[OpenID] OpenID Security Issues
Ashish Jain
email at ashishjain.com
Tue Nov 17 01:14:10 UTC 2009
It was created as an interim measure.
+1 to moving the contents/links to the main wiki.
-Ashish
On Mon, Nov 16, 2009 at 6:07 PM, Chris Messina <chris.messina at gmail.com> wrote:
> Can we try to keep all this documentation on the actual OpenID wiki?
>
> Is there a reason that this OpenID Review Google Site was created?
>
> I just want to 1) keep things in a convenient, central place and 2) have a
> standard means to report these issues.
>
> Also, using a non-openid.net domain seems, well, kind of like a missed
> opportunity.
>
> Chris
>
>
> On Mon, Nov 16, 2009 at 9:48 AM, Breno de Medeiros <breno at google.com> wrote:
>
>> Mike Hanson took the notes and shared them with Jeff Hodges and
>> myself. I thought he had also sent them to the IIW note repository,
>> but if he did not, here is a public accessible copy:
>>
>> http://docs.google.com/View?id=dg5g3zns_133c4ddn7hr
>>
>> On Sat, Nov 14, 2009 at 7:14 PM, Ashish Jain <email at ashishjain.com> wrote:
>> > Allen,
>> > Here is a link to some more description around the issues:
>> > https://sites.google.com/site/openidreview/issues
>> >
>> > Here is a link to the resources/papers that we mentioned:
>> > https://sites.google.com/site/openidreview/resources
>> >
>> > I haven't been able to find notes from Breno's IIW session. Here is a link
>> > to the whiteboard picture:
>> > http://www.flickr.com/photos/_nat/4075945912/
>> >
>> > Thanks,
>> > -Ashish
>> >
>> >
>> >
>> > On Fri, Nov 13, 2009 at 7:22 PM, Allen Tom <atom at yahoo-inc.com> wrote:
>> >>
>> >> Hi All,
>> >>
>> >> There were several security discussions last week at the OpenID Summit and
>> >> IIW, and it's about time that we follow up on them:
>> >>
>> >> For those of you who weren't able to attend last week, some of the presos
>> >> are here:
>> >> http://wiki.openid.net/OpenIDSummit2009
>> >>
>> >> And I started a wiki here:
>> >> http://wiki.openid.net/SecurityIssues
>> >>
>> >> A new issue (at least to me) is the Session Swapping issue reported by
>> >> Ashish Jain, Andrew Nash, and Jeff Hodges of PayPal. A potential solution
>> >> is to have the RP do something similar to a checkid_immediate request after
>> >> receiving an assertion. This would allow the RP and OP to confirm that the
>> >> assertion was actually issued by the OP to the user that's trying to
>> >> authenticate at the RP, at the cost of another round trip.
>> >>
>> >> Another issue that's always discussed is Phishing. While I don't think we
>> >> will completely solve the phishing problem in the near future, there are
>> >> things that we can do now to help protect users from phishing. The client
>> >> side OpenID selectors that were demoed last week can potentially improve
>> >> both usability and security for users who have them installed.
>> >>
>> >> Some applications have issues with OpenID assertions being transmitted
>> >> unencrypted via the user's browser. I believe that the Artifact Binding WG
>> >> will try to address this issue.
>> >>
>> >> Anything else? It looks like there's consensus that Single Sign Out should
>> >> be deferred for the time being.
>> >>
>> >> Allen
>> >>
>> >> _______________________________________________
>> >> general mailing list
>> >> general at lists.openid.net
>> >> http://lists.openid.net/mailman/listinfo/openid-general
>>
>> --
>> --Breno
>>
>> +1 (650) 214-1007 desk
>> +1 (408) 212-0135 (Grand Central)
>> MTV-41-3 : 383-A
>> PST (GMT-8) / PDT(GMT-7)
>
> --
> Chris Messina
> Open Web Advocate
>
> Personal: http://factoryjoe.com
> Follow me on Twitter: http://twitter.com/chrismessina
>
> Citizen Agency: http://citizenagency.com
> Diso Project: http://diso-project.org
> OpenID Foundation: http://openid.net
>
> This email is: [ ] shareable [X] ask first [ ] private
>
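The post-assertion confirmation Allen proposes in the quoted message, modelled as an added example (this is not code from the thread, from PayPal, or from any OpenID library). A toy OP and RP run in one process: the RP, after checking the assertion's signature and nonce, asks the OP whether the browser that presented the assertion is logged in there as the asserted identity, and rejects the login when it is not. The association secret, the HMAC-SHA256 signing, the browser session ids, `RETURN_TO`, and the method names `checkid_setup`/`checkid_immediate` are all assumptions for the sake of the simulation.

```python
"""Toy OpenID RP and OP in one process, modelling the extra confirmation round trip.
Constructed example; the wire format and signing are simplified stand-ins."""
import hashlib
import hmac
import secrets

# Constructed association secret shared by RP and OP (assumption: a single
# pre-established association; real OpenID negotiates it via an associate request).
ASSOC_SECRET = b"constructed-association-secret"
RETURN_TO = "https://rp.example/openid/return"   # placeholder RP return URL


def sign(fields: dict) -> str:
    """HMAC over the assertion fields (simplified stand-in for OpenID's signed-field MAC)."""
    msg = "\n".join(f"{k}:{fields[k]}" for k in sorted(fields) if k != "sig").encode()
    return hmac.new(ASSOC_SECRET, msg, hashlib.sha256).hexdigest()


class OP:
    """OpenID Provider: tracks which user is logged in on which browser session."""

    def __init__(self):
        self.browser_sessions = {}   # browser session id -> claimed_id

    def login(self, browser: str, claimed_id: str) -> None:
        self.browser_sessions[browser] = claimed_id

    def checkid_setup(self, browser: str, return_to: str) -> dict:
        """Positive assertion for whoever is logged in on this browser."""
        fields = {
            "mode": "id_res",
            "claimed_id": self.browser_sessions[browser],
            "return_to": return_to,
            "response_nonce": secrets.token_hex(8),
        }
        fields["sig"] = sign(fields)
        return fields

    def checkid_immediate(self, browser: str, claimed_id: str) -> bool:
        """Non-interactive answer: is *this* browser's OP session the claimed user?"""
        return self.browser_sessions.get(browser) == claimed_id


class RP:
    """Relying Party; confirm_with_op toggles the extra round trip to the OP."""

    def __init__(self, op: OP, confirm_with_op: bool):
        self.op = op
        self.confirm_with_op = confirm_with_op
        self.seen_nonces = set()
        self.logged_in = {}          # browser session id -> identity the RP accepted

    def complete_login(self, browser: str, assertion: dict) -> str:
        if assertion.get("return_to") != RETURN_TO:
            return "rejected: return_to mismatch"
        if not hmac.compare_digest(sign(assertion), assertion.get("sig", "")):
            return "rejected: bad signature"
        if assertion["response_nonce"] in self.seen_nonces:
            return "rejected: replayed nonce"
        self.seen_nonces.add(assertion["response_nonce"])
        # The added step: ask the OP whether the browser presenting the assertion
        # is actually logged in there as the asserted identity.
        if self.confirm_with_op and not self.op.checkid_immediate(browser, assertion["claimed_id"]):
            return "rejected: assertion was not issued to this browser's user"
        self.logged_in[browser] = assertion["claimed_id"]
        return "ok"


def run_scenarios() -> dict:
    """A legitimate login, then a swapped assertion against RPs with and without the check."""
    op = OP()
    op.login("browser-alice", "https://alice.example/")
    op.login("browser-mallory", "https://mallory.example/")
    naive = RP(op, confirm_with_op=False)
    checked = RP(op, confirm_with_op=True)
    results = {}

    # Alice's browser obtains its own assertion and presents it: accepted.
    own = op.checkid_setup("browser-alice", RETURN_TO)
    results["legitimate"] = checked.complete_login("browser-alice", own)

    # Session swapping: an assertion issued in Mallory's browser arrives from Alice's.
    swapped = op.checkid_setup("browser-mallory", RETURN_TO)
    results["swapped_naive"] = naive.complete_login("browser-alice", swapped)
    results["swapped_naive_identity"] = naive.logged_in.get("browser-alice")  # Alice's session is now Mallory's
    results["swapped_checked"] = checked.complete_login("browser-alice", swapped)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Run stand-alone, the script shows the naive RP accepting the swapped assertion and binding Alice's browser session to Mallory's identity, while the RP with the confirmation step rejects it. The signature and nonce checks alone do not catch the swap because the assertion is genuine; only the OP can say which browser it was issued to, which is why the proposal costs a round trip.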