
Stefan Brands on OpenID Security


So this morning I wake up to this post by Stefan Brands ragging on OpenID. While he has raised some valid concerns, he seems to have been happy writing a slam piece while ignoring the work which is underway to resolve them. I'm amused that his conclusion is that "OpenID is pretty much useless", considering OpenID continues to see amazing adoption by large companies like VeriSign, AOL, Sun, Daum, Reebok, Novell and Sony, adding to adoption by the Web 2.0 and open source worlds with companies and projects like Technorati, Six Apart, WordPress, Ma.gnolia.com, 37Signals, 43Things, Plaxo, Plone, Drupal, Rails, etc. MyOpenID.com also maintains a directory of a fraction of the roughly 5,000 enabled OpenID Relying Parties, which continues to grow by about twenty sites every day! Maybe all of those sites and projects are "useless", but last I checked they power a large part of the Internet.

Yes, phishing is a problem with PayPal, Google AuthSub, Yahoo! BBAuth, AOL OpenAuth, and OpenID alike. All of these protocols start with the user at a potentially untrusted site and then redirect them to a trusted site where they are supposed to enter their credentials. While OpenID may make this worse, it also allows an easier way to better protect your account(s) compared to email today, where if someone were to break into my GMail account they could use "forgotten password" links to compromise all of my accounts. In that case I have no option but to use only a password when logging into my email provider, whereas many OpenID providers are already showcasing stronger alternatives.

As Stefan seems to have forgotten to quote, Kim Cameron continues:

We can eliminate this attack if the user employs Cardspace (or some other identity selector) to log in to the Identity Provider.
So is this just like saying, you can fix OpenID if you replace it with Cardspace? Absolutely not. In this proposal, the relying parties continue to use OpenID in its current form, so we have a very nice lightweight solution. Meanwhile Cardspace is used at the identity provider to keep credentials from being stolen. So the best aspects of OpenID are retained.

As one example, VeriSign has already integrated managed Information Cards into its Personal Identity Provider, allowing users to use CardSpace with their OpenID accounts. This is in addition to the integration with the VeriSign Identity Protection network, which allows the use of hardware one-time password tokens sold by companies like PayPal.

Ben Laurie says in a follow-up piece:

This is fine if what you protect with your OpenID is worthless, but it seems clear that these types of protocol are going to be used to authenticate for things of value. Why else would Verisign be in this game, for example? Or, indeed, Microsoft? Or IBM, HP and T-Mobile?
Finally, if I might go all Slashdot on you for a moment, from the light-at-the-end-of-the-tunnel department, David Recordon of Verisign Labs (and an editor of the OpenID specs) says "we'd love to spend time working with you to figure out what it would take to resolve your issues with the spec. With that said, I really do think that it will come from browser plugins and such." which is nice. I will accept.

Stefan also ignores work to make this happen, such as the OpenID SeatBelt Firefox add-on, which VeriSign developed and which integrates with multiple OpenID providers beyond just their own, including AOL, MyOpenID.com and XLogon.net.

Stefan goes on to quote Eugene and Vladimir Tsyrklevich's recent Black Hat presentation, but blatantly ignores its conclusion:

Whilst this paper has presented a number of attacks against OpenID, it still remains the only viable option for the Internet-wide SSO system. Some of the attacks presented are either partially solved already or can be solved with relative ease. Other attacks such as phishing and the redirect attack require further thought. However, it is our belief that OpenID can be made secure.

Unfortunately it only goes downhill from here. Stefan quotes Allen Tom on concerns he had with OpenID 2.0, but fails to point out that the email he quoted is from May and that all of the issues Allen raised have since been resolved in the latest draft of OpenID Authentication 2.0, because Allen worked with the community to resolve them.

Stefan then concludes his slanted discussion of OpenID security issues with: "Note: this is exactly what Credentica's technology does."

