<div>I don't know why you see this as a security flaw in the protocol. Your email started out as "hey, I wish a request and associated response could be tied together in my log files" so it seemed like just an inconvenience to you, and now you're talking about a security flaw. It sounds like you have multiple topics in your email now. So now that we've helped you totally address your "inconvenience" grievance (and you're welcome...?) let's move on to your security concerns (the ones that I can find in your original email...</div>
<div><br></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">Maarten said:<br><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
In the case of a failure response, however, there is a significant lack of useful information passed from the OP to the RP. This lack of useful information makes it impossible for the RP to verify that the response did originate from the OP. </blockquote>
<div><br></div><div>If it's a failure response, you're absolutely right. Anyone can forge a failure response. What would the RP do differently if it knew for sure whether the failure came from the OP or not? If it makes any difference to your RP, I'm sure we'd be interested to know what that difference would be. </div>
<div> </div><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
Unfortunately for the RP, (and conveniently for an attacker), the response is sent via indirect communication (via the User Agent); so the RP has no clue whatsoever where the response came from or who crafted it. There is no association handle, no signature, no nonce, no nothing.</blockquote>
<div><br></div><div>Again, for a failure response, that's true -- unless you utilize the return_to parameter as we've described in prior emails. But what's the problem with this? Unless you have very stringent security requirements that I can't think of at the moment, since a failure response gets the user no security elevation from the RP, why would an attack do this? He would gain anything, or cause the site itself to suffer and failure responses are very cheap to process.</div>
<div> </div><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
<br></blockquote><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
Does that mean that to sabotage an OpenID site's authentication process, all I have to do is craft a website which, when opened by the user in a separate tab, continuously makes requests to the RP providing authentication failure responses?</blockquote>
<div><br></div><div>No, I don't think so. That wouldn't sabatoge the site's authentication process at all. Merely sending failure messages to the RP is only going to send the attacker a failed auth message from the RP in HTML as if they were a user. That won't hurt the RP aside from minimal CPU time. Legitimate users at that RP will be totally unaffected. Unless you hit the site so hard that it becomes a DoS attack, in which case OpenID isn't offering a new vulnerability at all, because as I said failure responses are cheap for the RP to process -- about as cheap as any other cheap server-side scripted page.</div>
</span></div><div><br></div><div>OpenID advocates and authors take security seriously, and they mean to improve it in future versions. To say all security features are optional is a very poor statement to make, as an authentication protocol with no required security features is ludicrous. I'll stop before ranting about that further... But perhaps you can ask additional questions (if you have any that this email doesn't answer) in a more "help me understand" attitude? </div>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Sat, Aug 21, 2010 at 2:05 PM, Maarten Billemont <span dir="ltr"><<a href="mailto:lhunath@gmail.com">lhunath@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word"><br><div><div class="im"><div>On 20 Aug 2010, at 16:17, Andrew Arnott wrote:</div><br><blockquote type="cite">I don't consider this a flaw at all. In fact you can solve it yourself today, in total compliance with the OpenID spec. <div>
<br></div><div>Use the return_to parameter to add whatever unique ID you wish was there. Then in your logs, you'll see the ID on the outgoing request (if you log it) and on the response (via the incoming HTTP indirect message). </div>
<div><br></div><div>Problem solved, right? It's totally up to the RP (you) to leverage this hidden "feature" of ways to use return_to.</div></blockquote><div><br></div></div><div>Might I ask what the wisdom behind this is?</div>
<div><br></div><div>I have the feeling OpenID is all about a way of authenticating users and exchanging identity information but utter minimal requirements to do that in a secure fashion. All features that are there to protect against known and proven attack vectors are optional. And as indicated by this thread, some attack vectors aren't even dealt with by the protocol: one would need to do silly undocumented stuff to existing parameters or add extensions to the protocol. You could say, the OpenID protocol is the exact opposite of "Secure By Default". And designing a protocol that way only encourages lazy implementations that have no regard for user privacy concerns.</div>
<div><br></div><div>Do the OpenID designers hold security in a low regard or does security come second to "ease of implementation" (frankly, a secure protocol is just as easily adopted given good reference implementations). Perhaps I'm not seeing all the reasons why OpenID was designed the way it was - can anyone shed some light?</div>
<div class="im"><br><blockquote type="cite"><div><br></div><div>In particular, DotNetOpenAuth utilizes return_to when its optional feature is activated that disables "unsolicited assertions", which guarantees that each authentication response starts with an authentication request that originated at the RP. We had a signed nonce from the RP to the return_to, and verify it when it comes back. Again, this is only if you wanted to disable unsolicited assertions deliberately for some reason.</div>
<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br><br><br><div class="gmail_quote">On Fri, Aug 20, 2010 at 2:12 AM, Maarten Billemont <span dir="ltr"><<a href="mailto:lhunath@gmail.com" target="_blank">lhunath@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex">It has always bothered me that the OpenID protocol does not assign a unique ID to requests that is required to be repeated in the request's response. This makes it annoying to cleanly identify whether a response matches a particular request; instead relying on chronology (response Y comes after request X? It must be a response to X!).<br>
<br>This is an annoyance, yet, in the case of successful authentication responses, not a disaster: The response can be signed and verified.<br><br>In the case of a failure response, however, there is a significant lack of useful information passed from the OP to the RP. This lack of useful information makes it impossible for the RP to verify that the response did originate from the OP. Unfortunately for the RP, (and conveniently for an attacker), the response is sent via indirect communication (via the User Agent); so the RP has no clue whatsoever where the response came from or who crafted it. There is no association handle, no signature, no nonce, no nothing.<br>
<br>Does that mean that to sabotage an OpenID site's authentication process, all I have to do is craft a website which, when opened by the user in a separate tab, continuously makes requests to the RP providing authentication failure responses?<br>
<br>Am I missing something here, or is the OpenID protocol really so flawed? And if it is, can I expect anyone to fix the protocol any time soon?<br><br>_______________________________________________<br>general mailing list<br>
<a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
</blockquote></div><br></div></blockquote></div></div></div></blockquote></div><br>