpenID assertions being transmitted
unencrypted via the user's browser. I believe that the Artifact Binding
WG will try to address this issue.
Anything else? It looks like there's consensus that Single Sign Out
should be deferred for the time being.
Allen
More information about the general
mailing list