The OpenID authentication method allows visitors to participating Web sites to log in with a single digital identity and avoid having to remember yet another login / password combination. Many businesses are implementing this method on consumer-facing Web sites in order to lower the barrier to user registration and participation and, though OpenID seems like a great idea, it may not be the panacea companies hope.
As eWeek's Larry Seltzer points out, several people in the security industry have identified a number of issues that point to the overall vulnerability of OpenID's method of authentication. Issues range from DNS cache poisoning attacks to problems with the Debian Predictable Random Number Generator that cause some OpenID providers (OPs) to end up using SSL certificates with weak keys.
"The weak certificates at such OPs means that it's easy to generate their private keys and therefore easy to set up a fake OP that looks like the same thing," explains Seltzer. "Combine this with the DNS cache poisoning attack and it becomes very plausible to set up an attack, at least a targeted attack, to capture OpenID credentials."
Seltzer isn't the only one beating the OpenID vulnerability drum. In a paper last year, computer scientist and grad school student Marco Slot outlined reasons why this authentication method is likely to become a target for phishing attacks. He reasons that "A single OpenID may be used for hundreds of websites. This alone makes OpenID more vulnerable as losing one password means you've lost them all. Moreover, each of those OpenID enabled websites is able to trick the user into giving away her password."
Slot says their are plenty of ways to avoid this problem, or at least lessen the likelihood of phishing attacks via OpenID. In addition to educating users on how to avoid being scammed, and implementing cookies and personal icons as identifying markers, SSL certificates are also a way to make OpenID more secure.
But wait. Remember what Seltzer said about the recent vulnerabilities of SSL certificates? It seems that solving one OpenID problem only leads to another.
That's the bad news. The good news is that OpenID was conceived within and developed by the open source community. Unleashing its collective mind to identify and solve security issues means the OpenID concept is likely to flourish once the kinks are worked out.
If you're trying to find ways to retain visitors to your company's Web site, OpenID is an option worth exploring. Just make sure you've looked at the idea from all angles and understand what's at stake.
