Ohhh, I see. The confusion resulted from an ambiguous reading of the wording. I read this as<br>(independent
browser window) or (popup)<br>and not as<br>(independent
(browser window or popup))<br><br>Which made it seem like putting the login into a pop-up window somehow made it phishing resistant.<br><br>- Jacob<br><br><br><br><div class="gmail_quote">On Wed, Mar 24, 2010 at 12:25 PM, John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div style="word-wrap: break-word;">The idea is to try and not provide an experience that a phisher can easily emulate to capture the users credentials.<div>
<br></div><div>If the user is redirected to the real IDP it isn't a problem. If the OP allows frames or borderless popups, the user won't be able to tell if they are being phished when a bad site displays the same thing to them.</div>
<div><br></div><div>Some people think that the only safe thing is to do a full frame redirect and train users to look for the EV cert in the browser bar.</div><div><br></div><div>With browser redirect there is always the possibility of a bad actor. The question is how difficult is it for a user to detect.</div>
<div><br></div><div>John B.<div><div></div><div class="h5"><br><div><div>On 2010-03-23, at 6:53 PM, Jacob Bellamy wrote:</div><br><blockquote type="cite">Well, the third point listed is <br><br>"OpenID Providers MUST not allow their Login or Approval screens to be
framed by the RP. Allowing the Login or Approval screens to be framed
makes the approval flow vulnerable to <a href="http://en.wikipedia.org/wiki/Clickjacking" target="_blank">clickjacking</a>, and trains users to expect the URL Location bar to not have the OPs URL, leaving them vulnerable to phishing."<br>
<br>Framing and clickjacking are already covered. So presumably the first recommendation is trying to make a separate point.<br><br>- Jacob. <br><br><div class="gmail_quote">On Wed, Mar 24, 2010 at 11:44 AM, Andrew Arnott <span dir="ltr"><<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I think what that is getting at is that a Provider should not allow itself to be hosted in a frame. One objective being that the user can see in the address bar that they're talking to the genuine Provider and not a phishing site. Another objective being to mitigate against click-jacking attacks that iframe content is vulnerable to.<div>
<br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br></div><div><div></div><div><div class="gmail_quote">On Tue, Mar 23, 2010 at 3:21 PM, Jacob Bellamy <span dir="ltr"><<a href="mailto:toarms@gmail.com" target="_blank">toarms@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Actually one thing that has always had me a bit confused about the security recommendations in the wiki is the following:<br>"OpenID Providers that use passwords to authenticate users MUST require
that their password verification form be displayed in an independent
browser window or popup, with the address bar displayed.
OpenID Providers are strongly encouraged to educate their users about
the dangers of phishing, and how to recognize the OP's login screen."<br><br>How exactly does putting the login in a pop-up help prevent phishing? <br><font color="#888888"><br>- Jacob. <br></font><div><div></div>
<div><br><div class="gmail_quote">On Wed, Mar 24, 2010 at 5:30 AM, David Recordon <span dir="ltr"><<a href="mailto:recordond@gmail.com" target="_blank">recordond@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">And take a look at <a href="http://wiki.openid.net/OpenID-Security-Best-Practices" target="_blank">http://wiki.openid.net/OpenID-Security-Best-Practices</a>.<br>
<div><div></div><div><br>
On Tue, Mar 23, 2010 at 6:58 AM, Andrew Arnott <<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>> wrote:<br>
> I'll add a few:<br>
><br>
> Make sure to include XSRF measures on decision pages (do you want to log<br>
> into [this RP]?)<br>
> Be sure to not release new attribute values to each requesting RP without<br>
> prompting the user first.<br>
> For recycled OpenIDs, use the #fragment provision allowed for in the OpenID<br>
> 2.0 spec.<br>
> Consider only allowing OpenID 2.0 RPs and disallowing 1.1 RPs. That said, I<br>
> think most of the added security of 2.0 can be created against 1.1 RPs<br>
> anyway, and DotNetOpenAuth is one such library that already does this. But<br>
> it depends on your customers, I'd say, as an argument for just 2.0 support<br>
> is to help encourage the 1.1 RPs to finally upgrade.<br>
><br>
> Although it hasn't yet been refactored as we've once discussed on this list,<br>
> <a href="http://wiki.openid.net/SecurityIssues" target="_blank">http://wiki.openid.net/SecurityIssues</a> may still be a good resource for you<br>
> or a collecting ground for the results of this thread.<br>
><br>
> --<br>
> Andrew Arnott<br>
> "I [may] not agree with what you have to say, but I'll defend to the death<br>
> your right to say it." - S. G. Tallentyre<br>
><br>
><br>
> On Tue, Mar 23, 2010 at 6:17 AM, Bart van Delft <<a href="mailto:bartvandelft@yahoo.com" target="_blank">bartvandelft@yahoo.com</a>><br>
> wrote:<br>
>><br>
>> Hi Jaideep,<br>
>><br>
>><br>
>> Hope the following helps you answering your questions.<br>
>><br>
>> I happen to be looking into OpenID security aspects recently, so I could<br>
>> name a few things that might be useful (but a context would help indeed).<br>
>> Searching the internet you'll find a lot of security aspects on OpenID,<br>
>> however there does not appear to be a coherent / complete list somewhere.<br>
>> When our project is over (end of April) we'll post a 'whitepaper' on the<br>
>> findings online, hoping it helps and stimulates the community - the hints<br>
>> below at least give you an idea of what to look for, exact details on every<br>
>> aspect will be in the paper.<br>
>><br>
>> - use a standard, widely used and known to be reasonably secure library. I<br>
>> do not happen to know which ones those are, but sure others do :-) See the<br>
>> openid website for an extensive list. Most of the following points could be<br>
>> included in libraries but I am not aware of that being the case.<br>
>> (<a href="http://openid.net/developers/libraries/" target="_blank">http://openid.net/developers/libraries/</a>)<br>
>> - do not allow your provider's page to be framed. This prevents<br>
>> clickjacking / 'secretly' logging in users (or at least users will notice<br>
>> something strange is going on)<br>
>> - obey a Relying Party's policy such as "the user has to 'sign in' again<br>
>> before granting permission" etc. as much as possible. You could also choose<br>
>> to use these additional security measures by default.<br>
>> - use HTTPS<br>
>> - keep in mind the risk of 'OpenID recycling': if the account<br>
>> <a href="mailto:foo@yourOP.com" target="_blank">foo@yourOP.com</a> changes owner, you will probably clear the data of the<br>
>> previous owner from your server, however the RPs won't notice and the new<br>
>> owner could see the data on those RPs from the previous owner - if you find<br>
>> a good way to handle that problem please let me know :-)<br>
>> - phishing is even more of a problem than on regular login forms, so think<br>
>> about creating possibilities for users to set a 'personal icon', or have a<br>
>> 'time delayed submit button'. You could also inform your users about<br>
>> applications/addons such as seatBelt.<br>
>><br>
>> I don't know what precisely you mean by 'not so famous'? There are e.g.<br>
>> <a href="http://myid.net/" target="_blank">myid.net</a> and <a href="http://myopenid.com/" target="_blank">myopenid.com</a> that are not infamous but do seem to give the<br>
>> user confidence in being in a secure environment.<br>
>><br>
>> HTH,<br>
>><br>
>> Bart van Delft<br>
>><br>
>><br>
>><br>
>> ________________________________<br>
>> From: Breno de Medeiros <<a href="mailto:breno@google.com" target="_blank">breno@google.com</a>><br>
>> To: Jaideep Khandelwal <<a href="mailto:jdk2588@gmail.com" target="_blank">jdk2588@gmail.com</a>><br>
>> Cc: <a href="mailto:openid-security@lists.openid.net" target="_blank">openid-security@lists.openid.net</a><br>
>> Sent: Tue, March 23, 2010 1:29:23 PM<br>
>> Subject: Re: [security] Must to have for an Open ID Provider<br>
>><br>
>> Hi Jaideep,<br>
>><br>
>> Could you give some context about this request? Are you looking to put<br>
>> together developer documentation/guidance for external consumption? Or<br>
>> is this an internal survey?<br>
>><br>
>><br>
>><br>
>> On Tue, Mar 23, 2010 at 13:36, Jaideep Khandelwal <<a href="mailto:jdk2588@gmail.com" target="_blank">jdk2588@gmail.com</a>><br>
>> wrote:<br>
>> > Hello everyone,<br>
>> ><br>
>> > I have a few queries that I need to ask,<br>
>> ><br>
>> > What are the security concerns that should be kept in mind while<br>
>> > developing your own Open ID provider and what are the ways to check all<br>
>> > the<br>
>> > security aspects.<br>
>> > Can someone suggest some of the NOT SO FAMOUS Open ID providers but<br>
>> > providing the end users a sense of security.<br>
>> > Some links and resources will be helpful and appreciated<br>
>> ><br>
>> > Thanks<br>
>> ><br>
>> > Regards<br>
>> > Jaideep<br>
>> ><br>
>> > _______________________________________________<br>
>> > security mailing list<br>
>> > <a href="mailto:security@lists.openid.net" target="_blank">security@lists.openid.net</a><br>
>> > <a href="http://lists.openid.net/mailman/listinfo/openid-security" target="_blank">http://lists.openid.net/mailman/listinfo/openid-security</a><br>
>> ><br>
>> ><br>
>><br>
>><br>
>><br>
>> --<br>
>> --Breno<br>
>><br>
>> +1 (650) 214-1007 desk<br>
>> +1 (408) 212-0135 (Grand Central)<br>
>> MTV-41-3 : 383-A<br>
>> PST (GMT-8) / PDT(GMT-7)<br>
><br>
><br>
><br>
><br>
</div></div></blockquote></div><br>
</div></div><br>
<br></blockquote></div><br>
</div></div></blockquote></div><br>
</blockquote></div><br></div></div></div></div></blockquote></div><br>
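Two of the "must haves" raised in the thread, refusing to let the Provider's login and approval screens be framed (the clickjacking point) and putting XSRF measures on the "do you want to log into this RP?" decision page, as an added worked example. This is not code from the thread, from the OpenID wiki or from any OpenID library; the session id, the RP realm and the /approve path are constructed stand-ins, and the response headers used are the standard ones browsers honour for anti-framing (X-Frame-Options, and the later CSP frame-ancestors directive).

```python
"""
Added example, not code from the thread or from any OpenID library: a minimal
OpenID Provider approval endpoint ("do you want to log into this RP?") that
applies two controls raised above, refusing to be framed (clickjacking) and
putting an anti-XSRF token on the decision form. Standard library only; the
session id, RP realm and URLs are constructed stand-ins.
"""
import hashlib
import hmac
import html
import secrets
import time
from typing import Dict, Optional, Tuple

# Headers that stop the login/approval screen from being framed by an RP or
# an attacker's page. X-Frame-Options is the older, widely honoured header;
# frame-ancestors is the CSP equivalent and wins where both are understood.
ANTI_FRAMING_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

# Per-deployment secret held only on the OP (assumption: loaded from config in
# a real deployment; generated at import here so the example runs stand-alone).
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 600  # seconds an approval token stays valid


def _mac(session_id: str, rp_realm: str, issued_at: int) -> str:
    msg = f"{session_id}|{rp_realm}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_xsrf_token(session_id: str, rp_realm: str, now: Optional[int] = None) -> str:
    """Mint a token bound to the user's session AND the RP realm being approved.

    Binding to the realm means a token captured for one RP cannot be replayed
    to approve a different RP; binding to the session means a token from the
    attacker's own session is useless against the victim's.
    Format: "<issued_at>.<hex hmac>".
    """
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_mac(session_id, rp_realm, issued_at)}"


def verify_xsrf_token(token: str, session_id: str, rp_realm: str,
                      now: Optional[int] = None) -> bool:
    """Check format, age and MAC (constant-time compare). Any failure rejects."""
    current = int(time.time()) if now is None else now
    issued_str, sep, mac = token.partition(".")
    if not sep or not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    if issued_at > current or current - issued_at > TOKEN_TTL:
        return False
    return hmac.compare_digest(mac, _mac(session_id, rp_realm, issued_at))


def render_approval_page(session_id: str, rp_realm: str) -> Tuple[int, Dict[str, str], str]:
    """GET handler: return (status, headers, body) for the decision screen."""
    token = issue_xsrf_token(session_id, rp_realm)
    headers = dict(ANTI_FRAMING_HEADERS)
    headers["Content-Type"] = "text/html; charset=utf-8"
    safe_realm = html.escape(rp_realm, quote=True)
    body = (
        '<form method="POST" action="/approve">\n'
        f'  <input type="hidden" name="realm" value="{safe_realm}">\n'
        f'  <input type="hidden" name="xsrf" value="{token}">\n'
        f"  <p>Log into {safe_realm} with your OpenID?</p>\n"
        '  <button name="decision" value="yes">Yes</button>\n'
        '  <button name="decision" value="no">No</button>\n'
        "</form>\n"
    )
    return 200, headers, body


def handle_approval_post(form: Dict[str, str], session_id: str) -> Tuple[int, str]:
    """POST handler. session_id is what the OP's own session cookie resolves to.

    A cross-site form post (the classic XSRF) carries the victim's cookie but
    cannot read a token issued to that session, so it fails here before any
    decision is recorded.
    """
    realm = form.get("realm", "")
    if not verify_xsrf_token(form.get("xsrf", ""), session_id, realm):
        return 403, "xsrf check failed"
    if form.get("decision") != "yes":
        return 200, "denied"
    return 200, f"approved:{realm}"


if __name__ == "__main__":
    status, hdrs, page = render_approval_page("sess-123", "https://rp.example/")
    print(status, hdrs["X-Frame-Options"], hdrs["Content-Security-Policy"])
    print(page)
```

The anti-framing headers have to go on every response that renders the password or approval form (a `<meta>` tag is not honoured for X-Frame-Options), and DENY is the right value for an OP since, as the wiki text quoted above says, the screens must not be framed by anyone. Binding the XSRF token to both the session and the realm is the design choice worth noting: a token minted while approving one RP is rejected if the hidden realm field is swapped for another.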