Refactoring the Debtags web interface

Brian May brian at microcomaustralia.com.au
Tue Feb 24 00:17:23 UTC 2009


Ben Finney wrote:
> I invite anyone interested in knowing how the distinct areas of
> identity, trust, and security intersect with the OpenID system, to
> research the available documentation.
>   

...except openid has serious issues with establishing identity in a 
secure manner. Especially if the server connects to your identity 
provider using http (seems to be common practice as far as I can tell). 
Using http makes MITM attack easy. Just redirect requests to an identity 
provider that always confirms the user's identity. Even if https is 
used, does the server validate the CA certificate? I have seen openid 
server software that doesn't do any checking of the SSL certificate (yes, 
there is a bug report on the issue).

Even then it is possible that a malicious website will redirect you to a 
website that looks identical to your identity provider's website, asks 
for your password, and then steals it.

Sure, an alert user will notice this; unfortunately many users would not 
notice.

If you can't establish identity in a secure manner, you can't establish 
trust, authorisation, or security in a secure manner either.

The key issue seems to be that openid wasn't designed from the ground up 
to be secure; for a secure solution you need something like Shibboleth 
<http://en.wikipedia.org/wiki/Shibboleth_(Internet2)> 
<http://shibboleth.internet2.edu/> (which I have been told *is* more 
secure) or maybe even a solution that requires web browser client 
support (e.g. Kerberos or something like Kerberos).

-- 
Brian May <brian at microcomaustralia.com.au>
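An added example, not part of this thread or of any OpenID library: a policy check an OpenID consumer could apply before talking to a discovered provider endpoint, rejecting the two weaknesses described above (an endpoint reached over plain http, and a TLS context that skips CA or hostname verification). Function names and the sample URLs are hypothetical.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit


def insecure_context():
    """TLS context that mirrors the flaw described in the mail:
    no CA chain check and no hostname check, so any certificate
    (including one presented by a man-in-the-middle) is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """TLS context that loads the system CA store and verifies both
    the certificate chain and the hostname (the library default)."""
    return ssl.create_default_context()


def endpoint_is_acceptable(endpoint_url, ctx):
    """Return (ok, reason) for a discovered provider endpoint.

    Rejects anything that would let a redirected or spoofed identity
    provider 'confirm' an identity without the consumer noticing."""
    parts = urlsplit(endpoint_url)
    if parts.scheme != "https":
        return False, "endpoint is not https; requests can be redirected"
    if not parts.hostname:
        return False, "endpoint has no host to verify a certificate against"
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        return False, "TLS context does not require a valid CA certificate"
    if not ctx.check_hostname:
        return False, "TLS context does not verify the certificate hostname"
    return True, "ok"


def fetch_with_policy(endpoint_url, ctx, timeout=10):
    """Open the endpoint only when the policy passes; raises otherwise.
    Not exercised offline, shown for how a consumer would apply the check."""
    ok, reason = endpoint_is_acceptable(endpoint_url, ctx)
    if not ok:
        raise ValueError("refusing provider endpoint: " + reason)
    return urllib.request.urlopen(endpoint_url, timeout=timeout, context=ctx)
```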