[security] Please convince me not to ban SSL (OP's)
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri May 8 07:29:58 UTC 2009
On 05/08/2009 07:27 AM, SitG Admin:
> I've been trying to go from "reasonable security" to "maximum
> security", and it's driving me up the proverbial wall. Spoofing (of
> DNS), where SSL is absent, has two forms that I can see: one is to
> spoof the OP client-side, and that much I can at least hold users
> responsible for - they need to look for that lock icon, and respond
> cautiously to bad certs. But it's *RP*-side that gets more
> complicated, if the URI itself is not served over SSL, because if the
> *server* gets fooled it will happily allow the "user" to authenticate
> with a new OP that has a perfectly valid and legitimate cert. So,
> while I'm not worried about a user giving away the credentials with
> their OP to an attacker, I *am* worried about an attacker posing as
> the user and tricking my server into accepting that claim.
>
> If the URI doesn't have SSL, it seems somewhat less than useless to
> put effort into supporting SSL for OP's. If the attacker is going to
> go to all the trouble of spoofing my server to pretend to be an OP,
> they might as well do it for the URI, in which case SSL won't help.
>
>
It's hard to spoof the delegation and server if secured over SSL and
chaining to a "trusted" root is enforced. A DNS attack on your RP would
then fail, which it would not if the OP doesn't enforce SSL. This scenario
is rather easy once the DNS server(s) are poisoned.
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
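The RP-side enforcement Eddy describes, as an added example that is not part of the thread or of any OpenID library: every discovery hop (claimed identifier, delegation, OP endpoint) must be fetched over HTTPS with chain validation to a trusted root and no redirect downgrade, so a poisoned resolver at the RP cannot substitute an OP endpoint. The hostnames and function names are illustrative assumptions.

```python
"""Added example: HTTPS-only OpenID discovery fetch for a Relying Party.
A DNS-poisoning attacker can point the RP at a rogue host, but cannot
present a certificate for that hostname chaining to a trusted root,
so validated TLS on every hop makes the substitution fail."""
import ssl
import urllib.request
from urllib.parse import urlsplit


class DiscoveryPolicyError(Exception):
    """Raised when a discovery hop would not be protected by TLS."""


def require_https(url: str) -> str:
    """Accept only https:// URLs that name a host; reject everything else."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise DiscoveryPolicyError(f"discovery hop not over TLS: {url}")
    return url


class HttpsOnlyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects only when the target is also https (no downgrade)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def strict_tls_context() -> ssl.SSLContext:
    """Chain validation against the system trust store plus hostname check."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_discovery_document(url: str, timeout: float = 10.0) -> bytes:
    """Fetch a claimed identifier page or XRDS document over validated TLS."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=strict_tls_context()),
        HttpsOnlyRedirectHandler(),
    )
    with opener.open(require_https(url), timeout=timeout) as resp:
        return resp.read()


def op_endpoint_allowed(claimed_id: str, op_endpoint: str) -> bool:
    """Policy on the discovery result: the identifier the user typed and the
    OP endpoint it resolved to must both be TLS-protected, or the RP refuses."""
    try:
        require_https(claimed_id)
        require_https(op_endpoint)
    except DiscoveryPolicyError:
        return False
    return True
```

`fetch_discovery_document` needs network access; the policy helpers run offline.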