Date: Mon, 24 Mar 2008 07:43:27 -0700 (PDT)
From: Steven Rakick <stevenrakick@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: OpenID. The future of authentication on the web?

Let's be realistic here. It's not about the technical
feasibility, it's about an open standard people trust
and have bought into. This is what Information Cards
are in my mind, much the same as OpenID. 

Sure you could go out and create an extension to serve
the same purpose in your own way, but who would trust
it? I mean PDP is known for JavaScript port scanning
via XSS (I know you've done more but...), not
authentication.

My point is simple. With OpenID + Information Cards
much of the security concerns/weaknesses (phishing,
password theft/loss) around OpenID as a protocol are
addressed. Sure you still have to trust the provider
(or write your own), but the implementation can be
secure, open and publicly accessible using currently
available and supported web technologies. Beemba and
MyOpenID currently do this.

BTW, Firefox 3 will have support for Information Cards
by default and an extension is available for Firefox 2
at Codeplex.

-sr

On Mon, Mar 24, 2008 at 5:25 AM, Petko D. Petkov
<pdp.gnucitizen@...glemail.com> wrote:
> Let's put it this way,
> 
> It is easy to prevent phishing attacks against OpenID on the
> client-side with browser extensions. In fact, I think that Firefox
> will make this feature a default in their upcoming versions. It could
> work exactly the same as the current trusted certificate authorities
> every single web browser comes with. You will have a list of trusted
> OpenID providers' domains which are also cross-matched with their SSL
> certificates and URLs. Done!
> 
> If Firefox is not planning to implement this feature, heck I will code
> it myself. This is a hello world XUL extension.
> 
> pdp
> 
> 
> On Sun, Mar 23, 2008 at 11:16 PM, Steven Rakick <stevenrakick@...oo.com> wrote:
> > Many of you have brought up that OpenID is vulnerable
> > to phishing and have highlighted weaknesses specific to
> > traditional username/password authentication.
> >
> > This was the main reason I brought up Information Cards
> > in my original post. I've noticed that Beemba
> > (http://www.beemba.com) and MyOpenID
> > (http://www.myopenid.com) have both implemented
> > Information Cards as an authentication option.
> >
> > Good idea?
> >
> > It seems to me that if you were to rely on Information
> > Cards as opposed to username/password the phishing
> > angle is mitigated. Is this not the case?
> >
> > -sr
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> 
> --
> 
> Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters
> 
> gnucitizen.org | hakiri.org | spinhunters.org
> 



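The anti-phishing scheme pdp sketches in the quoted reply (a browser-side list of trusted OpenID provider domains, each cross-matched with the provider's SSL certificate and URL) is easy to state and easy to get subtly wrong. The following is an added example, not code from this thread, from Firefox, or from any XUL extension; it models the decision such an extension would make before letting a user type a password at a provider's login URL. The provider hostnames are the two named in the thread, but the certificate bytes and the pinned fingerprints derived from them are constructed for this example and are not the providers' real certificates.

```python
# Added example, not code from the thread or from any Firefox extension it
# mentions: a minimal client-side trust check in the spirit of what pdp
# describes. A fixed list of trusted OpenID provider domains is cross-matched
# with a pinned TLS certificate fingerprint, and the check runs before the
# user is allowed to enter credentials at a provider URL.
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-ins for the providers' DER-encoded TLS certificates.
# Real code would take the certificate bytes from the TLS handshake; these
# byte strings exist only so the example runs offline.
MYOPENID_CERT = b"constructed DER stand-in for www.myopenid.com"
BEEMBA_CERT = b"constructed DER stand-in for www.beemba.com"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as a lowercase hex string."""
    return hashlib.sha256(cert_der).hexdigest()


# The trust list: provider hostname -> pinned certificate fingerprint.
# The hostnames are the two providers named in the thread; the pins are
# derived from the constructed certificates above (assumption, not real pins).
TRUSTED_PROVIDERS = {
    "www.myopenid.com": cert_fingerprint(MYOPENID_CERT),
    "www.beemba.com": cert_fingerprint(BEEMBA_CERT),
}


def check_provider(login_url: str, presented_cert_der: bytes) -> tuple[bool, str]:
    """Decide whether the browser should let the user sign in at login_url.

    Returns (allowed, reason). Allowing requires all of:
      * the page is served over https;
      * the URL's actual hostname (not text before an '@', and not a longer
        lookalike name that merely contains a trusted domain) is in the trust
        list by exact match;
      * the certificate presented by that host matches the pinned fingerprint.
    """
    parts = urlsplit(login_url)
    if parts.scheme != "https":
        return False, "login page is not served over https"

    # urlsplit().hostname strips userinfo and the port, so
    # "https://www.myopenid.com@other.example/" resolves to other.example.
    host = (parts.hostname or "").lower()
    expected = TRUSTED_PROVIDERS.get(host)
    if expected is None:
        return False, f"{host!r} is not a trusted OpenID provider"

    presented = cert_fingerprint(presented_cert_der)
    if not hmac.compare_digest(presented, expected):
        return False, f"certificate for {host} does not match the pinned fingerprint"
    return True, f"{host} verified against the trust list"


if __name__ == "__main__":
    # Constructed inputs: one legitimate login URL and three that the check
    # must refuse (plain http, a lookalike domain, a certificate mismatch).
    for url, cert in [
        ("https://www.myopenid.com/signin", MYOPENID_CERT),
        ("http://www.myopenid.com/signin", MYOPENID_CERT),
        ("https://www.myopenid.com.example/signin", MYOPENID_CERT),
        ("https://www.myopenid.com/signin", BEEMBA_CERT),
    ]:
        allowed, reason = check_provider(url, cert)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {url}: {reason}")
```

Two design choices matter here. Hostname matching is exact rather than suffix-based, because a suffix rule is what lets a lookalike domain that ends in a trusted name slip through, and the hostname is taken from the parsed URL rather than from a string search so that userinfo tricks do not count. The certificate comparison is a pin on the whole certificate, which is the simplest thing to explain but also the thing that breaks when a provider renews its certificate; a deployable version of pdp's list would need a way to update the pins (or pin the issuing CA instead), which is exactly the trust-management problem the thread's replies are arguing about.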
