openid - Marcel Weiss on Diigo

Kim Cameron explains the phishing attack in greater detail and notes: “The problem here is that redirection to the home site is under the control of the evil party, and the user gives that party enough information to sink her. Further, the whole process can be fully automated.” Elsewhere, Kim points out “think of what we unleash with OpenID… It’s way easier for the evil site to scoop the skin of a user’s OpenID service because - are you ready? - the user helps out by entering her honeypot’s URL! By playing back her OpenID skin the evil site can trick the user into revealing her creds. But these are magic creds, the keys to her whole kingdom!”
Marco Slot in his “Beginner’s guide to OpenID phishing” demonstrates the phishing problem by providing code samples. Quoting: “There’s a new phish in town and it is big and easy to catch. A single OpenID may be used for hundres of websites. This alone makes OpenID more vulnerable as losing one password means you’ve lost them all. Moreover, each of those OpenID enabled websites is able to trick the user into giving away her password. […] Would your grandma notice http://f5888d0b1.07e1c41c97a.be/a15 is not her real openid provider?”
11 more annotation(s)...
- Tim Anderson remarks: “The whole OpenID structure hinges on the URL routing to the correct machine on the Internet. In other words, DNS. Now do some research on DNS poisoning. Scary.”
- Tom Allen in “What’s broken in OpenID 2.0″ says: “[A phishing site can] spoof the realm using an open redirect server or by exploiting an XSS flaw on a trusted domain means that neither the user nor the OP knows what site that the user is signing into. This leaves users vulnerable to being phished on the RP site because OPs, including AOL and MyOpenID, use the realm and return_to parameters to assert the identity of the RP to the user before redirecting the user back to the RP. For example, it’s pretty trivial for a phishing site to get the AOL or MyOpenID OPs to tell the user that they’re signing into *.aol.com, *.microsoft.com, or *.go.com by exploiting redirect servers or XSS flaws on these trusted domains. […] Redirect servers, open reverse proxies, XSS flaws, and the like are widely known and eagerly circulated within certain communities, and without a doubt these bozos would be cranking out millions of SPIMs and SPAMS every hour if OpenID were to gain any traction in the mainstream.”
- Alex Kuza says: “[There is a] feature to set a site to be able to accept your credentials without you having to enter your OpenID password, and since your OpenID provider does not provide these details to the host, they do. Of course, you still need to be logged into your OpenID provider, but since you’re meant to be using this login for several sites, its not too much of a stretch to believe that you’re going to be logged in all the time you’re online - which is quite a large time frame. […] This means that an attacker can log you into any site you decided to trust via CSRF attacks because the site cannot tell if you’ve entered a password. Now this might not seem important, but it is very important for both large and targeted attacks because the user no longer needs to be logged into the service you want to attack, but merely logged into the central service.
- As an example, the Tsyrklevich brothers at the recent Black Hat conference showed how using OpenID for online banking would allow attackers to wire money to their own account using a simple cross-site request forgery attack. They also provided simple sample code for several hijacking, spoofing, and phishing attacks.
- In sum, OpenID adds up to little more than simple password management with extra overhead and lots of security problems. As Marc Canter stresses: “if we’re to stop phishing, and spoofing and ID theft - we need severe crypto, locked down, secure ID systems.” Ben Laurie elaborates as follows: “The OpenID fanboys want OpenID to work on any old platform using only standard software, and so therefore are doomed to live in the world of broken authentication. This is fine if what you protect with your OpenID is worthless, but it seems clear that these types of protocol are going to be used to authenticate for things of value. […] This is the root of the problem: if you want to protect anything of value, you have to do better than existing Web solutions. You need better client-side software. […] the best general way to handle this problem is through zero-knowledge proofs.”
- SECURITY PROBLEMS
- Ralph Bendrath : “I have looked into it a bit closer now, and I just can say it sucks. […] Your identity provider is able to track all websites you log into. They even tell you it’s a feature. User profiling made easy! […] You have a unique identifier (your OpenID uri) for all relying parties, so you can’t choose between different cards or identities for different sites. Cross-sites profiling made easy! […] The latter of course can be worked around if you use many different IDs. But then you run into the usability problems that OpenID was meant to overcome in the first place - having to remember several logins, passwords and so on.”
- in Jeremy Schoemaker’s words: “There’s nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider.”
- a commentor at Slashdot notes: “Once this system is widely used, and spammers begin to register OpenIDs in huge numbers, how will site owners prevent spammy registrations? […] Blindly trusting OpenIDs and allowing them into a site, or giving them posting rights would be crazy. […] If [this problem] it isn’t solved we have a one-stop-shop for spammer IDs.”
- while lots of organizations are jumping in to become OpenID providers, there are virtually no OpenID consumers.
- Neil Cauldwell points out: “If [users] sign-up to a service that only supports OpenID’s from certain servers, OpenID isn’t even open. At least with a proprietary sign-in process you be under no illusions that the username you created with service ‘x’ would work with service ‘y’. But if the big players decide to mess about with server authentification, your OpenID may or may not work at another site. This is where it becomes a complete mess.

