[security] SSL compromise

Andrew Arnott andrewarnott at gmail.com
Thu Mar 24 19:27:44 UTC 2011


FYI, DotNetOpenAuth performs CRL checks regardless of profile if the
web.config file is set correctly.  All the samples DNOA ships with have this
turned on by default.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
We're hiring! My team at Microsoft has 7 open slots. http://bit.ly/fZBVUo



On Thu, Mar 24, 2011 at 10:19 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> The obvious vulnerability would be an attacker that knew some number of
> openIds at a given RP; by spoofing DNS and SSL they could gain access to
> those accounts by setting up a rogue IdP with the fraudulent SSL cert.
>
> This requires a DNS or routing vulnerability at the RP to be successful.
>
> Not an easy attack.
>
> However no attack is good.
>
> For the FICAM openID profile we required OCSP or CRL checking for RP to
> mitigate this risk.
>
> John B.
>
> On 2011-03-24, at 1:08 PM, Mike Hanson wrote:
>
> Thanks for the clarification, Phillip.
>
> m
>
> On Mar 24, 2011, at 10:06 AM, Phillip Hallam-Baker wrote:
>
> No login servers were affected.
>
> Several domains on which the servers are deployed were affected but not the
> login servers.
>
>
>
> On Thu, Mar 24, 2011 at 12:48 PM, Mike Hanson <mhanson at mozilla.com> wrote:
>
>> Comodo has posted a detailed incident report here:
>> http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
>>
>> Several login servers were affected.
>>
>> -MH
>>
>>
>> On Mar 24, 2011, at 7:09 AM, John Bradley wrote:
>>
>> >
>> > http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
>> >
>> > The browser vendors blocking those certificates is nice, however there
>> > are attacks on RP that could be done with those certificates that are still
>> > open.
>> >
>> > In testing something like 0% of RP check OCSP or CRL, the libs don't
>> > force openSSL to do those checks (I think DNOA will do them in FICAM mode)
>> >
>> > So perhaps encouraging people to perform those checks would be a good
>> > idea.
>> >
>> > We can only hope that none of the 9 certificates cover openID OP,
>> > otherwise user accounts at RP could theoretically be compromised.
>> >
>> > John B.
>> >
>> >
>> > _______________________________________________
>> > security mailing list
>> > security at lists.openid.net
>> > http://lists.openid.net/mailman/listinfo/openid-security
>>
>>
>
>
>
> --
> Website: http://hallambaker.com/
>
>
>
>
>
>
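The gap John Bradley describes above (chain validation passing while revocation is never consulted) is easy to reproduce in a few lines. The following is an added example, not code from the thread or from DotNetOpenAuth: it builds a throwaway test CA, issues a leaf certificate for a hypothetical OP host (`op.example.test`, a constructed name), revokes it in a CRL signed by that CA, and then compares plain chain verification with verification that also consults the CRL. All keys, names and serial numbers are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// buildDemoPKI creates a throwaway CA, a leaf certificate for the constructed
// host op.example.test, and a CRL (signed by the CA) that revokes that leaf.
// Everything here is generated test material, not a real certificate.
func buildDemoPKI() (ca, leaf *x509.Certificate, crlDER []byte, err error) {
	now := time.Now()

	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is required for this CA to sign the revocation list below.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "op.example.test"},
		DNSNames:     []string{"op.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, nil, err
	}

	// The CA revokes the leaf: this is the state a CA is in after it has
	// discovered a mis-issued certificate and published a new CRL.
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)},
		},
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return ca, leaf, crlDER, err
}

// verifyChainOnly is what most TLS stacks do by default: build a chain to a
// trust anchor and check names and validity, with no revocation check at all.
func verifyChainOnly(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// verifyWithCRL adds the step the thread asks RPs to perform: after the chain
// checks out, fetch the issuer's CRL (here passed in, already obtained), confirm
// it is signed by the issuer and still fresh, and reject a revoked serial.
func verifyWithCRL(leaf, ca *x509.Certificate, crlDER []byte, host string) error {
	if err := verifyChainOnly(leaf, ca, host); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale (nextUpdate %s)", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime)
		}
	}
	return nil
}

func main() {
	ca, leaf, crl, err := buildDemoPKI()
	if err != nil {
		panic(err)
	}
	// Chain-only verification accepts the revoked certificate; the CRL-aware
	// check rejects it.
	fmt.Println("chain only:", verifyChainOnly(leaf, ca, "op.example.test"))
	fmt.Println("with CRL  :", verifyWithCRL(leaf, ca, crl, "op.example.test"))
}
```

The point of the two functions side by side is that `Verify` succeeding says nothing about revocation; a relying party that wants the protection discussed in this thread has to obtain the CRL (or an OCSP response) and make the extra check itself, and should treat a stale or unobtainable CRL as a decision to make deliberately rather than as a pass.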