Black Hats on OpenID

From Bob Blakely, a pointer (via Pamela Dingle) to this article on OpenID that was presented at the last Black Hat security conference. It makes some very interesting points about OpenID security.

Some takeaways from the article:

  • An OpenID provider knows all the sites you authenticate to. From a privacy standpoint, I am not personally OK with that. Others will have different pain thresholds on this.
  • OpenID is vulnerable to session hijacking if the redirect from the OpenID provider to the relying party is not done over SSL. This obviously applies to both the OP and the RP. Of course, while this is certainly a danger, it is no different from the risk of session hijacking that can happen at any time after authentication, as I discuss here.
  • If the user can be lured to a malicious site, a cross-site request forgery attack can be used. The attacker could try to guess other sites for which the user has OpenID enabled and count on the fact that, by authenticating to the malicious site, the user now has a current session at the OpenID provider. If OpenID ever reaches widespread adoption for sensitive applications (i.e. the kinds that attract hackers), this kind of attack will be very likely.
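The relying-party side of the last two points, as an added example that is not from the post: it only accepts an assertion that this browser session actually started, that comes back to the HTTPS return_to the RP asked for, and whose response_nonce has not been seen before. The `session` dict, the in-memory nonce set and the rp.example/op.example values are assumptions; the openid.* parameter names are the real OpenID 2.0 ones.

```python
import time
from datetime import datetime, timezone
from urllib.parse import urlsplit

NONCE_MAX_AGE_SECONDS = 300  # reject assertions whose OP timestamp is older than this
_seen_nonces = set()         # assumption: in production this is storage shared by every RP node
# Fields OpenID 2.0 (section 10.1) requires the OP to cover with openid.sig.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

def nonce_timestamp(nonce):
    """Epoch seconds of the UTC prefix of an openid.response_nonce; ValueError if malformed."""
    ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc).timestamp()

def check_assertion(params, session, now=None):
    """Validate a positive assertion (openid.mode=id_res) against the state this
    browser session stored when the RP started the login (openid.sig assumed already
    verified). `session` is a dict standing in for the RP's server-side session."""
    now = time.time() if now is None else now
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    pending = session.get("openid_pending")
    if pending is None:
        return False, "no login was started from this session"
    # Exact HTTPS return_to this session asked for: the redirect is never sent in cleartext.
    return_to = params.get("openid.return_to", "")
    if return_to != pending["return_to"] or urlsplit(return_to).scheme != "https":
        return False, "return_to mismatch or not https"
    if params.get("openid.op_endpoint") != pending["op_endpoint"]:
        return False, "assertion from an unexpected OP"
    if not REQUIRED_SIGNED <= set(params.get("openid.signed", "").split(",")):
        return False, "required fields not covered by the signature"
    nonce = params.get("openid.response_nonce", "")
    try:
        issued = nonce_timestamp(nonce)
    except ValueError:
        return False, "malformed response_nonce"
    if not (now - NONCE_MAX_AGE_SECONDS <= issued <= now + 60):
        return False, "stale response_nonce"
    if nonce in _seen_nonces:
        return False, "replayed response_nonce"
    _seen_nonces.add(nonce)
    session.pop("openid_pending")  # each started login accepts exactly one assertion
    return True, "ok"

def constructed_assertion():
    """Constructed sample of the openid.* parameters an OP redirect carries (not real data)."""
    return {"openid.mode": "id_res", "openid.return_to": "https://rp.example/openid/return",
            "openid.op_endpoint": "https://op.example/server", "openid.response_nonce": "2008-09-01T12:00:00Zabc123",
            "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"}
```

These checks tie an assertion to a login the RP itself began in this session and stop replays; they do not change what the OP knows about the user, which is the first bullet's point.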

(Mirrored from TalkBMC)
