
Risks With OpenID


Page 1: Risks With OpenID

© ClubHack http://clubhack.com

Risks with OpenID

Remember, with great comfort comes great security risk.

– Spiderman style ;)

Page 2: Risks With OpenID


What is OpenID (wikipedia)

• OpenID is a shared identity service which allows Internet users to log on to many different web sites using a single digital identity, eliminating the need for a different user name and password for each site.

• OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.

Page 3: Risks With OpenID


• Easy for user

• Complex to implement

• Not so difficult to phish

• Lose one ID and you lose the whole web.

Page 4: Risks With OpenID

Benefits

• Remember a single username and password for many sites

• Need not create a new account on a new site; use the same one everywhere (mostly)

• Allow timed access – allow site X to use this authentication from date ‘a’ till date ‘b’

Page 5: Risks With OpenID


Popular OpenID providers

• Flickr: http://www.flickr.com/photos/username

• Verisign: http://username.pip.verisignlabs.com/

• Technorati: http://technorati.com/people/technorati/username

• Blogger: http://blogname.blogspot.com

• Wordpress: http://username.wordpress.com

• & now Google: https://www.google.com/accounts/o8/id?id=username (it’s actually not an OpenID; read here)

Page 6: Risks With OpenID


Risks with OpenID

Phishing Attacks

Probably the biggest concern with OpenID. Users may be tricked into providing their credentials to a phishing site impersonating their OpenID provider.

This site might look like your original OpenID provider, and you might lose your password for all the services affiliated with OpenID.

Page 7: Risks With OpenID


Risks with OpenID…(contd)

Man-in-the-middle Attacks

If the connection is negotiated over weak encryption, then it is subject to interception attacks.

Ensure that you are using HTTPS and you know how to use HTTPS safely

Page 8: Risks With OpenID


Risks with OpenID…(contd)

Replay Attacks

The URL from the relying party can be sniffed, unless it is sent over HTTPS, and then replayed.

The solution, again, is HTTPS.
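The replay case above, as an added example that is not part of the original deck: a relying-party-side check in Python that rejects an OpenID 2.0 positive assertion whose openid.response_nonce is malformed, stale or already consumed, or whose openid.return_to is not the URL this relying party expects. The endpoint, return URL and nonce values are constructed samples, and signature verification of the assertion is assumed to happen separately.

```python
import re
from datetime import datetime, timedelta, timezone

# OpenID 2.0 response_nonce: UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by
# unique printable-ASCII characters; the RP must accept each one only once.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7E]*)$")

class NonceStore:
    """Remembers (op_endpoint, nonce) pairs this relying party has already accepted."""
    def __init__(self, max_age=timedelta(minutes=5)):
        self.max_age = max_age
        self._seen = {}  # (endpoint, nonce) -> timestamp parsed from the nonce

    def accept(self, endpoint, nonce, now=None):
        """True exactly once for a fresh nonce; False if malformed, stale or replayed."""
        now = now or datetime.now(timezone.utc)
        m = NONCE_RE.match(nonce)
        if not m:
            return False
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # Outside the freshness window: a sniffed response replayed later, or bad clocks.
        if not (now - self.max_age <= ts <= now + self.max_age):
            return False
        key = (endpoint, nonce)
        if key in self._seen:
            return False  # same response presented a second time: replay
        self._seen[key] = ts
        # Drop entries the window would reject anyway so the store stays bounded.
        cutoff = now - self.max_age
        for k in [k for k, t in self._seen.items() if t < cutoff]:
            del self._seen[k]
        return True

def check_positive_assertion(params, store, expected_return_to, now=None):
    """Replay and return_to checks on an OpenID 2.0 id_res response (signature check assumed elsewhere)."""
    if params.get("openid.mode") != "id_res":
        return False
    if params.get("openid.return_to") != expected_return_to:
        return False  # response was not meant for this login endpoint
    return store.accept(params.get("openid.op_endpoint", ""),
                        params.get("openid.response_nonce", ""), now)

# Constructed sample assertion (not captured traffic) and a fixed "current time".
SAMPLE = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://openid.example/server",
    "openid.return_to": "https://rp.example/login/return",
    "openid.response_nonce": "2009-01-20T10:15:30ZUNIQUE123",
}
NOW = datetime(2009, 1, 20, 10, 16, 0, tzinfo=timezone.utc)
```

Presenting the same assertion a second time, or one with a nonce older than the window, is refused even though everything else about it is valid.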

Page 9: Risks With OpenID


Risks with OpenID…(contd)

CSRF (Cross-site request forgery) Attacks

Once the victim is logged in, a malicious user might be able to execute CSRF attacks against other sites.

Oops… ;(

<iframe id="login" src="http://bank.com/login?openid_url=user.openid.net" width="0" height="0"></iframe>

Page 10: Risks With OpenID


Risks with OpenID…(contd)

XSS Attacks

Once the user is logged in, attackers might be able to execute a series of XSS (Cross-site scripting) attacks against the identity provider, in which case they will be able to hijack the user’s entire online presence.

If an attacker can do it through OpenID, then why not?

Page 11: Risks With OpenID


Not against OpenID

• No, I’m not at all against OpenID.

• It’s a great idea and will make online life a lot easier.

• Users must be aware of safe usage.

• Implementers should take care of most of the security risk.

Page 12: Risks With OpenID


Recommendation

• NEVER EVER use OpenID or Single-Sign-On for banks or credit cards

• Always use HTTPS and know how to use it safely

• Better be paranoid than sorry, like the condom ad: “better safe than worry”

Page 13: Risks With OpenID


Further reading

• OpenID security issues – http://www.thespanner.co.uk/2007/06/29/openid-security-issues/

• OpenID: Phishing Heaven – http://www.links.org/?p=187

• OpenID: Phishing Heaven II – http://www.links.org/?p=188

• Problems with OpenID – http://idcorner.org/2007/08/22/the-problems-with-openid/

• Phishing risk – http://stii.za.net/semanticweb/openid-phishing-risks-be-careful/

• Solving phishing problem – http://simonwillison.net/2007/Jan/19/phishing/

Page 14: Risks With OpenID


Confused???

Drop me a mail

[email protected]

I MIGHT be able to help you