Refactoring the Debtags web interface
Brian May
brian at microcomaustralia.com.au
Tue Feb 24 00:17:23 UTC 2009
Ben Finney wrote:
> I invite anyone interested in knowing how the distinct areas of
> identity, trust, and security intersect with the OpenID system, to
> research the available documentation.
>
...except openid has serious issues with establishing identity in a
secure manner. Especially if the server connects to your identity
provider using http (seems to be common practice as far as I can tell).
Using http makes a MITM attack easy. Just redirect requests to an identity
provider that always confirms the user's identity. Even if https is
used, does the server validate the CA certificate? I have seen openid
server software that doesn't do any checking of the SSL certificate (yes
there is a bug report on the issue).
Even then it is possible that a malicious website will redirect you to a
website that looks identical to your identity provider's website, asks
for your password, and then steals it.
Sure, an alert user will notice this; unfortunately many users would not
notice.
If you can't establish identity in a secure manner, you can't establish
trust, authorisation, or security in a secure manner either.
The key issue seems to be that openid wasn't designed from the ground up
to be secure; for a secure solution you need something like Shibboleth
<http://en.wikipedia.org/wiki/Shibboleth_(Internet2)>
<http://shibboleth.internet2.edu/> (which I have been told *is* more
secure) or maybe even a solution that
requires web browser client support (e.g. Kerberos or something like
Kerberos).
--
Brian May <brian at microcomaustralia.com.au>
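As an added illustration (this is not code from the mail or from the Debtags project), the two relying-party checks the mail says are often skipped can be made explicit: refuse a plain-http identity-provider endpoint, build a TLS context that actually validates the provider's certificate and hostname, and confirm that the assertion the browser brings back names the same provider endpoint that discovery produced rather than a substituted one. The function names, the module layout and the example.net hostnames are assumptions for the example.

```python
"""Relying-party side checks for an OpenID-style login flow.

Added example, not part of the original mail. It models in plain Python
the checks that decide whether the provider can be trusted at all:
transport scheme, certificate validation, and endpoint consistency.
"""
import ssl
from urllib.parse import urlparse


class ProviderEndpointError(ValueError):
    """Raised when a discovered identity-provider endpoint is unacceptable."""


def check_provider_endpoint(url: str) -> str:
    """Return the endpoint URL if it can be used securely, else raise.

    Only https is accepted: a plain-http endpoint lets an on-path attacker
    redirect the relying party to a provider that 'confirms' any identity.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ProviderEndpointError(
            f"provider endpoint must use https, got {parts.scheme!r}")
    if not parts.hostname:
        raise ProviderEndpointError("provider endpoint has no host")
    return parts.geturl()


def verifying_tls_context() -> ssl.SSLContext:
    """TLS context that validates the chain against the system CA store and
    checks the hostname. 'Does the server validate the CA certificate?'
    comes down to these two settings when the relying party connects out.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context both requires a trusted certificate and checks
    that the certificate matches the hostname being connected to."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _endpoint_key(url: str):
    # Normalise to (scheme, host, port, path) so that an explicit :443 on
    # an https URL compares equal to the implicit default.
    parts = urlparse(url)
    default_port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, parts.port or default_port, parts.path)


def assertion_matches_discovery(discovered_endpoint: str,
                                asserted_endpoint: str) -> bool:
    """The positive assertion returned via the user's browser must name the
    provider endpoint the relying party itself discovered for that identity.
    Otherwise a malicious site can point the flow at a provider of its own
    choosing that always answers 'yes'."""
    return _endpoint_key(discovered_endpoint) == _endpoint_key(asserted_endpoint)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    discovered = check_provider_endpoint("https://id.example.net/openid")
    print("endpoint accepted:", discovered)
    print("strict TLS context:", tls_context_is_strict(verifying_tls_context()))
    print("assertion from same provider:",
          assertion_matches_discovery(discovered, "https://id.example.net:443/openid"))
    print("assertion from other provider:",
          assertion_matches_discovery(discovered, "https://attacker.example.org/openid"))
```

The endpoint comparison mirrors the "verify discovered information" step that a relying party is expected to perform before accepting an assertion; the TLS context is what any outbound HTTPS call from the relying party should be created with, and `tls_context_is_strict` is the check a code review or unit test can apply to whatever context the application actually uses.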
More information about the Debtags-devel mailing list