[security] SSL compromise
John Bradley
ve7jtb at ve7jtb.com
Thu Mar 24 19:32:44 UTC 2011
Thanks Andrew, I think DNOA is the only RP lib doing that.
John B.
On 2011-03-24, at 3:27 PM, Andrew Arnott wrote:
> FYI, DotNetOpenAuth performs CRL checks regardless of profile if the web.config file is set correctly. All the samples DNOA ships with have this turned on by default.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
> We're hiring! My team at Microsoft has 7 open slots. http://bit.ly/fZBVUo
>
>
>
> On Thu, Mar 24, 2011 at 10:19 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> The obvious vulnerability would be an attacker that knew some number of OpenIDs at a given RP; by spoofing DNS and SSL they could gain access to those accounts by setting up a rogue IdP with the fraudulent SSL cert.
>
> This requires a DNS or routing vulnerability at the RP to be successful.
>
> Not an easy attack.
>
> However no attack is good.
>
> For the FICAM OpenID profile we required OCSP or CRL checking for RPs to mitigate this risk.
>
> John B.
>
> On 2011-03-24, at 1:08 PM, Mike Hanson wrote:
>
>> Thanks for the clarification, Phillip.
>>
>> m
>>
>> On Mar 24, 2011, at 10:06 AM, Phillip Hallam-Baker wrote:
>>
>>> No login servers were affected.
>>>
>>> Several domains on which the servers are deployed were affected but not the login servers.
>>>
>>>
>>>
>>> On Thu, Mar 24, 2011 at 12:48 PM, Mike Hanson <mhanson at mozilla.com> wrote:
>>> Comodo has posted a detailed incident report here:
>>> http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
>>>
>>> Several login servers were affected.
>>>
>>> -MH
>>>
>>>
>>> On Mar 24, 2011, at 7:09 AM, John Bradley wrote:
>>>
>>> >
>>> >
>>> > http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
>>> >
>>> > The browser vendors blocking those certificates is nice; however, there are attacks on RPs that could be done with those certificates that are still open.
>>> >
>>> > In testing, something like 0% of RPs check OCSP or CRL; the libs don't force OpenSSL to do those checks (I think DNOA will do them in FICAM mode).
>>> >
>>> > So perhaps encouraging people to perform those checks would be a good idea.
>>> >
>>> > We can only hope that none of the 9 certificates cover an OpenID OP, otherwise user accounts at RPs could theoretically be compromised.
>>> >
>>> > John B.
>>> >
>>> >
>>> > _______________________________________________
>>> > security mailing list
>>> > security at lists.openid.net
>>> > http://lists.openid.net/mailman/listinfo/openid-security
>>>
>>>
>>>
>>>
>>> --
>>> Website: http://hallambaker.com/
>>>
>>
>
>
>
>
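As an added example (editor-supplied code, not from the thread, from DNOA, or from any other RP library), here is the check John describes above, written in Go. Go's crypto/tls and crypto/x509, like the OpenSSL defaults he mentions, build and validate the chain but do no revocation checking on their own, so the RP has to add it. The program builds a throwaway CA, a server certificate for the assumed OP host op.example and a CA-signed CRL (all constructed in memory, not real data), then shows that plain chain validation accepts the revoked certificate while a CRL-aware check rejects it. The function names, the host name and the CRL cache keyed by issuer subject are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("certificate is revoked")

// VerifyOPCert adds the step the thread says most RP libraries skip: after the usual
// chain build and host-name match, every non-root certificate is looked up in its
// issuer's CRL (crls maps issuer subject, pkix.Name.String(), to a DER CRL, as an RP
// might cache them). A missing, badly signed or stale CRL fails closed.
func VerifyOPCert(leaf *x509.Certificate, roots *x509.CertPool, host string, crls map[string][]byte) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for chain, i := chains[0], 0; i < len(chain)-1; i++ { // the trust anchor itself is not checked
		cert, issuer := chain[i], chain[i+1]
		der, ok := crls[issuer.Subject.String()]
		if !ok {
			return fmt.Errorf("no CRL for issuer %q", issuer.Subject)
		}
		crl, err := x509.ParseRevocationList(der)
		if err != nil {
			return err
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("CRL for %q: %w", issuer.Subject, err)
		}
		if time.Now().After(crl.NextUpdate) {
			return fmt.Errorf("CRL for %q is stale", issuer.Subject)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return ErrRevoked
			}
		}
	}
	return nil
}

// BuildFixture makes a constructed throwaway PKI (not real-world data): a root pool with one
// CA, a server cert for the hypothetical OP host, and a CA-signed CRL that revokes it if asked.
func BuildFixture(opHost string, revokeLeaf bool) (*x509.CertPool, *x509.Certificate, map[string][]byte, error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER) // freshly created DER always parses
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: opHost}, DNSNames: []string{opHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, leaf, map[string][]byte{caCert.Subject.String(): crlDER}, nil
}

func main() {
	for _, revoked := range []bool{false, true} {
		roots, leaf, crls, err := BuildFixture("op.example", revoked)
		if err != nil {
			panic(err)
		}
		// Chain-only validation, where most RP libraries stop, accepts both certs.
		_, chainErr := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "op.example"})
		fmt.Println("revoked:", revoked, "chain-only:", chainErr, "with CRL:", VerifyOPCert(leaf, roots, "op.example", crls))
	}
}
```

In a real RP the CRLs would be fetched from the certificate's CRL distribution points (or replaced by an OCSP query) and cached until NextUpdate, and the check would be wired into tls.Config.VerifyPeerCertificate so that the handshake to the OP itself fails rather than a later application step. The fail-closed choice matters for the scenario in the thread: an attacker who can spoof DNS for the RP can just as easily make the CRL server unreachable, so "could not fetch CRL" must not be treated as "not revoked".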