[security] One time form tokens

David Fuelling sappenin at gmail.com
Thu Apr 12 17:05:58 UTC 2007


Are these (and other best practices for OPs/RPs) being compiled somewhere
(like on the wiki)? I think this has been answered, but I'm not sure.

david

On 4/12/07, Martin Atkins <mart at degeneration.co.uk> wrote:
>
>
> Some good advice there, Gareth.
>
> gaz_sec at hushmail.com wrote:
> >
> > Another useful tip for securing OpenID servers is to use referrer
> > checking. Now, you might think that this is useless because the
> > referrer can be faked. However, in JavaScript it is more difficult
> > for a hacker to fake the referrer header, as headers can't be
> > easily sent with form posts, so referrer checking can actually
> > increase the security of your server and prevent some CSRF.
> >
>
> Be careful when using referrer checking, though.
>
> Many people use filtering proxies or other similar software which blocks
> the Referer header or alters it in some way. Behavior I've observed for
> such software is often one of:
>   * Don't send the Referer header at all.
>   * Set the Referer to be whatever URL is being requested.
>   * Set the Referer to be the root of the site to which the request is
> being sent.
>
> So if you're going to do referrer checking, it's best to firstly limit
> your checking to only ensuring that the hostname portion of the URL is
> correct, and also to allow the request through if the Referer header is
> completely absent. That will cover you for all of the above odd-ball
> cases without reducing the advantages of the referrer checking.
>
>
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>
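The lenient Referer check Martin describes above (compare only the hostname, and let the request through when the header is absent entirely), written out as an added example; this is not code from the thread or from any OpenID implementation, and the hostnames `openid.example` / `other.example` and the sample headers are constructed for illustration. It is meant as defence in depth beside one-time form tokens, not as a replacement for them.

```python
from typing import Optional
from urllib.parse import urlsplit


def referer_allowed(request_host: str, referer: Optional[str]) -> bool:
    """Lenient Referer check in the form Martin describes.

    request_host: hostname of the server handling the request (the OP's own
                  host), e.g. taken from the server configuration.
    referer:      raw value of the Referer header, or None when absent.
    """
    # Case 1: header stripped entirely by a filtering proxy -> let it through.
    if referer is None or referer.strip() == "":
        return True
    # Only the hostname is compared.  urlsplit().hostname drops scheme, port,
    # userinfo and path (and lowercases the host), so a proxy that rewrites
    # the Referer to the requested URL or to the site root still passes,
    # while a foreign host still fails.
    host = urlsplit(referer).hostname
    if host is None:
        # No parseable host (e.g. a bare path): the header carries no usable
        # origin information, so treat it as a failed check rather than guess.
        return False
    return host == request_host.lower()


# Constructed sample headers covering the behaviours listed in the thread.
SAMPLES = [
    ("absent header", None),
    ("proxy rewrites to requested URL",
     "https://openid.example/server?openid.mode=checkid_setup"),
    ("proxy rewrites to site root", "https://openid.example/"),
    ("normal same-site form post", "HTTPS://OPENID.EXAMPLE:443/login"),
    ("foreign site", "https://other.example/page"),
    ("look-alike subdomain", "https://openid.example.other.example/"),
    ("bare path, no host", "openid.example/login"),
]


def run_samples(request_host: str = "openid.example") -> dict:
    """Evaluate every constructed sample; returns {label: allowed}."""
    return {label: referer_allowed(request_host, ref) for label, ref in SAMPLES}


if __name__ == "__main__":
    for label, allowed in run_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```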