[OpenID] OpenID Security Issues
Chris Messina
chris.messina at gmail.com
Tue Nov 17 01:07:03 UTC 2009
Can we try to keep all this documentation on the actual OpenID wiki?
Is there a reason that this OpenID Review Google Site was created?
I just want to 1) keep things in a convenient, central place and 2) have a
standard means to report these issues.
Also, using a non-openid.net domain seems, well, kind of like a missed
opportunity.
Chris
On Mon, Nov 16, 2009 at 9:48 AM, Breno de Medeiros <breno at google.com> wrote:
> Mike Hanson took the notes and shared them with Jeff Hodges and
> myself. I thought he had also sent them to the IIW note repository,
> but if he did not, here is a public accessible copy:
>
> http://docs.google.com/View?id=dg5g3zns_133c4ddn7hr
>
> On Sat, Nov 14, 2009 at 7:14 PM, Ashish Jain <email at ashishjain.com> wrote:
> > Allen,
> > Here is a link to some more description around the issues:
> > https://sites.google.com/site/openidreview/issues
> >
> > Here is a link to the resources/papers that we mentioned:
> > https://sites.google.com/site/openidreview/resources
> >
> > I haven't been able to find notes from Breno's IIW session. Here is a link
> > to the whiteboard picture: http://www.flickr.com/photos/_nat/4075945912/
> >
> > Thanks,
> > -Ashish
> >
> >
> >
> > On Fri, Nov 13, 2009 at 7:22 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> >>
> >> Hi All,
> >>
> >> There were several security discussions last week at the OpenID Summit and
> >> IIW, and it's about time that we follow up on them:
> >>
> >> For those of you who weren't able to attend last week, some of the presos
> >> are here:
> >> http://wiki.openid.net/OpenIDSummit2009
> >>
> >> And I started a wiki here:
> >> http://wiki.openid.net/SecurityIssues
> >>
> >> A new issue (at least to me) is the Session Swapping issue reported by
> >> Ashish Jain, Andrew Nash, and Jeff Hodges of PayPal. A potential solution
> >> is to have the RP do something similar to a checkid_immediate request after
> >> receiving an assertion. This would allow the RP and OP to confirm that the
> >> assertion was actually issued by the OP to the user that's trying to
> >> authenticate at the RP, at the cost of another round trip.
> >>
> >> Another issue that's always discussed is Phishing. While I don't think we
> >> will completely solve the phishing problem in the near future, there are
> >> things that we can do now to help protect users from phishing. The client-side
> >> OpenID selectors that were demoed last week can potentially improve
> >> both usability and security for users who have them installed.
> >>
> >> Some applications have issues with OpenID assertions being transmitted
> >> unencrypted via the user's browser. I believe that the Artifact Binding WG
> >> will try to address this issue.
> >>
> >> Anything else? It looks like there's consensus that Single Sign Out should
> >> be deferred for the time being.
> >>
> >> Allen
> >>
> >> _______________________________________________
> >> general mailing list
> >> general at lists.openid.net
> >> http://lists.openid.net/mailman/listinfo/openid-general
>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>
--
Chris Messina
Open Web Advocate
Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina
Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net
This email is: [ ] shareable [X] ask first [ ] private
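The Session Swapping issue and the RP-side confirmation that Allen Tom's quoted message describes, illustrated with an added example that is not part of this thread or of any OpenID library: a minimal RP that binds the OpenID return_to URL to the browser session that started the login, a commonly deployed defense that complements the extra checkid_immediate round trip proposed above. The association key, endpoint URLs and identifiers are constructed for the example.

```python
import hmac, hashlib, secrets
from urllib.parse import urlencode, urlsplit, parse_qs
ASSOC_SECRET = b"constructed-association-secret"  # stand-in for the DH-derived RP/OP association key
RP_RETURN_TO = "https://rp.example/openid/return"  # hypothetical RP return endpoint

def sign(fields):
    """Simplified OpenID 2.0 key-value signing (HMAC-SHA256 over sorted fields)."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in sorted(fields))
    return hmac.new(ASSOC_SECRET, kv.encode(), hashlib.sha256).hexdigest()

def op_issue_assertion(claimed_id, return_to):
    """OP side: positive assertion for the account logged in at the OP; return_to is signed."""
    fields = {"openid.mode": "id_res", "openid.claimed_id": claimed_id,
              "openid.return_to": return_to,
              "openid.response_nonce": secrets.token_urlsafe(8)}
    fields["openid.sig"] = sign(fields)
    return fields

class RelyingParty:
    def __init__(self):
        self.sessions = {}   # browser session id -> per-browser login state

    def start_login(self, session_id):
        """Mint a nonce for THIS browser session and embed it in return_to."""
        nonce = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"rp_nonce": nonce}
        return RP_RETURN_TO + "?" + urlencode({"rp_nonce": nonce})

    def finish_login(self, session_id, assertion):
        """Accept only an authentic assertion that THIS browser asked for."""
        signed = {k: v for k, v in assertion.items() if k != "openid.sig"}
        if not hmac.compare_digest(sign(signed), assertion.get("openid.sig", "")):
            return None                                    # forged or tampered
        state = self.sessions.get(session_id, {})
        expected = state.pop("rp_nonce", None)             # single use: also blocks replay
        got = parse_qs(urlsplit(assertion["openid.return_to"]).query).get("rp_nonce")
        if expected is None or got != [expected]:
            return None   # login was started by a different browser: session swapping
        state["user"] = assertion["openid.claimed_id"]
        return state["user"]

def demo():
    rp = RelyingParty()
    alice = op_issue_assertion("https://op.example/alice", rp.start_login("alice-sess"))
    ok = rp.finish_login("alice-sess", alice)          # same browser started and finished
    other = op_issue_assertion("https://op.example/mallory", rp.start_login("mallory-sess"))
    rp.start_login("victim-sess")                      # victim has her own pending login
    swapped = rp.finish_login("victim-sess", other)    # assertion from another browser
    replayed = rp.finish_login("alice-sess", alice)    # nonce already consumed
    return ok, swapped, replayed
```

Because the OP signs openid.return_to, the nonce inside it cannot be altered after the fact, so an assertion minted for one browser's login is rejected when presented from any other session.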