[lang]

Present Perfect

Personal
Projects
Packages
Patches
Presents
Linux

Picture Gallery
Present Perfect

OpenID: yes or no?

Filed under: Question — Thomas @ 11:06 pm

2008-6-19
11:06 pm

I remember being really enthusiastic about OpenID when I first learnt about it. I remember trying it out and, as many, being disappointed at the practical use (nobody was supporting it) but hopeful about the idea. I tried it out a bunch of times later, but today I’m still not really using it. I saw an excellent presentation by Simon Willison at Europython last year, but I’m still not using it.

And the reason, at least for the past year, is that I do not know whether the basic model is secure or not. I’ve read lots of pro and con posts, and it’s gone so technical I don’t know who to trust.

If I think about it logically myself, I’d say that I don’t see the difference between the OpenID phishing scenario and the Paypal/bank phishing scenario:

  • Some site uses OpenID and I want to log in
  • said site redirects me instead to a fake site, that looks the same as my real site (either because I use a popular one, or because it actually connects to my real site and presents the same page)
  • Any authentication information I enter on this phishing site is thus known to the phisher

I seem to extract from all I’ve read before that there is a general consensus that this is a real threat, and that OpenID people feel this is not the problem they should be solving – that it is up to OpenID providers to solve this.

But if I were to put online a website that uses OpenID and handwaves phishing problems away to the providers, while simultaneously allowing all OpenID providers, I’d feel bad about teaching my users that it’s fine to follow OpenID links and type in passwords.

So, homework for today – can someone tell me in simple terms:

  1. if there is something wrong with my simple interpretation of the phishing problem, or if it is in fact real ?
  2. What I should be doing if I were to create a website that wants to use OpenID, and I actually care about my users ?

Too much of all of this discussion around OpenID focuses around whether or not it’s OpenID’s job to solve this problem, whether it is insecure, whether it promotes phishing, and so on. But none of the discussion focuses on what you should actually *do* when you care about making it easy for people to use your site while keeping security good enough.

Someone smart on the topic care to tell me what I should be doing as a website maker, and as a potential OpenID user on other websites ?

20 Comments »

  1. As a website programmer (assuming you mean relying party as opposed to an openid provider), there’s nothing you can possibly do, the phishing stuff revolves around somebody creating an innocent-looking website that redirects the users to a proxy provider instead of the real one.

    As the user, you can diligently check that the URL in your browser’s address bar matches your expectations every time you use your openid.

    As the openid provider, you could for example hand out SSL certificates to your users and have them install them in the browser, then require them instead of a login, so the browser does the address checking I mentioned above for the user.

    Comment by Johannes Berg — 2008-6-19 @ 11:20 pm

  2. OpenID has some fundamental and unfixable security problems. For example, its security model, or rather its lack thereof, means that as a site supporting OpenID “authentication” you can’t even count on the most fundamental rule of authentication systems: the person using a given ID for this request should correspond to the person using that ID for some request that occurred in the past.

    Don’t use OpenID, don’t recommend OpenID, don’t support OpenID.

    Comment by Anonymous — 2008-6-19 @ 11:37 pm

  3. @Anonymous: That is, sort of, true; OpenID identifies the OpenID url rather than the person behind it. Yet, oddly, 95% of all web applications rely on email addresses for authentication (anyone with access to the email account can reset the password trivially) which suffer from the same problem. Nobody seems to complain about that.

    Comment by Johannes Berg — 2008-6-19 @ 11:48 pm

  4. There’s not much you can do, as the developer of the client website, to protect your users who use OpenID. You have to depend on your user’s intelligence and their provider’s security. However, this is not such a large problem as it first seems. Many (most?) OpenID providers are more than just a prompt and a prayer, and the stronger the authentication the more secure the providers tend to be.

    For example, some random OpenID provider that anybody can sign up for will probably not bother with anything past SSL. This is perfect for a major usecase of OpenID, the person who justs wants to make a quick post somewhere without registering an account they’ll forget in a few minutes anyway.

    Major providers like Google (through Blogspot) or Yahoo use their native security mechanisms. For example, they might require you to sign in to your e-mail account before authenticating you to OpenID clients. The security profile on these is the same as on the provider’s other sites, like E-Mail.