While I could go on with the rest of the FUD in his post, I'd rather ask why he feels it is better to rag on OpenID than to act like the people he quotes, including Kim Cameron, Ben Laurie, the Tsyrklevich brothers, and others who are working with the OpenID community to help resolve these issues. Especially in Kim's case, the technology he has created can help to resolve these concerns. Considering Stefan says Credentica's technology could be another possible solution to these problems, why isn't Stefan instead working to make that a reality?


Comments

( 27 comments — Leave a comment )
folk
Aug. 23rd, 2007 09:12 pm (UTC)
...wow.

Actually, I think we should all be implanted with RFID chips in our fingers and RSA tokens in our genitals that log in via a 802.11n network to a USB receiver on our computers. That'll help!
loic
Aug. 23rd, 2007 09:59 pm (UTC)
oh sweet, so can I use one of those paypal/verisign thingos to log into a pip account?
loic
Aug. 23rd, 2007 10:56 pm (UTC)
I'm such a sucker for gadgets. I've ordered it.

I assume I can delegate my OpenID to PIP...
vxjasonxv
Aug. 24th, 2007 08:31 pm (UTC)
You and me both.

And yes, you can.
(I kinda wish MyOpenID would support this :/.)

Speaking of... I only ever chose MyOpenID because I felt they were in the lead with rolling out stable new additions to OpenID. How is VeriSign's SREG (if it even exists)?
loic
Aug. 24th, 2007 08:36 pm (UTC)
I'm using ye olde lj for the time being
brianellin.com
Aug. 24th, 2007 12:32 am (UTC)
lame++ indeed
In response to Stefan's statement "there are virtually no OpenID consumers", myOpenID.com reached 1000 consumer affiliates (http://janrain.com/blog/2007/08/23/openid-ecosystem-continues-to-grow/) this week. OpenID is getting more and more useful every single day...
yourpostsucks
Aug. 24th, 2007 12:51 am (UTC)
You seem to be outraged that someone is pointing out flaws in your technology, and you brush away criticisms with "we're working on it!" and "lame++". This isn't very impressive; the mature and most logical thing to do, from an optimal tech perspective, is to understand the root of the criticism and use that to improve the OpenID specs. Instead you've thrown around the word "lame" as a hand-waving manoeuvre and reeled off a list of Web 2.0 Playaz who are frankly very minor entities outside of the self-back-patting echo chamber called the blogosphere. Besides, it's meaningless to say OpenID's been "adopted" by these organizations, because that's so vague it could mean anything. "Sam Stephenson just logged into his LiveJournal with OpenID!" "Holy shit, add 37signals to the list of adopters!" I'm reminded of ESR claiming that he's a key maintainer of the Internet's core infrastructure because he wrote fetchmail.

I know this is probably your implementer's bias, but it's silly to treat evaluation of OpenID as less important than writing its spec. In fact evaluating it is arguably more important since people need to know whether OpenID works for them or not. Ironically, I can see from posting this message that even your own LiveJournal rates LJ's proprietary login system over OpenID's; if I post with an OpenID, my comment is screened, whereas if I post with an LJ login, it is not. You may wish to tend to your own lawn before you start mowing someone else's.
daveman692
Aug. 24th, 2007 02:15 am (UTC)
Every company and project I listed has shipped OpenID code publicly (except Symantec who has demoed it) so it is a bit more than "Sam Stephenson just logged into his LiveJournal with OpenID!".

OpenID certainly isn't ubiquitous, certainly isn't mainstream, and certainly not core Internet infrastructure and if I said that then it certainly isn't what I meant. I completely agree that evaluating technologies and understanding feedback (good or bad) is extremely important. I'm not ignoring any of the points raised by Stefan, but do object to the method he took raising them especially when he ignores the progress that has been made since each had originally been brought to the community.

I'm not outraged that someone is pointing out flaws; in fact I've met Stefan many times in the past. What does annoy me is seeing anyone write a post, especially when they are respected within a community, which quotes other people without providing the full context of their points. OpenID isn't perfect, I've never said that it is, and my point at the end is that the majority of the people who Stefan did quote are working with the OpenID community on many of these issues. Stefan had a choice between engaging the community or writing a slam piece; he chose the latter.
(Anonymous)
Aug. 24th, 2007 04:33 am (UTC)
Response to Dave's response
Hello Dave,

If you would care to reread the first paragraph of my post, you will notice that the very objective of my post was to answer the question that you raise at the end of your response.