Jul

5

2007

claimID weblog » ClaimID Facebook Application

blog.claimid.com/...claimid-facebook-application

- Preview

claimid facebook nn openid

We’re pleased to announce that we’ve built a ClaimID application for Facebook. This simple application will display your verified ClaimID account (verified with OpenID) on your Facebook profile, allowing people who visit your profile to have a trusted link to your ClaimID page.

May

20

2007

IRC with OpenID? at Not So Relevant

www.notsorelevant.com/...irc-with-openid

- Preview

nn openid

So what is Pibb? Well, like I have mentioned above it’s a communication tool which allows users to either connect with a single person or with an entire group, a channel. At first glance it looks a lot like IRC with some graphics to make it more appealing; channels contribute to that assumption. Though people can start different threads in a channel which help keeping track of discussions.
Pibb is a promising application which could serve as an instant messenger, an IRC alternative, and a message board. Since channels can be private and all messages are sent over SSL it could be an alternative to the mentioned communication services and make it predestined even for communication within company teams.

May

16

2007

14 Great Ways You Can Use OpenID Right Now

mashable.com/openid

- Preview

openid

Apr

30

2007

Elektrischer Reporter 28: Ralf Bendrath über die Risiken von Online-Identitätssystemen

www.elektrischer-reporter.de/...40

- Preview

nn openid

Es wäre in der Tat praktisch, wenn irgend eine pfiffige Entwicklung die andauernden Registrier- und Anmeldeorgien bei all den neuen und bunten Web-Diensten überflüssig machen könnte. Derzeit sind einige Systeme in Entwicklung oder bereits im Einsatz, die ein Ende der Username-Passwort-Hantiererei versprechen.

Der Politologe Ralf Bendraht mahnt zur Vorsicht: In diesen Identitäts-Silos sammeln sich Datenmengen an, die genaueste Rückschlüsse über unser aller Web-Aktivitäten erlauben.

Mar

29

2007

Home

www.myvauthid.com/Home.html

- Preview

openid

Mar

28

2007

Basic Thinking Blog » OpenID erklärt

www.basicthinking.de/...openid-erklaert

- Preview

openid spam

Nein, OpenID bietet *keinen* Spamschutz. Erstens kann sich jeder beliebige viele OpenIDs besorgen und zweitens, was viel wichtiger ist, jeder kann OpenID-Provider sein. D.h. wenn die Spammer wollen, könnten sie alle ihre Domains in Provider umwandeln und sich dort OpenIDs generieren.

Im Prinzip ist eine OpenID in Hinsicht auf Authentizität *erstmal* nicht mehr wert als eine Email-Adresse, die sich ebenfalls leicht fälschen lässt. Bei einer OpenID kannst du aber, nachdem du ihr vertraust, sagen, dass derjenige, der sich mit ihr einloggt auch wirklich ihr Besitzer ist. Entspricht also ungefähr einer vom User bestätigten Emailadresse.

Feb

28

2007

Wordpress OpenID Plugin+ at willnorris.com

willnorris.com/wpopenid

- Preview

openid plugins wordpress

wpopenid is a Wordpress plugin by Alan Castonguay that enables commenters to authenticate using their OpenID. This page is for my fork of wpopenid that adds a few features as well as fixes a few bugs. I would like to contribute these fixes back to the main project, but simply haven’t been able to get in touch with Alan yet. Visit the main wpopenid homepage to get an idea of what the plugin does, then view my detailed list of changes below.

Feb

26

2007

OpenID Installed and at the Ready! | On Influence and Automation

www.douglaskarr.com/...nid-installed-and-at-the-ready

- Preview

nn openid

- <?php echo md5(login:realm:password);>
- I copied that encrypted string into the configuration for the ID file and I was up and running!
- To test, I simply had to login using a simple URL
- I then logged out
1 more annotation(s)...
- That was it! My OpenID address is now http://www.douglaskarr.com and it will authenticate the Login and Password that I chose.

Feb

25

2007

O'Reilly Radar > Pros and Cons of OpenID

radar.oreilly.com/...pros_and_cons_o.html

- Preview

nn openid

Two weeks ago Microsoft, Verisign, JanRain (a Portland-based startup), and SXIP ( Vancouver-based startup) announced that they would work with SixApart (early supporters, acceptors, and providers of OpenID) to support OpenID and integrate it with Vista's Identity manager CardSpace (Radar post). There was no mention of MSN or Live becoming acceptors or providers of OpenID. Last week AOL announced that they would become providers of OpenID, giving anyone who has an AIM account an OpenID (Radar post). Earlier this week Digg announced that they would become both a provider and an acceptor (Radar post).
OpenID Pros
7 more annotation(s)...
- Note in that flurry of announcement there was only one new big acceptor - DIgg. AOL, Microsoft are not accepting OpenID. Why not? What are the Pros and Cons of OpenID currently? Here's a crack at it (from the Radar Team):
- You probably already have one
- You can make your own website into an OpenID provider - This is very simple and is what makes it so appealing to bloggers.
  Saves you time when trying new sites and features - You already know your namespace is available
  