    The “serious” providers, that deal with a physical identity, use SSL certificats, public-key cryptography, authentication dongles, and all sorts of stuff. I haven’t seen many such heavyweight OpenID providers, because OpenID is such as new technology. Assuming it survives long enough, we might start to see banks or ISPs providing OpenID.

    And of course, for the truly paranoid user, they can configure their own OpenID server that jumps through any hoops they want.

    > a site supporting OpenID “authentication” you can’t even count on the most fundamental rule of authentication systems: the person using a given ID for this request should correspond to the person using that ID for some request that occurred in the past.

    This is true of any online authentication system in current use, and is not fixable unless you start requiring your user to pose with their driver’s license and a recent timestamp.

    Comment by Name — 2008-6-19 @ 11:53 pm

  5. This specific problem can be fixed by having the OpenID provider use a valid SSL certificate and the user checking it… But I think I remembered reading about some more complex problems that can not be fixed so easily.. I only recommend OpenID as a way to sign blog posts.. Ie its as safe as me creating an account with a random name on every blog I post to.

    Comment by Tester — 2008-6-20 @ 12:57 am

  6. @Johannes Berg: The best prevention I’ve come up with for this phishing scam is actually to log in to your OpenID provider long before you head to the site that uses OpenID authentication.

    My assessment of OpenID is that provides more features with at least equivalent security to the one email address and one password for 40 sites model that is currently in use. At the very least I don’t have to remember 40 passwords to get any sort of security while still being vulnerable to somebody hijacking one account and getting access to everything.

    As it stands, most places I’ve seen that use OpenID do it incorrectly except for LoudTwitter.com. Essentially, if I put in my OpenID, I shouldn’t have to tell you my email address and set up another freaking password.

    Comment by Andrew Sayman — 2008-6-20 @ 2:03 am

  7. My understanding is that OpenID was originally intended to be a data interchange specification, and that along the way various people have tried to shoe-horn it unsuccessfully into other problem domains. The creators at various points have capitulated at times but ultimately came to their senses and now follow the following line of thinking:

    OpenID does not prevent phishing, for that you need more help from the UA, such as having your OpenID provider auth you via a plug-in, SSL, or InfoCard. What it does is help you consolidate the points you have to make a trust/no-trust decision. You go to YourCard.com, apply for you card, and that time hook them into your OpenID, from that time on as long as you know OpenID page is in fact legit (helped by a browser plugin for example) things are much easier to keep in check.

    But yeah, with you on the not actually using it part and ultimately my prediction holds: everyone wants to be a provider, no big players want to consume anyone elses OpenID.

    –Rob

    Comment by Rob J. Caskey — 2008-6-20 @ 2:35 am

  8. Phishing and spam are two of the many problems OpenID doesn’t attempt to solve. Unfortunately blind proponents of OpenID sometimes fail to recognize this and make wild, irresponsible claims.

    I find OpenID handy for many things and you might as well turn it on.

    Comment by Ian McKellar — 2008-6-20 @ 2:55 am

  9. […] guy called Thomas asks the very reasonable question (where “this problem” is the OpenID phishing problem): Too much of all of this […]

    Pingback by Links » Using OpenID Responsibly — 2008-6-20 @ 12:46 pm

  10. your site has a very annoying quality in that you can’t see comments unless you yourself comment.

    Comment by dave foster — 2008-6-20 @ 2:30 pm

  11. Take a look at PIP (https://pip.verisignlabs.com/seatbelt.do). It’s a firefox plugin that allows for “out-of-band” logins. When it sees that you’re on a site that supports OpenID, it prompts you to log in directly to your OpenID provider, without going via the site. To avoid this interaction itself being spoofed, its interface does things that a website couldn’t do, like greying out the entire window.

    I understand that OpenID integration may be coming to Firefox and possibly even IE in the future. Phishing will always be a problem, as it’s social engineering, but there are things that can be done to reduce the risks.

    Comment by Gavin — 2008-6-20 @ 2:57 pm

  12. @dave foster: I can see comments without posting one. This the the first comment I’ve ever posted on this site and I can see them just fine.

