Realm spoofing spec patch

Recordon, David drecordon at verisign.com
Fri May 25 00:54:02 UTC 2007


Hey Josh,
Thanks for writing this up!

I'm a bit confused by the number of "SHOULD"s in this patch.

+        Relying Parties SHOULD use the Yadis protocol to publish their
+        valid return_to URLs. The relying party MAY publish this
+        information at any URL, and SHOULD publish it under the realm
+        so that providers can verify return_to URLs.
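Review bot: the MAY in the second sentence undercuts the SHOULD in the third. An RP that publishes its return_to list somewhere other than under the realm has complied with this text, yet a provider that performs discovery on the realm will find nothing. Suggest dropping "at any URL", or stating that the provider performs discovery on the realm URL only, so the two sentences describe a single behaviour.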

+            OpenID providers SHOULD verify that the return_to URL
+            specified in the request is an OpenID relying party
+            endpoint.
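Review bot: "is an OpenID relying party endpoint" does not say what is compared against what. The preceding hunk has the RP publish return_to URLs, so suggest "matches one of the return_to URLs published under the realm" so the verification step names its input.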

+            If verification is attempted and fails, the provider
+            SHOULD NOT send a positive assertion to that return_to
+            URL. 
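Review bot: "attempted and fails" leaves undefined the case where discovery under the realm yields no return_to list at all, so a provider may read that as "not attempted" and still send the positive assertion. Suggest naming that outcome explicitly and saying what the provider does with it (treat it as a failure, or warn the user), since that is the case a proxying site produces.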

It seems that this methodology only works if either:
 1) Every site (RP or proxy) publishes their return_to endpoints or that
they don't have any.
 2) An OP refuses to let the user log in to an RP which doesn't publish
their return_to endpoint.

I'm unconvinced that either of those situations will actually become
prevalent and thus worried about the effectiveness of this methodology.

Using the same example from IIW, I am logging into
http://evilrp.com/return_to which is proxying itself through
http://www.google.com/translate/.  If my OP were to prompt me, "We're
unable to verify the site
(http://www.google.com/translate/?http://evilrp.com/return_to) you're
logging into, you should use caution when proceeding" I'm unsure how
many users would actually not proceed, or rather see "google.com" and
decide it is alright.

I guess since we're unable to fully resolve this issue from a technical
perspective, and no, I don't have a better technical solution, I'm
wondering if this should actually be an extension to the core protocol
versus seeming like a resolution to the problem when it really doesn't
completely solve it.  In some senses I see this as a larger problem
around trust of Relying Parties.

--David


-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
Behalf Of Josh Hoyt
Sent: Thursday, May 24, 2007 4:19 PM
To: OpenID specs list
Subject: Realm spoofing spec patch

Hello,

I've added a section to the specification[1] about performing
verification on the realm to avoid realm spoofing. In short, realm
spoofing is the problem of exploiting a bug on a site that a user would
trust to trick them into sending their information to a site that they
would not trust. This is very similar to many phishing attacks. The
difference between this type of attack and a standard phishing attack is
that the user will (usually) only see the realm, and the realm may
actually be trusted, so even an educated user who's paying attention may
be vulnerable.

There are also (minor) changes to the section on discovering relying
parties[2].

The fix that is described is for the relying party to provide a
whitelist of URL patterns that should be usable as return_to URLs.
Relying parties should be as restrictive as possible when specifying
return_to URLs.

This is the fix that was discussed at the Internet Identity Workshop, by
all of the spec editors and several prominent members of the OpenID
community. Please review the additions. If you'd like to see the
specific changes, you can look at the diffs in revision control[3].

Josh


1. <http://j3h.janrain.com/openid-specs-rendered/openid-authentication_svn-327.html#return_to_verification>
2. <http://j3h.janrain.com/openid-specs-rendered/openid-authentication_svn-327.html#return_to_verification>
3. <http://openid.net/svn/listing.php?repname=specifications&path=&rev=326&sc=1>
_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs
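The provider-side check Josh's patch describes, written out as an added example that is not part of this thread or of the specification: parse the return_to URLs an RP publishes in an XRDS (Yadis) document and decide whether the return_to in a request is covered. The XRDS document, the host names, the service type URI and the matching rule (same scheme and host:port, path prefix, published query parameters preserved) are this example's own assumptions; the third outcome, "unverifiable", is the case David's reply raises, where nothing is published under the realm.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

XRD_NS = "{xri://$xrd*($v*2.0)}"
# Service type for published return_to URLs (an assumption of this example;
# the draft text quoted in the thread does not name one).
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

# Constructed XRDS document standing in for what an RP would serve under
# its realm; the host is sample data, not a real site.
EXAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>http://www.example-rp.test/openid/return</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def published_return_to_urls(xrds_xml):
    """Collect the return_to URLs an RP lists in its XRDS document."""
    urls = []
    for service in ET.fromstring(xrds_xml).iter(XRD_NS + "Service"):
        if RETURN_TO_TYPE in [t.text for t in service.findall(XRD_NS + "Type")]:
            urls += [u.text.strip() for u in service.findall(XRD_NS + "URI")]
    return urls


def return_to_matches(published, candidate):
    """Matching rule (this example's assumption): equal scheme and host:port,
    candidate path begins with the published path, and every query parameter
    of the published URL appears unchanged in the candidate."""
    p, c = urlsplit(published), urlsplit(candidate)
    if (p.scheme.lower(), p.netloc.lower()) != (c.scheme.lower(), c.netloc.lower()):
        return False
    if not c.path.startswith(p.path):
        return False
    wanted = parse_qs(p.query, keep_blank_values=True)
    got = parse_qs(c.query, keep_blank_values=True)
    return all(got.get(k) == v for k, v in wanted.items())


def verify_return_to(return_to, xrds_xml):
    """OP-side decision. xrds_xml is None when discovery under the realm found
    nothing; that outcome is reported on its own so 'nothing published' is
    never silently counted as 'verified'."""
    published = published_return_to_urls(xrds_xml) if xrds_xml else []
    if not published:
        return "unverifiable"
    return "verified" if any(return_to_matches(u, return_to) for u in published) else "failed"
```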
