Date: Sun, 23 Mar 2008 14:52:53 +0000
From: "Petko D. Petkov" <pdp.gnucitizen@...glemail.com>
To: "Steven Rakick" <stevenrakick@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: OpenID. The future of authentication on the web?

Hi Steven,

I guess most 1337 hax0rs will flame you on this list. There are good
security blogs you can follow and learn from instead. Full-disclosure
is for rants and bashing only!

I can point you to some articles that I wrote regarding OpenID,
however, let me share my thoughts quickly as that will save you some
time and of course if you are still curious you can go research
further.

First of all, OpenID is a very simple but rather useful technology.
With OpenID you have only one account, your ID, which you can use
everywhere the OpenID technology is supported. It is not clear
whether this setup is more secure than what we have at the moment
(every site forces you to register a unique username/password pair) but
it is definitely more convenient. The first argument "for" OpenID is
that the more you share your secrets, credit card information,
usernames, passwords, the higher the chance that this information will be
leaked or stolen. On the other hand, OpenID is prone to phishing
attacks so user education is required.

Think about OpenID as the equivalent of PayPal for authentication. In
theory, it is more secure to pay through PayPal as you are not sharing
your credit card information with everyone else but a single provider.

I am all "for" OpenID as you can spend good time on securing a single
system. If the OpenID provider is not vulnerable to common Web attacks
and it provides good privacy mechanisms such as SSL, on top of
which are built good authentication features such as one-time tokens,
etc., then OpenID is the preferable choice. Keep in mind though,
that if your OpenID account is hacked, the attacker will be able to
log in as you anywhere they want. This is the main concern and
disadvantage.

pdp

P.S. Dear list, the only reason I am not private-messaging Steven is
because I believe that there are other people who are interested in
this topic. So, instead of wasting valuable resources and energy
answering everyone individually, I've decided to do it once, hoping
that this message will be seen by others. Thanks!

On Sun, Mar 23, 2008 at 12:18 PM, Steven Rakick <stevenrakick@...oo.com> wrote:
> Hello list,
>
>  I'm curious what the group thinks about the recent
>  surge in support for OpenID across the web and the
>  impact it will have.
>
>  1) Beemba - http://www.beemba.com
>  2) ClaimID - http://www.claimid.com
>  3) MyOpenID - http://www.myopenid.com
>  4) Many others...
>
>  These sites are gaining in popularity quickly and with
>  the announcements of support from big players Yahoo,
>  AOL, Microsoft and Google, combined with smaller
>  web2.0 celeb-run sites like Digg, OpenID appears to
>  be what will eventually be the norm.
>
>  Thoughts?
>
>  I've also noticed that many of these sites are
>  bundling Information Card support (CardSpace on
>  Windows). Sounds like a good idea as it complements
>  OpenID and helps address some weaknesses.
>
>  Again, any thoughts?
>
>  I'm really just interested in a dialog.
>
>  -sr
>
>
>
>  _______________________________________________
>  Full-Disclosure - We believe in it.
>  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>  Hosted and sponsored by Secunia - http://secunia.com/
>



-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org