    Comment by Larry Reaves — 2008-6-20 @ 3:00 pm

  13. I’ve been a fan of OpenID since I first heard about it. From day one I understood it to solve the 1001 credentials problem. What i did not see it provide a solution for is protection.

    If I can use my OpenID across multiple sites it makes it easier for me to be consistent in my posting and what data is being shared. This is a much better solution than having somewhat varying credentials across sites, and sometimes even within the same site.

    Even better, you as the site owner can check whether my comment is posted through credentialing with OpenID and have a reasonable way to track back to me. Rather than somebody nefarious, say Linus Torvalds, using my name.

    OpenID doesn’t completely solve the issue of another person using my name, but if you have OpenID and if I used it then you can track that back to me.

    Comment by Samir M. Nassar — 2008-6-20 @ 4:20 pm

  14. What’s with your site? This has happened to me a few times:

    http://img355.imageshack.us/my.php?image=fromclipboardxy9.jpg

    Comment by Andrew Conkling — 2008-6-20 @ 5:49 pm

  15. Well, using OpenID for your Amazon account or your bank account would be stupid. But I have never seen anyone propose that (and if someone has, that is silly). I like OpenID for blogs and forums. OpenID security seems to be about as good as would get on those things anyway, and with the extensions, it could save setup of profile information on forums – location, gender, avatar, ect (assuming you want to use the same info on all forums).

    Comment by Kelly Clowers — 2008-6-20 @ 5:56 pm

  16. In my opinion OpenID only makes sense when used with a client-certificate in a browser. But then you can only use it on your own computer, where you have your certificate installed, not good for people that depend on other peoples computers (internet-cafe) to access the net.

    Password authenticated OpenID just cries for phishing.

    Comment by Richard — 2008-6-20 @ 6:47 pm

  17. OpenID is a great idea, it just needs a little help (from the user agent or another component of the user environment) to be user-friendly.

    I suppose the basic anti-phishing mechanism for OpenID, as already employed by some providers, relies on a sort of abstract two-way handshake: first the provider authenticates itself with the user, then the user authenticates himself with the provider.

    This can be done in many ways, but I think the best way is to use out-of-band communications such as mobile phone text messages or IM rather than in-band web page interactions, which can generally be ‘proxied’. If your provider sent a challenge directly to your registered mobile phone every time you attempt to log in, there wouldn’t be any steps a phisher could replicate and you would be phishing-proof.

    By the way, I had no troubles reading comments on this site (Firefox 3 RC2)

    Comment by Anders Feder — 2008-6-20 @ 7:34 pm

  18. You can whitelist IDPs that are known to be phishing-resistant. This will piss off some people, but that’s the cost.

    Comment by Wes Felter — 2008-6-20 @ 9:55 pm

  19. One of the things that had me questioning the security is the fact that you can use your own URL as a delegate for your OpenID.
    Let’s say I’m using example.com as a delegate for my real OpenID url (provided by the OpenID provider), what if after a year
    your domain expires and someone buys your domain…. now he or she can access all your accounts…..

    Comment by TimothyP — 2008-6-20 @ 10:35 pm

  20. OpenID doesn’t introduce problems that aren’t there already. Lets assume you host a malicious website that requires user to register to post comments. Now, after each registration you probe a few well known sites with those usernames and passwords used to register to your site. You will rather quickly find places you can access with those usernames and passwords. Of course people who are aware of this problem use stuff like varying passwords and so on, but those are the same people who wouldn’t get fooled by spoofed OpenID login. The only thing that OpenID introduces to this picture is the log that most OpenID sites have for their user accounts. You can check out those sites with the same account and on the other hand you will know where the malicious user has been with your account.

    As far as i’m concerned, OpenID solves more problems than it introduces. If you are going to use it for one shot commenting or simple logins to websites with low security go right ahead. Online banking and such already have (at least here in finland) proper safeguards in place and OpenID is not meant for that kind of logins anyway.

    I agree that it’s not the OpenID specs problem to fix spoofing, there will always be ways for phising and spoofing. Lets solve that by educating people. Why is it that intelligent people become naive when it comes to internet.

    Comment by Sami Haahtinen — 2008-6-26 @ 3:35 pm

RSS feed for comments on this post. TrackBack URL

Leave a comment

picture