Skip to Content.
Sympa Menu

cacert-devel - Re: Security of OAuth and OpenID

Subject: CAcert Code Development list.

List archive

Re: Security of OAuth and OpenID


Chronological Thread 
  • From: Alejandro Mery Pellegrini <amery AT cacert.org>
  • To: cacert-devel AT lists.cacert.org
  • Subject: Re: Security of OAuth and OpenID
  • Date: Fri, 10 Jul 2009 23:08:08 +0200
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
  • Organization: CAcert.org

Michael Tänzer wrote:
Hi,

I just read through some of the design documents for birdshack and
although I think that separating the web front end from the core system
is a good thing to make it more secure I don't think we should go as far
as providing the API to the whole world (although it seems to be the
trendy currently).
The reason why I think so is that if we provide OpenID or OAuth some
websites may actually use it and those website don't necessarily have to
be good guys. Normally that wouldn't be a problem as both protocols
involve that the user is supposed redirected to our own site,
authenticates there and we pass a token to the site he actually wanted
to use, which in turn knows that the user has been properly
authenticated/can access our data. As the user only enters his
credentials at our site the bad site won't see them.

That's how it's supposed to be – but what happens if the site doesn't
redirect to us but instead presents it's own log in form which happens
to look exactly the same as ours? You're right, you have a A+ phishing
attack. Not only, that you don't have to send thousands of spam mails
with strange links which after long years of user education (if such a
thing exists) fewer and fewer people will click, even more sophisticated
users will fall for the trick as the process is totally streamlined, no
suspicious email, just the things you will have got used to in a OpenID
authentication.

Marco Slot has published some PoCs about OpenID phishing
http://marcoslot.net/apps/openid/
Well that is only OpenID but as OAuth works in a similar way I guess his
approaches also apply. In a high security environment such as ours we
probably don't want to try.

I think we still can use both systems to separate our core system from
our front ends, but the core system should also authenticate the
requesting front end and we should only allow systems controlled by us
to use it. Other sites can still use client certificates for
authentication of our users if they want to, but we should avoid users
getting accustomed to a log in form to enter their CAcert credentials
when visiting a third party site, if we only use it internally we
probably stay on the same main domain, so the user won't even notice
that there is OAuth involved.

Hi Michael,

when I was actively thinking in this, the idea was to have application accounts. all application were supposed to be bound to one or more assured members and an application would need explicit permissions to be used "publicly" (i.e. by other members beside those responsible for each app).

does this make sense to you for helping us against these problems?

any comment is welcomed.

Alejandro

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature




Archive powered by MHonArc 2.6.16.

Top of Page