Security Issues Slow Down Adoption of OpenID
The OpenID authentication method allows visitors to participating Web sites to log in with a single digital identity and avoid having to remember yet another login / password combination. Many businesses are implementing this method on consumer-facing Web sites in order to lower the barrier to user registration and participation and, though OpenID seems like a great idea, it may not be the panacea companies hope.
As eWeek's Larry Seltzer points out, several people in the security industry have identified a number of issues that point to the overall vulnerability of OpenID's method of authentication. Issues range from DNS cache poisoning attacks to problems with the Debian Predictable Random Number Generator that cause some OpenID providers (OPs) to end up using SSL certificates with weak keys.
"The weak certificates at such OPs means that it's easy to generate their private keys and therefore easy to set up a fake OP that looks like the same thing," explains Seltzer. "Combine this with the DNS cache poisoning attack and it becomes very plausible to set up an attack, at least a targeted attack, to capture OpenID credentials."
Seltzer isn't the only one beating the OpenID vulnerability drum. In a paper last year, computer scientist and grad school student Marco Slot outlined reasons why this authentication method is likely to become a target for phishing attacks. He reasons that "A single OpenID may be used for hundreds of websites. This alone makes OpenID more vulnerable as losing one password means you've lost them all. Moreover, each of those OpenID enabled websites is able to trick the user into giving away her password."
Slot says there are plenty of ways to avoid this problem, or at least lessen the likelihood of phishing attacks via OpenID. In addition to educating users on how to avoid being scammed, and implementing cookies and personal icons as identifying markers, SSL certificates are also a way to make OpenID more secure.
But wait. Remember what Seltzer said about the recent vulnerabilities of SSL certificates? It seems that solving one OpenID problem only leads to another.
That's the bad news. The good news is that OpenID was conceived within and developed by the open source community. Unleashing its collective mind to identify and solve security issues means the OpenID concept is likely to flourish once the kinks are worked out.
If you're trying to find ways to retain visitors to your company's Web site, OpenID is an option worth exploring. Just make sure you've looked at the idea from all angles and understand what's at stake.