[security] SSL compromise
John Bradley
ve7jtb at ve7jtb.com
Thu Mar 24 17:19:59 UTC 2011
The obvious vulnerability would be an attacker who knew some number of OpenIDs at a given RP; by spoofing DNS and SSL they could gain access to those accounts by setting up a rogue IdP with the fraudulent SSL cert.
This requires a DNS or routing vulnerability at the RP to be successful.
Not an easy attack.
However no attack is good.
For the FICAM OpenID profile we required OCSP or CRL checking for RPs to mitigate this risk.
John B.
On 2011-03-24, at 1:08 PM, Mike Hanson wrote:
> Thanks for the clarification, Phillip.
>
> m
>
> On Mar 24, 2011, at 10:06 AM, Phillip Hallam-Baker wrote:
>
>> No login servers were affected.
>>
>> Several domains on which the servers are deployed were affected but not the login servers.
>>
>>
>>
>> On Thu, Mar 24, 2011 at 12:48 PM, Mike Hanson <mhanson at mozilla.com> wrote:
>> Comodo has posted a detailed incident report here:
>> http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
>>
>> Several login servers were affected.
>>
>> -MH
>>
>>
>> On Mar 24, 2011, at 7:09 AM, John Bradley wrote:
>>
>> >
>> >
>> > http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
>> >
>> > The browser vendors blocking those certificates is nice; however, there are attacks on RPs that could be done with those certificates that are still open.
>> >
>> > In testing something like 0% of RPs check OCSP or CRL; the libs don't force OpenSSL to do those checks (I think DNOA will do them in FICAM mode).
>> >
>> > So perhaps encouraging people to perform those checks would be a good idea.
>> >
>> > We can only hope that none of the 9 certificates cover an OpenID OP; otherwise user accounts at RPs could theoretically be compromised.
>> >
>> > John B.
>> >
>> >
>> > _______________________________________________
>> > security mailing list
>> > security at lists.openid.net
>> > http://lists.openid.net/mailman/listinfo/openid-security
>>
>>
>>
>>
>> --
>> Website: http://hallambaker.com/
>>
>
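The thread's point is that an RP's TLS library validates the chain but does not, by itself, consult a CRL or OCSP, so a mis-issued certificate stays usable against the RP until the RP adds that step. The example below, added here and not code from the thread, DNOA or any other project, shows the revocation step in Go's standard library rather than OpenSSL: it mints a throw-away CA, a leaf certificate for the hypothetical provider host `op.example.test`, and a CRL signed by that CA (all constructed in memory), then runs chain validation followed by a CRL lookup that rejects a revoked serial and refuses to decide on a stale CRL. `providerHost`, `buildTestPKI`, `checkRevocation` and `verifyProvider` are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Both errors mean "do not trust this provider"; a stale CRL is not a pass.
var (
	ErrRevoked  = errors.New("provider certificate serial is listed in the issuer CRL")
	ErrStaleCRL = errors.New("issuer CRL is past nextUpdate; refusing to decide on stale data")
)

const providerHost = "op.example.test" // hypothetical OP hostname, constructed for this example

// testPKI is constructed in-memory trust material (CA, leaf for providerHost,
// DER-encoded CRL signed by the CA). Nothing in it is real.
type testPKI struct {
	CA, Leaf *x509.Certificate
	CRL      []byte
	Now      time.Time
}

// mkCert signs a template with the parent and returns the parsed certificate.
func mkCert(tmpl, parent *x509.Certificate, pub any, key crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildTestPKI mints the CA, the leaf and the CRL. With revokeLeaf=true the CRL
// lists the leaf serial, modelling a mis-issued cert the CA has since revoked.
func buildTestPKI(revokeLeaf bool) (*testPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is needed to sign the CRL
	}
	ca, err := mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, err
	}
	leaf, err := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: providerHost},
		DNSNames:  []string{providerHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{CA: ca, Leaf: leaf, CRL: crlDER, Now: now}, nil
}

// checkRevocation is the step the thread says almost no RP performs. Go's crypto/tls
// does not do it for you, just as the thread notes for OpenSSL-based libraries.
func checkRevocation(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	// A foreign or unsigned CRL must not be able to "un-revoke" anything.
	if !bytes.Equal(crl.RawIssuer, issuer.RawSubject) {
		return errors.New("CRL issuer does not match the certificate issuer")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// verifyProvider is what an RP should run on the OP's certificate: validate the
// chain for the expected hostname, then apply the revocation check to the leaf.
func verifyProvider(host string, leaf, root *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return err
	}
	return checkRevocation(leaf, chains[0][1], crlDER, now) // chains[0][1] signed the leaf
}
```

Note that `verifyProvider` fails closed: a CRL whose `nextUpdate` has passed produces `ErrStaleCRL` rather than being treated as "nothing revoked", which is the behaviour an RP wants when the CA's revocation data cannot be trusted to be current.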