Message-ID: <6905b1570803240815g481346d2ydaa2b05e2b937916@mail.gmail.com>
Date: Mon, 24 Mar 2008 15:15:53 +0000
From: "Petko D. Petkov" <pdp.gnucitizen@...glemail.com>
To: "Steven Rakick" <stevenrakick@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: OpenID. The future of authentication on the web?
Comments inlined.
On Mon, Mar 24, 2008 at 2:43 PM, Steven Rakick <stevenrakick@...oo.com> wrote:
> Let's be realistic here. It's not about the technical
> feasibility, it's about an open standard people trust
> and have bought into. This is what Information Cards
> are in my mind, much the same as OpenID.
>
> Sure you could go out and create an extension to serve
> the same purpose in your own way, but who would trust
> it? I mean PDP is known for JavaScript port scanning
> via XSS (I know you've done more but...), not
> authentication.
>
What do you mean by saying "not authentication", and how is that related
to the topic? And why wouldn't you trust it? :) Do you code everything
yourself so that you trust it? I am just curious to understand what you
mean, that's all.
>
> My point is simple. With OpenID + Information Cards
> much of the security concerns/weaknesses (phishing,
> passwords theft/loss) around OpenID as a protocol are
> addressed. Sure you still have to trust the provider
> (or write your own), but the implementation can be
> secure, open and publicly accessible using currently
> available and supported web technologies. Beemba and
> MyOpenID currently do this.
>
> BTW, Firefox 3 will have support for Information Cards
> by default and an extension is available for Firefox 2
> at Codeplex.
>
> -sr
>
> On Mon, Mar 24, 2008 at 5:25 AM, Petko D. Petkov
> <pdp.gnucitizen@...glemail.com> wrote:
>
> > Let's put it this way,
> >
> > It is easy to prevent phishing attacks against OpenID on the
> > client-side with browser extensions. In fact, I think that Firefox
> > will make this feature a default in their upcoming versions. It could
> > work exactly the same as the current trusted certificate authorities
> > every single web browser comes with. You will have a list of trusted
> > OpenID providers' domains which are also cross-matched with their SSL
> > certificates and URLs. Done!
> >
> > If Firefox is not planning to implement this feature, heck I will code
> > it myself. This is a hello world XUL extension.
> >
> > pdp
> >
> > On Sun, Mar 23, 2008 at 11:16 PM, Steven Rakick
> > <stevenrakick@...oo.com> wrote:
> > > Many of you have brought up that OpenID is vulnerable
> > > to phishing and have highlighted weaknesses specific to
> > > traditional username/password authentication.
> > >
> > > This was the main reason I brought up Information Cards
> > > in my original post. I've noticed that Beemba
> > > (http://www.beemba.com) and MyOpenID
> > > (http://www.myopenid.com) have both implemented
> > > Information Cards as an authentication option.
> > >
> > > Good idea?
> > >
> > > It seems to me that if you were to rely on Information
> > > Cards as opposed to username/password the phishing
> > > angle is mitigated. Is this not the case?
> > >
> > > -sr
> > >
--
Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters
gnucitizen.org | hakiri.org | spinhunters.org
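The client-side check pdp sketches in the quoted message (a browser-held list of trusted OpenID provider domains cross-matched with their SSL certificates and URLs) as an added example; this is not code from pdp, the thread, or any of the projects named. The provider hostnames come from the thread, while the function names and the certificate fingerprints are constructed placeholders.

```javascript
// Added example: an allow-list of OpenID provider hosts pinned to the SHA-256
// fingerprint of their expected TLS certificate. Fingerprint values are
// constructed for this example, not the providers' real certificates.
const TRUSTED_PROVIDERS = new Map([
  ["www.myopenid.com", "aa11".repeat(16)],
  ["www.beemba.com", "bb22".repeat(16)],
]);

// Accept "AA:11:..." or "aa11..." spellings and compare on the raw hex digits.
function normaliseFingerprint(fp) {
  return String(fp).replace(/[^0-9a-f]/gi, "").toLowerCase();
}

// Decide whether a login page may receive OpenID credentials. Returns
// { trusted, reason } so an extension could explain a block to the user.
function checkProvider(loginUrl, presentedFingerprint, trusted = TRUSTED_PROVIDERS) {
  let url;
  try {
    url = new URL(loginUrl);
  } catch (e) {
    return { trusted: false, reason: "unparseable URL" };
  }
  // A pinned certificate only means something over TLS.
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "not https" };
  }
  // Reject userinfo so https://www.myopenid.com@other.example/ cannot pass
  // a naive "does the URL contain the trusted name" check.
  if (url.username || url.password) {
    return { trusted: false, reason: "userinfo in URL" };
  }
  // Exact host match (trailing dot stripped): a look-alike such as
  // www.myopenid.com.other.example is a different host and is not trusted.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (!trusted.has(host)) {
    return { trusted: false, reason: "host not in trusted list: " + host };
  }
  // Cross-match the certificate the browser actually saw with the pinned one.
  if (normaliseFingerprint(presentedFingerprint) !== normaliseFingerprint(trusted.get(host))) {
    return { trusted: false, reason: "certificate fingerprint mismatch for " + host };
  }
  return { trusted: true, reason: "ok" };
}
```

A real extension would take the fingerprint from the browser's TLS session for the page rather than from a parameter, and would only release credentials when `trusted` is true.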
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/