[<prev] [next>] [day] [month] [year] [list]
Message-ID: <fcdfb4eb0803230949t41e5d6cbn4a3cc9fb0cf6da6b@mail.gmail.com>
Date: Sun, 23 Mar 2008 12:49:09 -0400
From: Kern <timetrap@...il.com>
To: "Paul Schmehl" <pauls@...allas.edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: OpenID. The future of authentication on the
web?
OpenID represents (at least to the OSS world) the unified login structure
that has been the proprietary advantage of Microsoft for so long. This will
be an excellent technology for business to use internally (who control their
own servers and services). It allows the capabilities of Single Sign On
(SSO)to find a wider audience.
I did use OpenID for a few services . . . it was nice, but I began to worry
about outages on the OpenID server. If that server goes down, I may not be
able to log on to anything. But in response to the previous statement:
In general, I am opposed to anything that encourages people to use the same
id and password across multiple domains. The potential for complete
compromise of everything you have/own/are is too great.
In part I do agree. SSO can be dangerous, but it can also benefit the end
user. As an example: I have 15 websites that I use; banking, gmail, forums,
etc. Many people ALREADY have ONE or TWO password and user name combinations
for all of these websites. If there is a compromise in the database of a
forum that I use, the recipients of this data now have my bank account login
as well as many other valid logins.
>>From my understanding this scenario would not be possible with OpenID, all
of the password hashes on stored on the OpenID servers, not in separate
databases on each website that I access. But now because of the lack of a
unified auditing (OpenID keeps track of the authentication attempts) and my
inability to change passwords on all of the sites that I access at the same
time, I have to go to every web site that I access and change my user name
and password.
As far as the general public is concerned . . . I would recommend it in
limited use cases until the technology becomes more distributed and mature.
The reliance of "One Login to Rule Them All" can be very dangerous.
Ideally the best way to go about this would be to create a replication
system (like DNS or USENET) where an update on one server is then made
available to all servers connected to the OpenID network (that network,
being worldwide, and moving transparently across political and business
borders). But then OpenID, can become a means to control access to
services. Imagine worst case scenarios ; Rouge OpenID servers, Governments
denying access to seditious users, Identity theft on a grand scale, etc.
That being said; these scenarios (and many more) will keep Full Disclosure
and Computer Security Experts in business for a long long time.
As computers move away from a standalone platform and towards an always
networked application interface, we will need this OpenID model. But it
needs a lot of work, and a lot of field testing.
--Joseph Kern
On Sun, Mar 23, 2008 at 11:50 AM, Paul Schmehl <pauls@...allas.edu> wrote:
> --On Sunday, March 23, 2008 5:18 AM -0700 Steven Rakick
>
> <stevenrakick@...oo.com> wrote:
>
> > Hello list,
> >
> > I'm curious what the group thinks about the recent
> > surge in support for OpenID across the web and the
> > impact it will have.
> >
> > 1) Beemba - http://www.beemba.com
> > 2) ClaimID - http://www.claimid.com
> > 3) MyOpenID - http://www.myopenid.com
> > 4) Many others...
> >
> > These sites are gaining in popularity quickly and with
> > the announcements of support from big players Yahoo,
> > AOL, Microsoft and Google, combined with smaller
> > web2.0 celeb-run sites like Digg, OpenID appears to
> > what will eventually be the norm.
> >
> > Thoughts?
> >
>
> In general, I am opposed to anything that encourages people to use the
same
> id and password across multiple domains. The potential for complete
> compromise of everything you have/own/are is too great.
>
> Paul Schmehl (pauls@...allas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists