Date: Sun, 23 Mar 2008 12:49:09 -0400
From: Kern <timetrap@...il.com>
To: "Paul Schmehl" <pauls@...allas.edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: OpenID. The future of authentication on the web?

OpenID represents (at least to the OSS world) the unified login structure
that has been the proprietary advantage of Microsoft for so long.  This will
be an excellent technology for business to use internally (who control their
own servers and services).  It allows the capabilities of Single Sign On
(SSO) to find a wider audience.

I did use OpenID for a few services ... it was nice, but I began to worry
about outages on the OpenID server.  If that server goes down, I may not be
able to log on to anything.  But in response to the previous statement:

In general, I am opposed to anything that encourages people to use the same
id and password across multiple domains.  The potential for complete
compromise of everything you have/own/are is too great.


In part I do agree. SSO can be dangerous, but it can also benefit the end
user. As an example: I have 15 websites that I use; banking, gmail, forums,
etc. Many people ALREADY have ONE or TWO password and user name combinations
for all of these websites.  If there is a compromise in the database of a
forum that I use, the recipients of this data now have my bank account login
as well as many other valid logins.

From my understanding this scenario would not be possible with OpenID; all
of the password hashes are stored on the OpenID servers, not in separate
databases on each website that I access.  But now because of the lack of a
unified auditing (OpenID keeps track of the authentication attempts) and my
inability to change passwords on all of the sites that I access at the same
time, I have to go to every web site that I access and change my user name
and password.

As far as the general public is concerned ... I would recommend it in
limited use cases until the technology becomes more distributed and mature.
The reliance of "One Login to Rule Them All" can be very dangerous.

Ideally the best way to go about this would be to create a replication
system (like DNS or USENET) where an update on one server is then made
available to all servers connected to the OpenID network (that network
being worldwide, and moving transparently across political and business
borders).  But then OpenID can become a means to control access to
services. Imagine worst case scenarios; rogue OpenID servers, governments
denying access to seditious users, identity theft on a grand scale, etc.

That being said; these scenarios (and many more) will keep Full Disclosure
and Computer Security Experts in business for a long long time.

As computers move away from a standalone platform and towards an always
networked application interface, we will need this OpenID model.  But it
needs a lot of work, and a lot of field testing.

--Joseph Kern

On Sun, Mar 23, 2008 at 11:50 AM, Paul Schmehl <pauls@...allas.edu> wrote:
> --On Sunday, March 23, 2008 5:18 AM -0700 Steven Rakick
>
> <stevenrakick@...oo.com> wrote:
>
> > Hello list,
> >
> > I'm curious what the group thinks about the recent
> > surge in support for OpenID across the web and the
> > impact it will have.
> >
> > 1) Beemba - http://www.beemba.com
> > 2) ClaimID - http://www.claimid.com
> > 3) MyOpenID - http://www.myopenid.com
> > 4) Many others...
> >
> > These sites are gaining in popularity quickly and with
> > the announcements of support from big players Yahoo,
> > AOL, Microsoft and Google, combined with smaller
> > web2.0 celeb-run sites like Digg, OpenID appears to
> > what will eventually be the norm.
> >
> > Thoughts?
> >
>
> In general, I am opposed to anything that encourages people to use the same
> id and password across multiple domains.  The potential for complete
> compromise of everything you have/own/are is too great.
>
> Paul Schmehl (pauls@...allas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
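The split Joseph describes, a password verifier kept only at the OpenID provider and nothing password-derived at each site, as an added toy model that is not OpenID library code nor anything from this thread; the per-relying-party association secret, nonce and HMAC-signed assertion are simplifications assumed here, loosely after OpenID 2.0 associations.

```python
import hashlib, hmac, os, secrets

# Constructed toy model (not OpenID library code): the provider holds the only
# password hash; each relying party (RP) holds only a per-RP association secret
# and verifies signed assertions, so a dumped RP database leaks no credential.

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class Provider:
    def __init__(self):
        self.users, self.assoc = {}, {}   # user -> (salt, hash); rp -> secret
    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _kdf(password, salt))
    def associate(self, rp: str) -> bytes:  # one shared secret per relying party
        self.assoc[rp] = secrets.token_bytes(32)
        return self.assoc[rp]
    def assert_login(self, user, password, rp, nonce):
        """Return an HMAC assertion bound to (rp, user, nonce), or None on bad password."""
        salt, h = self.users[user]
        if not hmac.compare_digest(h, _kdf(password, salt)):
            return None
        return hmac.new(self.assoc[rp], f"{rp}|{user}|{nonce}".encode(), "sha256").digest()

class RelyingParty:
    def __init__(self, name: str, provider: Provider):
        self.name, self.secret = name, provider.associate(name)
        self.seen = set()                  # nonces already consumed (replay defence)
    def login(self, user, nonce, signature) -> bool:
        if signature is None or nonce in self.seen:
            return False
        expected = hmac.new(self.secret, f"{self.name}|{user}|{nonce}".encode(), "sha256").digest()
        ok = hmac.compare_digest(expected, signature)
        if ok:
            self.seen.add(nonce)
        return ok

def scenario(password="correct horse"):
    """(forged with forum secret, forum assertion reused at bank, genuine, replay, wrong pw)."""
    op = Provider(); op.register("alice", password)
    forum, bank = RelyingParty("forum", op), RelyingParty("bank", op)
    n = secrets.token_hex(8)
    genuine = op.assert_login("alice", password, "bank", n)
    forged = hmac.new(forum.secret, f"bank|alice|{n}".encode(), "sha256").digest()
    cross = op.assert_login("alice", password, "forum", n)
    return (bank.login("alice", n, forged), bank.login("alice", n, cross),
            bank.login("alice", n, genuine), bank.login("alice", n, genuine),
            op.assert_login("alice", "wrong", "bank", n))
```

Note that the single point of failure Joseph worries about is visible in the model too: every login goes through `Provider.assert_login`, so an unavailable provider blocks every relying party at once.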

