You can mitigate MITM attacks by turning on DotNetOpenAuth's RequireSsl=true setting. But with or without that setting, Google uses HTTPS throughout the entire OpenID discovery and authentication process. A successful MITM attack would therefore have to poison the user's DNS server and manufacture a trusted root-signed HTTPS certificate for Google. No small task to be sure. And if he could accomplish this, a signed XRDS would not provide any added protection because that XRDS document could just be copied from the real Google server complete with signature I suspect. <div>
<br></div><div>So as long as you trust the PKI infrastructure you don't have much to worry about with Google. And if you don't trust PKI, you're correct, OpenID doesn't have a good story here.<br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Fri, Dec 17, 2010 at 9:24 AM, Sam Barber <span dir="ltr"><<a href="mailto:Sam.Barber@thomsons.com">Sam.Barber@thomsons.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div>
<p>
</p><p></p><div><p class="MsoNormal">Hi all,</p><p class="MsoNormal"> </p><p class="MsoNormal">I've been working on intergrating OpenID into our web application</p><p class="MsoNormal">using DotNetOpenAuth.</p><p class="MsoNormal">
</p><p class="MsoNormal">Our application only needs OpenID authentication and doesn't</p><p class="MsoNormal">communicate with any other google services through OAuth. Reading</p><p class="MsoNormal">through the Google documentation for OpenID it seems that the</p>
<p class="MsoNormal">Registering of an application and exchange of Keys is only available</p><p class="MsoNormal">for OAuth requests to Google Services and not OpenID.</p><p class="MsoNormal"> </p><p class="MsoNormal">Firstly, is my understanding of this correct?</p>
<p class="MsoNormal"> </p><p class="MsoNormal">If so, is there not a security risk of the Discovery of the Google</p><p class="MsoNormal">EndPoint being compromised by a man-in-the-middle attack when only</p><p class="MsoNormal">
using OpenID?</p><p class="MsoNormal"> </p><p class="MsoNormal">The only information I have found on defending against this type of</p><p class="MsoNormal">attack is that the XRDS needs to be signed in order to confirm you are</p>
<p class="MsoNormal">receiving a valid endpoint, which doesn't seem to be an option with</p><p class="MsoNormal">Google OpenID.</p><p class="MsoNormal"> </p><p class="MsoNormal">Any corrections or pointers would be much appreciated,</p>
<p class="MsoNormal"> </p><p class="MsoNormal">Cheers,</p><p class="MsoNormal">Sam B</p></div><p></p>
<p>
</p><p><a href="http://www.thomsonsonlinebenefits.com/" target="_blank"></a></p>
<p><font color="#7f7f7f" face="Arial" size="1"></font></p>
<p><font face="Arial"><font color="#7f7f7f" size="1"><img align="baseline" alt="" border="0" hspace="0"></font></font></p>
<p><font face="Arial"><font color="#7f7f7f" size="1">Sam Barber</font><br><font color="#ff9933" size="1"><strong><span style="font-size:8pt;color:#db0962">Graduate Developer</span></strong></font></font></p>
<table border="0" cellpadding="0" cellspacing="0" width="400">
<tbody>
<tr>
<td width="175"><font color="#7f7f7f" face="Arial" size="1">Thomsons Online Benefits</font></td>
<td width="225"><font color="#7f7f7f" face="Arial" size="1">M:</font></td></tr>
<tr>
<td><font color="#7f7f7f" face="Arial" size="1">Gordon House</font></td>
<td><font color="#7f7f7f" face="Arial" size="1">T: </font></td></tr>
<tr>
<td><font color="#7f7f7f" face="Arial" size="1">10 Greencoat Place</font></td>
<td><font color="#7f7f7f" face="Arial" size="1">E: <a href="mailto:Sam.Barber@thomsons.com" target="_blank">Sam.Barber@thomsons.com</a></font></td></tr>
<tr>
<td><font color="#7f7f7f" face="Arial" size="1">London SW1P 1PH</font></td>
<td><font color="#7f7f7f" face="Arial" size="1">W: <a href="http://www.thomsons.com/" target="_blank">www.thomsons.com</a></font></td></tr></tbody></table>
<p></p>
<p></p> <p></p><p></p>
<p> </p>
<p>
</p><p><a href="http://www.thomsonsonlinebenefits.com/" target="_blank"></a></p>
<p><font color="#7f7f7f" face="Arial" size="1"></font></p>
<p><font face="Arial"><font color="#7f7f7f" size="1"><img align="baseline" alt="" border="0" hspace="0"></font></font></p>
<p><font face="Arial"><font color="#7f7f7f" size="1">Sam Barber</font><br><font color="#ff9933" size="1"><strong><span style="font-size:8pt;color:#db0962">Graduate Developer</span></strong></font></font></p>
<table border="0" cellpadding="0" cellspacing="0" width="400">
<tbody>
<tr>
<td width="175"><font color="#7f7f7f" face="Arial" size="1">Thomsons Online Benefits</font></td>
<td width="225"><font color="#7f7f7f" face="Arial" size="1">M:</font></td></tr>
<tr>
<td><font color="#7f7f7f" face="Arial" size="1">Gordon House</font></td>
<td><font color="#7f7f7f" face="Arial" size="1">T: </font></td></tr>
<tr>
<td><font color="#7f7f7f" face="Arial" size="1">10 Greencoat Place</font></td>
<td><font color="#7f7f7f" face="Arial" size="1">E: <a href="mailto:Sam.Barber@thomsons.com" target="_blank">Sam.Barber@thomsons.com</a></font></td></tr>
<tr>
<td><font color="#7f7f7f" face="Arial" size="1">London SW1P 1PH</font></td>
<td><font color="#7f7f7f" face="Arial" size="1">W: <a href="http://www.thomsons.com/" target="_blank">www.thomsons.com</a></font></td></tr></tbody></table>
<p></p>
<p></p> <p></p><br><br>
<p align="center"><font style="background-color:#ffffff">This message has been scanned for malware by Websense. </font><a href="http://www.websense.com/" target="_blank"><font style="background-color:#ffffff" color="#000000">www.websense.com</font></a></p>
</div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
<br></blockquote></div><br></div>