<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Peter -<br>
<br>
As I've said, many consumer oriented website allow their users to reset
their passwords (equivalent to logging in) via email, without any
additional proofing points. <br>
<br>
However, many sites require multiple proofing points to reset the
password, including the answers to secret questions, specific details
about the user's account, and a verified email address.<br>
<br>
Mission Critical enterprise applications usually have much higher
security requirements than consumer facing web applications. It would
certainly seem odd to me if an enterprise application lets its users
login via a simple password reset email sent to a free webmail provider
without any additional proofing points.<br>
<br>
Allen<br>
<br>
<br>
Peter Williams wrote:
<blockquote
cite="mid:7FD5B754D66D9A489C584ECA4B32418F1CA58C31@simmbox01.rapnt.com"
type="cite">
<pre wrap="">Lets work with this theory.
Ceo of fortune 100 company loses his/her password to the intranet app storing the pending quarterly reports. The app normally allows ceo to make comments on the draft financial statement, using an openid provisioned by the enterprise op. Ceo uses openid auth processes to seek password reset.
Should an auditor qualify this use of openid (given the heady obligations placed on officers of public companies to protect disclosures) as inappropriate per se, or not?
Or, would it depend on the particular implementation?
-----Original Message-----
From: Allen Tom <a class="moz-txt-link-rfc2396E" href="mailto:atom@yahoo-inc.com"><atom@yahoo-inc.com></a>
Sent: Friday, August 08, 2008 4:01 PM
To: Ben Laurie <a class="moz-txt-link-rfc2396E" href="mailto:benl@google.com"><benl@google.com></a>; <a class="moz-txt-link-abbreviated" href="mailto:security@openid.net">security@openid.net</a> <a class="moz-txt-link-rfc2396E" href="mailto:security@openid.net"><security@openid.net></a>; OpenID List <a class="moz-txt-link-rfc2396E" href="mailto:general@openid.net"><general@openid.net></a>
Subject: Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory
OpenID is really just a protocol which allows a user to prove access to
an identifier, and is conceptually identical to the Password Reset via
email flow deployed by countless websites today.
Many websites allow users to login either by entering their password, or
by proving ownership of the email address associated with the account
(usually known as Password Reset via email).
As best described by Simon Willison, logging in with an OpenID is really
the same thing as allowing Password Reset via email, just with a much
better user interface. In both cases, the Relying Party requires the
user to prove access to an external account. Although I am certainly not
a crypto or email expert, I believe that Password Reset use case is
equally vulnerable to this DNS/HTTPS vulnerability, if not more so, as
the Relying Party could be tricked into sending the password reset email
to the attacker.
Again, as many others on this list have pointed out, I am perplexed as
to why OpenID is being singled out for this vulnerability with DNS and
HTTPS.
Allen
Ben Laurie wrote:
</pre>
<blockquote type="cite">
<pre wrap="">OpenID is "singled out" because I am not talking about a potential
problem but an actual problem.
</pre>
</blockquote>
<pre wrap=""><!---->
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<br>
</body>
</html>