- From: Michael Tänzer <NEOatNHNG AT users.sourceforge.net>
- To: cacert-devel AT lists.cacert.org
- Subject: Security of OAuth and OpenID
- Date: Fri, 10 Jul 2009 18:31:55 +0200
Hi,
I just read through some of the design documents for birdshack and,
although I think that separating the web front end from the core system
is a good thing to make it more secure, I don't think we should go as far
as providing the API to the whole world (although that seems to be
trendy currently).
The reason why I think so is that if we provide OpenID or OAuth some
websites may actually use it, and those websites don't necessarily have to
be good guys. Normally that wouldn't be a problem, as both protocols
involve that the user is supposed to be redirected to our own site,
authenticates there and we pass a token to the site he actually wanted
to use, which in turn knows that the user has been properly
authenticated/can access our data. As the user only enters his
credentials at our site, the bad site won't see them.
That's how it's supposed to be – but what happens if the site doesn't
redirect to us but instead presents its own login form, which happens
to look exactly the same as ours? You're right, you have an A+ phishing
attack. Not only do you not have to send thousands of spam mails
with strange links which, after long years of user education (if such a
thing exists), fewer and fewer people will click; even more sophisticated
users will fall for the trick, as the process is totally streamlined: no
suspicious email, just the things you will have got used to in an OpenID
authentication.
Marco Slot has published some PoCs about OpenID phishing:
http://marcoslot.net/apps/openid/
Well, that is only OpenID, but as OAuth works in a similar way I guess his
approaches also apply. In a high security environment such as ours we
probably don't want to try.
I think we can still use both systems to separate our core system from
our front ends, but the core system should also authenticate the
requesting front end and we should only allow systems controlled by us
to use it. Other sites can still use client certificates for
authentication of our users if they want to, but we should avoid users
getting accustomed to a login form to enter their CAcert credentials
when visiting a third-party site. If we only use it internally we
probably stay on the same main domain, so the user won't even notice
that there is OAuth involved.
Cheers,
Michael
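The mitigation the message proposes, the core system authenticating the requesting front end and accepting only front ends it operates, sketched as an added example (not code from the message, birdshack or CAcert). The client registry, the shared secrets, the domain `example.org` and the HMAC-signed request format are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample registry of front ends operated by the CA itself:
# client id -> (shared secret, the one exact redirect URI it may use).
FRONT_ENDS = {
    "www-frontend": ("s3cr3t-www-frontend-key", "https://www.example.org/auth/callback"),
}
MAIN_DOMAIN = "example.org"   # assumed "main domain" from the message
SEEN_NONCES = set()           # per-process replay cache; persist it in a real deployment


def redirect_uri_allowed(uri, registered):
    """Exact match against the registered URI, and https on the main domain."""
    if uri != registered:
        return False
    parts = urlsplit(uri)
    host = parts.hostname or ""
    on_domain = host == MAIN_DOMAIN or host.endswith("." + MAIN_DOMAIN)
    return parts.scheme == "https" and on_domain


def sign_request(secret, client_id, redirect_uri, nonce):
    """HMAC-SHA256 over the request fields; the front end sends this with its request."""
    msg = "\n".join([client_id, redirect_uri, nonce]).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def authorize_front_end(client_id, redirect_uri, nonce, signature):
    """Core-system check run before any login form is shown for this request.
    Returns (ok, reason). Unknown front ends, off-domain or unregistered
    redirect URIs, bad signatures and replayed nonces are all rejected."""
    entry = FRONT_ENDS.get(client_id)
    if entry is None:
        return False, "unknown front end"
    secret, registered_uri = entry
    if not redirect_uri_allowed(redirect_uri, registered_uri):
        return False, "redirect URI not registered or off main domain"
    expected = sign_request(secret, client_id, redirect_uri, nonce)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if nonce in SEEN_NONCES:
        return False, "replayed request"
    SEEN_NONCES.add(nonce)
    return True, "ok"
```

A third-party site that never redirects to the core system is simply not in the registry, so it cannot obtain a token however convincing its own login form looks.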