Saturday, February 16, 2008

Why would you use OpenID?

I see that Blogger has now started offering the use of OpenID for posting comments on more than just its Beta and Alpha platform. Am not quite sure why they are doing it though as OpenID doesn't exactly have a safe security model around it. The principle behind OpenID is very simple. You create an ID at a provider site, say Wordpress, and then other sites you go to can present the OpenID layer for authentication and they contact your provider and authorize you.

Spot the problem? The site you visit is responsible for sending your details to your provider. All a site has to do is send those details to a fake provider they set-up that can proxy the authentication to the real provider whilst phishing your details in the process. It's called a man-in-the-middle attack and it is so stupidly simple it's scary. So, you proudly own your OpenID and you visit a website which allows comments via OpenID. Brilliant you think, I can post safely knowing that anyone reading the comment knows it is me. No 'sockpuppeting' here the blogging expert thinks. He happily types his OpenID in and it authenticates and he posts a comment.

Unbeknown to him though, his details have just been sniffed in the middle by the website owner. And guess what, because OpenID is a distributed authentication system that allows people to login in to multiple sites, the phisherman now has access to all those sites too. He can pretend to be you anywhere he wants, and because OpenID "stops sockpuppeting" everyone will think that it was you that posted those comments.

The simplicity of the attack is quite elegant really. After all, we're not talking about a crude attack where someone sends an email pretending to be a bank and hopes that a stupid person clicks the link and gives you their details. Instead what you have is a flaw where the user openly goes somewhere and happily puts their details in because they just trust the system.

They trust a system that relies on distributed and distinct business entities ensuring that they are not compromised, because if just one provider is compromised in the chain then suddenly details are compromised across multiple providers. Someone using Provider A entering their details with OpenID on Provider B where Provider B is compromised now exposes the details that are thought to be secure on Provider A.

Of course, using OpenID or not is entirely up to you. You won't be surprised to hear that I personally find the idea of distributed single-sign-on systems with multiple providers a universally stupid thing. Even if you put aside the very basic security problems that exist around phishing, having one login and identity for an array of websites is one big steaming single point of failure. Lose one password, lose them all. Genius!

If you're in anyway security aware then multiple identities and multiple passwords is the only sensible option and approach to have. It may of course upset those obsessed with so-called 'sockpuppets', but then in most cases they don't understand the technology anyway. They have a tendency to believe the marketing hype and thus think things like OpenID close loopholes when in fact they're just a phisherman's heaven.

Update: Here's a useful link to read.

7 comments:

Anonymous said...

Surely the solution is to have an internet identity which is entirely separate from your "real" one, even if it shares the same name. Open ID will only be open to phishing if it contains sensitive, potentially stealable, information; and if you publicise that, even via blogger or wordpress profiles, then you're a nitwit who deserves whatever you get.

dizzy said...

"Open ID will only be open to phishing if it contains sensitive, potentially stealable, information;"

1: OpenID is vulnerable to phishing and there are many proof of concept examples out there on how to do it.

2: The valuable information is simply the login details. Once you have them then you have access to any site using OpenID to authenticate someone, and it is once logged into a site that you gain access to other far more valuable information.

Anonymous said...

Dizzy, I'm puzzled by what you say. I had thought the sequence was:

1. I enter my OpenID server name into your comments web form.

2. Google then asks my provider "Is it OK to let him in?"

3. My provider asks me for my password.

4. If my password is correct, my provider responds to Google "Yes, let him in".

Mark you, blogging name and password is all that this OpenID will ever carry. Real name, date of birth and ID Card number (when issued), etc will never go there, for fear of attack one way or another!

comfy socks and a bottle of rum said...

Nothing wrong with sockpuppets, on most blogs they make the most entertaining posts. The others are there because they think their views are of interest, and they are not. Also like a quick word on comment moderation, spoils the fun, Guidos is now naff with the same boring plonkers posting drivel. Dump it Dozey, you know it makes sense. You just may get two versions of this comment, what with my morning rum and a careless click I think I have sent you two, sorry about that Dizzzzz

dizzy said...

http://idcorner.org/2007/08/22/the-problems-with-openid/

Anonymous said...

I can't understand a word of this.

Anonymous said...

One way to avoid phishing attempts is to log into your provider and ten use other tabs in the same browser window to visit the sites that use OpenID. This way there is no need for redirection. Alternatively one can use Seatbelt distrbuted by Verisign Labs.