[security] Must to have for an Open ID Provider
Bart van Delft
bartvandelft at yahoo.com
Tue Mar 23 13:17:20 UTC 2010
Hi Jaideep,
Hope the following helps you answer your questions.
I happen to have been looking into OpenID security aspects recently, so I can name a few things that might be useful (but some context would help indeed).
Searching the internet you'll find a lot on security aspects of OpenID; however, there does not appear to be a coherent/complete list anywhere.
When our project is over (end of April) we'll post a 'whitepaper' on the findings online, hoping it helps and stimulates the community - the hints below at least give you an idea of what to look for; exact details on every aspect will be in the paper.
- use a standard, widely used library that is known to be reasonably secure. I do not happen to know which ones those are, but surely others do :-) See the OpenID website for an extensive list. Most of the following points could be included in libraries, but I am not aware of that being the case. (http://openid.net/developers/libraries/)
- do not allow your provider's page to be framed. This prevents clickjacking / 'secretly' logging in users (or at least users will notice something strange is going on).
- obey a Relying Party's policy such as "the user has to 'sign in' again before granting permission" etc. as much as possible. You could also choose to use these additional security measures by default.
- use HTTPS
- keep in mind the risk of 'OpenID recycling': if the account foo at yourOP.com changes owner, you will probably clear the previous owner's data from your server; however, the RPs won't notice, and the new owner could see the previous owner's data on those RPs - if you find a good way to handle that problem, please let me know :-)
- phishing is even more of a problem than on regular login forms, so think about creating possibilities for users to set a 'personal icon', or have a 'time-delayed submit button'. You could also inform your users about applications/add-ons such as seatBelt.
I don't know what precisely you mean by 'not so famous'. There are e.g. myid.net and myopenid.com, which are not infamous but do seem to give the user confidence in being in a secure environment.
HTH,
Bart van Delft
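Added example (not part of Bart's message, and not code from any OpenID library): three of the OP-side controls in the list above, written as framework-free functions. The framing and HTTPS point becomes a set of response headers; "the user has to sign in again before granting permission" becomes an OP-side check of the Provider Authentication Policy Extension (PAPE 1.0) parameter openid.pape.max_auth_age, with the openid.pape.auth_time field the OP returns; and for the recycling problem it shows the scheme OpenID Authentication 2.0 itself recommends in section 11.5.1, where the OP appends a per-owner fragment to the Claimed Identifier so an RP's stored records for the old owner never match the new one. All function names, the sample request, the host names op.example / rp.example and the timestamps are this example's own assumptions.

```python
"""Added example, not code from this thread or from any OpenID library: three
of the OP-side controls listed above, as framework-free functions.
  op_security_headers     refuse framing (clickjacking) and pin HTTPS
  needs_reauthentication  honour a PAPE max_auth_age request ("sign in again
                          before granting permission")
  recycled_claimed_id     identifier recycling as OpenID Authentication 2.0
                          section 11.5.1 recommends: a per-owner fragment
Function names, sample request, host names and timestamps are assumptions.
"""
from datetime import datetime, timezone
from typing import Mapping, Optional

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"


def op_security_headers() -> dict:
    """Response headers for every OP page: login form, consent page, redirects."""
    return {
        # Two spellings of "nobody may frame this page": the legacy header
        # and the CSP directive that supersedes it.
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
        # After one HTTPS visit the browser refuses plain HTTP to this host.
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


def pape_alias(params: Mapping[str, str]) -> Optional[str]:
    """Alias the RP chose for the PAPE namespace ('pape' is only conventional),
    or None when the request does not use PAPE at all."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def needs_reauthentication(params: Mapping[str, str],
                           last_auth_time: Optional[datetime],
                           now: datetime) -> bool:
    """True if the user must log in again before this request is answered.
    last_auth_time: when the session last *actively* authenticated (password
    typed, not a remembered cookie); None = no session. Malformed input fails
    closed."""
    if last_auth_time is None:
        return True
    alias = pape_alias(params)
    if alias is None:
        return False                    # no PAPE: an existing session is enough
    raw = params.get(f"openid.{alias}.max_auth_age")
    if raw is None:
        return False                    # PAPE present, but no freshness limit
    try:
        max_age = int(raw)
    except ValueError:
        return True
    if max_age <= 0:
        return True                     # 0 = the RP wants an immediate re-login
    return (now - last_auth_time).total_seconds() > max_age


def pape_response_fields(auth_time: datetime) -> dict:
    """Fields for the positive assertion so the RP can verify *when* the user
    authenticated (ISO 8601, UTC, as PAPE requires)."""
    stamp = auth_time.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"openid.ns.pape": PAPE_NS, "openid.pape.auth_time": stamp}


def recycled_claimed_id(identifier: str, owner_token: str) -> str:
    """Claimed Identifier with a per-owner fragment. owner_token changes when
    the account changes hands; RPs store and compare the full URL, so records
    keyed on '...#old' never match the new owner's '...#new'."""
    base = identifier.partition("#")[0]    # never stack fragments
    return f"{base}#{owner_token}"


def display_identifier(claimed_id: str) -> str:
    """What an RP shows to the user: the identifier without its fragment."""
    return claimed_id.partition("#")[0]


# Constructed sample: a checkid_setup request from an RP that wants a login no
# older than five minutes, and session timestamps to test the rule against.
SAMPLE_REQUEST = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "checkid_setup",
    "openid.claimed_id": "https://op.example/foo",
    "openid.return_to": "https://rp.example/openid/return",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.max_auth_age": "300",
}
NOW = datetime(2010, 3, 23, 13, 17, 20, tzinfo=timezone.utc)
LOGIN_10_MIN_AGO = datetime(2010, 3, 23, 13, 7, 20, tzinfo=timezone.utc)
LOGIN_1_MIN_AGO = datetime(2010, 3, 23, 13, 16, 20, tzinfo=timezone.utc)
```

In a real OP the checkid_setup handler would call needs_reauthentication() first and, when it returns True, send the login form (with the headers from op_security_headers()) before ever showing the consent page; the alias lookup matters because an RP is free to register PAPE under a name other than 'pape', and hard-coding 'openid.pape.max_auth_age' would silently ignore such requests. The fragment scheme only helps if the RP keeps the fragment when storing the identifier, which is what section 11.5.1 asks RPs to do.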
________________________________
From: Breno de Medeiros <breno at google.com>
To: Jaideep Khandelwal <jdk2588 at gmail.com>
Cc: openid-security at lists.openid.net
Sent: Tue, March 23, 2010 1:29:23 PM
Subject: Re: [security] Must to have for an Open ID Provider
Hi Jaideep,
Could you give some context about this request? Are you looking to put
together developer documentation/guidance for external consumption? Or
is this an internal survey?
On Tue, Mar 23, 2010 at 13:36, Jaideep Khandelwal <jdk2588 at gmail.com> wrote:
> Hello everyone,
>
> I have a few queries that I need to ask,
>
> What are the security concerns that should be kept in mind while
> developing your own Open ID provider, and what are the ways to check all the
> security aspects?
> Can someone suggest some of the NOT SO FAMOUS Open ID providers that
> nevertheless give the end users a sense of security?
> Some links and resources will be helpful and appreciated
>
> Thanks
>
> Regards
> Jaideep
>
> _______________________________________________
> security mailing list
> security at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-security
>
>
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)