Date: Mon, 24 Mar 2008 11:02:42 -0400
From: Abe Getchell <me@...getchell.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: OpenID. The future of authentication on the web?

Wanted the below to go to the list.

- Abe Getchell
me@...getchell.com
http://abegetchell.com/

-------- Forwarded Message --------
> From: Abe Getchell <me@...getchell.com>
> Reply-To: me@...getchell.com
> To: Paul Schmehl <pauls@...allas.edu>
> Subject: Re: [Full-disclosure] OpenID. The future of authentication on the web?
> Date: Mon, 24 Mar 2008 10:27:48 -0400
>
> On Sun, 2008-03-23 at 17:37 -0500, Paul Schmehl wrote:
> > Yes, and convenience is often the enemy of security.
>
> Convenience is not necessarily the enemy of security; rather, a fine line
> exists between usability (of which convenience is a component) and
> security. What is considered an acceptable risk when balancing the two
> is a personal viewpoint or company policy.
>
> > However, with OpenID, all I have to do is figure out how to capture your
> > credentials (which does not require that I compromise OpenID), and I can
> > own everything that you own. At least with the disparate systems we have
> > now you only get those things where I've been foolish enough to use the
> > same credentials. Even then you have to figure out what those systems
> > are. With OpenID I simply try every site that uses OpenID, trivial to do
> > programmatically.
>
> Let's compare OpenID and your home security. The OpenID technology is
> much like the key/lock combination on the external door(s) of your home.
> You have one key (username/password) that allows only you access to your
> entire home and all of the belongings inside (personal information).
> Having separate lockable doors which require a different key between
> each room in your home is comparable to having a separate
> username/password for every website to which you have access. The
> differences in usability and security, in both cases, are obvious. You
> trust the security of your belongings and family to the single key/lock
> combination on the front of your home; why wouldn't you trust the
> security of your personal information online to a comparable system? A
> credit report is much easier to clean up than the blood of a family
> member. Extreme and gruesome, yes, but there's truth in that statement.
>
> > The problem is, I have to trust the OpenID provider to both secure his/her
> > systems and hire trustworthy help. I have to do the same locally, but I
> > have a great deal more control and ability to monitor.
>
> When was the last time you had a copy of your key made at the local
> hardware store? How do you know they are not making an extra copy? Did
> they do a background check on the individual who is making the copy?
> What about the previous owners or renters of your home? Did the person
> who owned or rented the home previously return or destroy the keys? Did
> they make any copies and give them to anyone else? Did the person that
> made those copies make any extras? You have less control than you think.
>
> I understand your concerns in concept and appreciate the paranoia. It's
> what makes good security people good security people. When it comes down
> to it, though, you have to take on a certain amount of risk to make a
> system usable and available to end-users. I really hope that the
> industry starts to center their discussions about this technology around
> mitigating these risks rather than simply stating that the idea is a bad
> one.
>
> -
> Abe Getchell
> me@...getchell.com
> http://abegetchell.com/