  Desktop support is coming via Vista and Firefox 3.0 (Radar post)
  Easy to maintain multiple identities - All you need are different URLs
  
  It's decentralized - Not owned by any one company (MS Passport) or standards body (Liberty Alliance)
- OpenID Cons
  
  Though you have one, there are not many places to use it (yet) - The biggest sites that accept OpenID are SixApart's sites and Digg. None of the big players -- AOL, MS, Google, Yahoo!, MySpace -- accept OpenID.
- The sign-in process can be very confusing and jarring to users - It requires going to another site - not the normal stay-on-one-site-sign-in system that people are used to. (It's about as user-friendly as when you learned 'http://')
- Security Concerns have not been fully resolved - Because of the reliance on a second site for sign-in, OpenID is open to phishing attacks. These concerns are being actively addressed, but the solutions are still being tested and each OpenID has the latitude to choose their solution. An uninformed consumer may not realize that their provider is behind the times. Until this situation is resolved it is not suitable for high-privacy sites like banking, or health (if ever).
  
  Unrealized loss of Anonymity - Currently, each site where you have a login only knows what you tell them about yourself. With OpenID, even thought you can maintain multiple identities, you are inherently tying a lot of services together and thus losing some amount of anonymity
- So what does all that mean?
  It means that there are a lot of people who have OpenID, but they don't have many places to use them yet, and they probably aren't aware that they have one.

Feb

20

2007

Why AOL Created 63 Million New OpenIDs

www.readwriteweb.com/...aol_openid.php

- Preview

aol nn openid

Late last week AOL announced its support of the open identity system OpenID, for all 63 million of their AOL/AIM Ids (for those looking for a quick introduction to OpenID, click here). The details of the announcement, via the dev.aol.com blog, are as follows:
- Every AOL/AIM user now has at least one OpenID URI, http://openid.aol.com/screenname.
- This experimental OpenID 1.1 Provider service is available now and AOL is conducting compatibility tests.
- AOL's blogging platform has enabled basic OpenID 1.1 in beta, so every beta blog URI is also a basic OpenID identifier. (No Yadis yet.)
- AOL doesn't yet accept OpenID identities within their products as a relying party, but they're actively working on it. That roll-out is likely to be gradual.
- AOL is tracking the OpenID 2.0 standardization effort and plan to support it after it becomes final.
2 more annotation(s)...
- How does it affect AOL/AIM users? With the OpenID integration, an AOL user will be able to login to a service provider that accepts OpenID, using their AOL/AIM username/password, without needing to create a new service-specific username/password. This is a great way for AOL to try and retain its once formidable (and still significant) user base, by providing an OpenID-based solution to the knotty problem of web single sign-on. So AOL user names will potentially be an entry into hundreds of different web sites and services, thanks to OpenID.
- Still, AOL opening up OpenID to its 63 million users is a great validation for OpenID. On the heels of the Microsoft announcement, the AOL announcement builds further momentum for the OpenID solution, as the answer to the long sought after goal of Web single sign-on.

Feb

15

2007

claimID weblog - Manage your online identity. » Archive » Tip - Make your blog an OpenID

blog.claimid.com/...tip-make-your-blog-an-openid

- Preview

nn openid

One of the new features we dropped into ClaimID was an easy snippet of code that allows you to make your blog an OpenID (you could always do this before, we just auto-generate the code for you).

Marcel Weiss's Library tagged openid → View Popular, Search in Google

Mind Map: Identity: The Benefits

OpenID Status Check: A Guide to Getting and Using Your OpenID - ReadWriteWeb

The Troubles With OpenID 2.0

Technophilia: One OpenID to Rule Them All...or Not? - Lifehacker

The Identity Corner » The problem(s) with OpenID

claimID weblog » ClaimID Facebook Application

IRC with OpenID? at Not So Relevant

14 Great Ways You Can Use OpenID Right Now

Elektrischer Reporter 28: Ralf Bendrath über die Risiken von Online-Identitätssystemen

Home

Basic Thinking Blog » OpenID erklärt

Wordpress OpenID Plugin+ at willnorris.com

OpenID Installed and at the Ready! | On Influence and Automation

O'Reilly Radar > Pros and Cons of OpenID

Why AOL Created 63 Million New OpenIDs

claimID weblog - Manage your online identity. » Archive » Tip - Make your blog an OpenID

Selected Tags

Related Tags

Top Contributors

Groups interested in openid

China Democracy

faezrland

emagarten

OPENID_Jommla_CB

Web SSO

identity