[OpenID] OpenID Security Issues

Allen Tom atom at yahoo-inc.com
Sun Nov 15 18:15:13 UTC 2009


Hi Ashish,

I updated the OpenID wiki with links to the openidreview Google docs site.

From a specs perspective, do you have an opinion as to which issues 
should be addressed in the next 6 months?

Obviously some issues probably can never be resolved via an OpenID spec, 
for instance CSRF/XSS on either the OP or RP is a problem that is much 
broader than just OpenID.

I think the Session Swapping issue should probably be resolved in the spec, 
as it's very similar to Login CSRF for sites that authenticate users 
with a username/password.

I believe that the Replay Attacks scenario could probably be resolved by 
the Artifact Binding working group.

The Diffie-Hellman issue is already in scope for OpenID 2.1. (I'm in 
favor of removing DH.)
http://wiki.openid.net/OpenID_Authentication_2_1

Thoughts?
Allen




Ashish Jain wrote:
> Allen,
> Here is a link to some more description around the issues: 
> https://sites.google.com/site/openidreview/issues
>
> Here is a link to the resources/papers that we mentioned: 
> https://sites.google.com/site/openidreview/resources
>
> I haven't been able to find notes from Breno's IIW session. Here is a 
> link to the whiteboard picture: 
> http://www.flickr.com/photos/_nat/4075945912/
>
> Thanks,
> -Ashish
>
>
>
> On Fri, Nov 13, 2009 at 7:22 PM, Allen Tom <atom at yahoo-inc.com 
> <mailto:atom at yahoo-inc.com>> wrote:
>
>     Hi All,
>
>     There were several security discussions last week at the OpenID
>     Summit and IIW, and it's about time that we follow up on them:
>
>     For those of you who weren't able to attend last week, some of the
>     presos are here:
>     http://wiki.openid.net/OpenIDSummit2009
>
>     And I started a wiki here:
>     http://wiki.openid.net/SecurityIssues
>
>     A new issue (at least to me) is the Session Swapping issue
>     reported by Ashish Jain, Andrew Nash, and Jeff Hodges of PayPal. A
>     potential solution is to have the RP do something similar to a
>     checkid_immediate request after receiving an assertion. This would
>     allow the RP and OP to confirm that the assertion was actually
>     issued by the OP to the user that's trying to authenticate at the
>     RP, at the cost of another round trip.
>
>     Another issue that's always discussed is Phishing. While I don't
>     think we will completely solve the phishing problem in the near
>     future, there are things that we can do now to help protect users
>     from phishing. The client side OpenID selectors that were demoed
>     last week can potentially improve both usability and security for
>     users who have them installed.
>
>     Some applications have issues with OpenID assertions being
>     transmitted unencrypted via the user's browser. I believe that the
>     Artifact Binding WG will try to address this issue.
>
>     Anything else? It looks like there's consensus that Single Sign
>     Out should be deferred for the time being.
>
>     Allen
>

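The Session Swapping issue discussed in this thread is, as Allen notes, the OpenID analogue of Login CSRF: an attacker completes a login at the OP in their own browser, captures the positive assertion, and then causes the victim's browser to deliver that assertion to the RP, so the victim's session is silently bound to the attacker's account. The following is an added example, not code from this thread or from any OpenID library. It shows one common RP-side defence, binding the pending login to the initiating browser session with a per-session nonce carried in return_to and checked on completion, together with a response_nonce replay check. It is a different mitigation from the checkid_immediate round trip proposed above. The OP is simulated in-process, the association MAC key and all URLs are constructed, and the signature covers only a subset of the fields a real OP signs.

```python
"""Session-swapping defence for an OpenID 2.0 relying party (illustrative).

Added example; not code from the mailing-list thread or from any OpenID
library.  The OP and RP are simulated in-process, the association MAC key
is a constructed constant, and the signature covers only a subset of the
fields a real OP signs.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import urllib.parse
from dataclasses import dataclass

RP_RETURN_TO = "https://rp.example/openid/return"        # assumed RP endpoint
ASSOC_MAC_KEY = b"constructed-association-key-for-demo"  # constructed, not real
SIGNED_FIELDS = ("claimed_id", "return_to", "response_nonce")


@dataclass
class Session:
    """Server-side session state for one browser."""
    login_nonce: str | None = None
    user: str | None = None


def sign(assertion: dict[str, str]) -> str:
    """HMAC over the signed fields with the (simulated) association key."""
    msg = "\n".join(f"{k}:{assertion['openid.' + k]}" for k in SIGNED_FIELDS).encode()
    return hmac.new(ASSOC_MAC_KEY, msg, hashlib.sha256).hexdigest()


def simulated_op_assert(claimed_id: str, return_to: str) -> dict[str, str]:
    """Stand-in for the OP: issue a signed positive assertion for return_to."""
    assertion = {
        "openid.claimed_id": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": secrets.token_urlsafe(12),
    }
    assertion["openid.sig"] = sign(assertion)
    return assertion


class RelyingParty:
    def __init__(self) -> None:
        self.seen_response_nonces: set[str] = set()

    def begin_login(self, session: Session) -> str:
        # Bind the pending login to this browser session: a fresh random nonce
        # is stored server-side and echoed in return_to.  OpenID 2.0 requires
        # the OP to preserve extra return_to query parameters unchanged.
        session.login_nonce = secrets.token_urlsafe(16)
        query = urllib.parse.urlencode({"rp_nonce": session.login_nonce})
        return f"{RP_RETURN_TO}?{query}"

    def complete_login(self, session: Session, assertion: dict[str, str]) -> bool:
        # 1. Signature over the signed fields must verify.
        if not hmac.compare_digest(sign(assertion), assertion["openid.sig"]):
            return False
        # 2. return_to must be our own endpoint (an assertion minted for
        #    another RP cannot be spent here).
        parsed = urllib.parse.urlsplit(assertion["openid.return_to"])
        if parsed._replace(query="").geturl() != RP_RETURN_TO:
            return False
        # 3. Session binding: the nonce in return_to must equal the nonce held
        #    by *this* browser's session.  An attacker who logs in within their
        #    own session and feeds the resulting assertion to the victim's
        #    browser fails here: the victim's session holds a different nonce,
        #    or none at all.
        rp_nonce = urllib.parse.parse_qs(parsed.query).get("rp_nonce", [""])[0]
        if session.login_nonce is None or not hmac.compare_digest(rp_nonce, session.login_nonce):
            return False
        session.login_nonce = None  # single use
        # 4. Replay: each OP response_nonce may be accepted only once.
        if assertion["openid.response_nonce"] in self.seen_response_nonces:
            return False
        self.seen_response_nonces.add(assertion["openid.response_nonce"])
        session.user = assertion["openid.claimed_id"]
        return True


def demo() -> tuple[bool, bool, bool, str | None]:
    rp = RelyingParty()
    victim, attacker = Session(), Session()
    # Attacker completes a genuine login in *their* session and keeps the assertion.
    attacker_assertion = simulated_op_assert("https://attacker.example/id",
                                             rp.begin_login(attacker))
    # Session swapping: the victim's browser is made to submit the attacker's
    # assertion URL, which would bind the victim's session to the attacker's account.
    swapped = rp.complete_login(victim, attacker_assertion)
    # Legitimate flow started and finished in the victim's own session.
    legit_assertion = simulated_op_assert("https://victim.example/id",
                                          rp.begin_login(victim))
    legit = rp.complete_login(victim, legit_assertion)
    # Re-delivering the same assertion is refused.
    replay = rp.complete_login(victim, legit_assertion)
    return swapped, legit, replay, victim.user


if __name__ == "__main__":
    print(demo())
```

The check that matters for session swapping is step 3: the RP only accepts an assertion whose return_to carries the nonce it issued to the session now presenting it, so an assertion obtained in the attacker's browser cannot be spent in the victim's. Step 4 is independent and also covers the Replay Attacks scenario mentioned above.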