[OpenID] OpenID Security Issues

Ashish Jain email at ashishjain.com
Sun Nov 15 03:14:06 UTC 2009


Allen,
Here is a link to some more description around the issues:
https://sites.google.com/site/openidreview/issues

Here is a link to the resources/papers that we mentioned:
https://sites.google.com/site/openidreview/resources

I haven't been able to find notes from Breno's IIW session. Here is a link
to the whiteboard picture: http://www.flickr.com/photos/_nat/4075945912/

Thanks,
-Ashish



On Fri, Nov 13, 2009 at 7:22 PM, Allen Tom <atom at yahoo-inc.com> wrote:

> Hi All,
>
> There were several security discussions last week at the OpenID Summit and
> IIW, and it's about time that we follow up on them:
>
> For those of you who weren't able to attend last week, some of the presos
> are here:
> http://wiki.openid.net/OpenIDSummit2009
>
> And I started a wiki here:
> http://wiki.openid.net/SecurityIssues
>
> A new issue (at least to me) is the Session Swapping issue reported by
> Ashish Jain, Andrew Nash, and Jeff Hodges of PayPal. A potential solution
> is to have the RP do something similar to a checkid_immediate request after
> receiving an assertion. This would allow the RP and OP to confirm that the
> assertion was actually issued by the OP to the user that's trying to
> authenticate at the RP, at the cost of another round trip.
>
> Another issue that's always discussed is Phishing. While I don't think we
> will completely solve the phishing problem in the near future, there are
> things that we can do now to help protect users from phishing. The client
> side OpenID selectors that were demoed last week can potentially improve
> both usability and security for users who have them installed.
>
> Some applications have issues with OpenID assertions being transmitted
> unencrypted via the user's browser. I believe that the Artifact Binding WG
> will try to address this issue.
>
> Anything else? It looks like there's consensus that Single Sign Out should
> be deferred for the time being.
>
> Allen

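Added illustration, not code from this thread or from any OpenID library: an RP-side check that binds a positive assertion to the browser session that started the login by putting a per-session nonce in return_to, so an assertion obtained in one session cannot be replayed into another (the session-swapping case above). This is the nonce approach rather than the extra checkid_immediate round trip Allen proposes; the endpoint URL, the `rp_nonce` parameter name and the `BrowserSession` class are assumptions.

```python
import secrets
from hmac import compare_digest
from urllib.parse import parse_qs, urlencode, urlparse

RETURN_BASE = "https://rp.example/openid/return"  # hypothetical RP return endpoint


class BrowserSession:
    """Server-side session state, assumed to be keyed by the browser's session cookie."""

    def __init__(self):
        self.pending_nonce = None  # set when a login starts, cleared when it completes


def start_login(session):
    """Bind the pending login to this session: put a fresh unguessable nonce into
    the return_to URL that the OP will sign and redirect the browser back to."""
    session.pending_nonce = secrets.token_urlsafe(16)
    return RETURN_BASE + "?" + urlencode({"rp_nonce": session.pending_nonce})


def _nonce_from_return_to(url):
    return parse_qs(urlparse(url).query).get("rp_nonce", [None])[0]


def assertion_bound_to_session(session, received_url, assertion):
    """Accept a positive assertion only if it was issued for *this* session.

    Runs in addition to the usual checks (OP signature over openid.signed,
    openid.response_nonce replay check). `assertion` is the dict of openid.*
    parameters carried by the positive assertion; `received_url` is the URL
    the browser actually hit.
    """
    signed = set(assertion.get("openid.signed", "").split(","))
    if "return_to" not in signed:
        return False  # an unsigned return_to could be rewritten freely
    expected = session.pending_nonce
    if expected is None:
        return False  # no login was started from this browser session
    # The OP-signed return_to and the URL the browser actually hit must both
    # carry exactly the nonce issued to this session.
    for url in (assertion.get("openid.return_to", ""), received_url):
        got = _nonce_from_return_to(url)
        if got is None or not compare_digest(got, expected):
            return False
    session.pending_nonce = None  # one completed login per nonce
    return True
```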
