[OpenID] OpenID Registering with Google - Securing Discovery
Andrew Arnott
andrewarnott at gmail.com
Fri Dec 17 22:00:08 UTC 2010
You can mitigate MITM attacks by turning on DotNetOpenAuth's RequireSsl=true
setting. But with or without that setting, Google uses HTTPS throughout the
entire OpenID discovery and authentication process. A successful MITM
attack would therefore have to poison the user's DNS server and manufacture
a trusted root-signed HTTPS certificate for Google. No small task to be
sure. And if he could accomplish this, a signed XRDS would not provide any
added protection because that XRDS document could just be copied from the
real Google server complete with signature I suspect.
So as long as you trust the PKI infrastructure you don't have much to worry
about with Google. And if you don't trust PKI, you're correct, OpenID
doesn't have a good story here.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
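As an added illustration of what a RequireSsl-style check has to enforce (example code written for this archive page, not DotNetOpenAuth's own code and not part of the thread): every discovery hop must have been fetched over https, and only https OP endpoints may be selected from the XRDS. The XRDS below is constructed; op.example.com and its URIs are placeholders, not Google's real discovery document.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRD_NS = "xri://$xrd*($v*2.0)"
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"

# Constructed sample XRDS (op.example.com is a placeholder, not Google's real
# document). It deliberately advertises one https and one plain-http endpoint.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.com/openid/ud</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>http://op.example.com/openid/ud-plain</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def is_https(url):
    return urlparse(url).scheme == "https"

def insecure_hops(urls):
    """Return the discovery hops (claimed identifier, each redirect, the XRDS
    location) that were not fetched over https. Any such hop is a point where a
    network attacker could rewrite the response and steer the RP to another OP."""
    return [u for u in urls if not is_https(u)]

def op_endpoints(xrds_text, require_ssl=True):
    """Return OP endpoint URIs from an XRDS, best priority first (lower wins).
    With require_ssl=True, plain-http endpoints are dropped so they can never be
    selected. An empty result means discovery failed and the RP must abort."""
    root = ET.fromstring(xrds_text)
    found = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if OP_SERVER_TYPE not in types:
            continue
        priority = int(svc.get("priority", "2147483647"))
        for uri in svc.findall(f"{{{XRD_NS}}}URI"):
            target = (uri.text or "").strip()
            if target and (is_https(target) or not require_ssl):
                found.append((priority, target))
    return [u for _, u in sorted(found)]
```

Note that this covers only the transport-level half of the argument above: the https check is only as strong as the certificate validation performed by the HTTP client that fetched each hop.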
On Fri, Dec 17, 2010 at 9:24 AM, Sam Barber <Sam.Barber at thomsons.com> wrote:
> Hi all,
>
> I've been working on integrating OpenID into our web application
> using DotNetOpenAuth.
>
> Our application only needs OpenID authentication and doesn't
> communicate with any other google services through OAuth. Reading
> through the Google documentation for OpenID it seems that the
> Registering of an application and exchange of Keys is only available
> for OAuth requests to Google Services and not OpenID.
>
> Firstly, is my understanding of this correct?
>
> If so, is there not a security risk of the Discovery of the Google
> EndPoint being compromised by a man-in-the-middle attack when only
> using OpenID?
>
> The only information I have found on defending against this type of
> attack is that the XRDS needs to be signed in order to confirm you are
> receiving a valid endpoint, which doesn't seem to be an option with
> Google OpenID.
>
> Any corrections or pointers would be much appreciated,
>
> Cheers,
>
> Sam B
>
> Sam Barber
> *Graduate Developer*
> Thomsons Online Benefits
> Gordon House, 10 Greencoat Place, London SW1P 1PH
> E: Sam.Barber at thomsons.com
> W: www.thomsons.com