The short of it, as mentioned in my conclusion, is that we _cannot_ repair the most serious problems of OpenID because the architecture of OpenID is fundamentally incompatible with the multi-party security and privacy properties offered by technologies such as ours and IBM's Idemix. To fix the problems would mean a drastic overhaul of OpenID, to the point that we’re not talking about an improved OpenID system anymore. The same is to a lesser degree already true when using OpenID "in conjunction with" Windows CardSpace; in effect this constitutes a replacement of one leg of the OpenID protocol by a much more secure approach. Now, if you want to add selective disclosure, authenticated anonymity and pseudonymity (possibly with revocation capabilities), improve availability, enable privilege and entitlement management, and provide security against insider attacks originating from the Identity Provider, you will also need to rip out much of the other OpenID protocol leg.

On the latter note (security against insiders), what I am referring to is that one's OpenID provider is capable of logging into any of your online accounts, possibly in an undetectable manner. That is a lot of power, which is enjoyed not only by insiders of OpenID providers, but also by successful hackers and others who manage to gain "insider" status.

Regarding the rather silly recycling problem, this is obviously easy to overcome, and I already alluded in my post to the fact that it is not a fundamental problem. It appears from the mailing list (yes, I did care to read all follow-up posts) that it has yet to be fixed, though.

Regarding the Tsyrklevich presentation, check out http://www.emergentchaos.com/archives/2007/08/welcome_iouhgijudgviujs_p.html for a different view on what would be a more natural conclusion of their presentation.

Last, but not least, regarding Ben Laurie's follow-up post (which I also quoted from, if you read my post carefully): if you read carefully, the reason Ben wrote "it seems clear that these types of protocol are going to be used to authenticate for things of value. Why else would Verisign be in this game, for example? Or, indeed, Microsoft? Or IBM, HP and T-Mobile?" was NOT to endorse the "security" of OpenID. In contrast, this was to express his concern over the implications of the security problems _in light of the fact_ that there are efforts to use the same protocol for more serious uses. Which is exactly my concern as well.

Personally, I can't be bothered much with a sign-on system for blog comments and social networks, but if it makes other people happy, great. It would be very worrisome to me, however, if a URL-based system (whether OpenID or a variant) would become the basis for "serious" identity and access management applications such as e-commerce, e-health, e-government, general credential systems, and so forth. The recent announcement by Estonia regarding OpenID is one example of this slippery slope. It is exactly this concern that has been at the heart of thirty years of modern cryptographic research in identity and credential management. You can hardly blame me for standing up for fundamental privacy and security principles/values that I and lots of other cryptographers have dedicated many many years of their lives to, can you?

- Stefan
http://xlogon.net/boris
Aug. 24th, 2007 11:28 am (UTC)
Please change: It's xlogon.net, not .com
Just in case anyone would follow that.

Thank you, Boris
daveman692
Aug. 24th, 2007 04:29 pm (UTC)
Re: Please change: It's xlogon.net, not .com
Sorry, changed!
cobraa1.pip.verisignlabs.com
Aug. 25th, 2007 06:16 am (UTC)
I like OpenID
I think Verisign and OpenID 2.0 solved nearly all of the weaknesses of OpenID.

Verisign has done an excellent job thwarting the possibility of phishing. Their plugin, along with their hardware security key, ensure it isn't a problem.

BTW, the PayPal security key works with Verisign and is much cheaper :). It's actually the same device - it's just that PayPal decided they were willing to take a loss if it meant greater security and confidence for their users. Perhaps they're trying to fix their reputation as well, considering how bad it was in the past . . .

I love the OpenID concept - it's so nice not having to save a gazillion passwords. I hope to see it in more places in the future. Despite how much I like KeePass, I'd love to use it less often.
openid.marcoslot.net
Aug. 26th, 2007 10:39 pm (UTC)
Why bother?
"I'd rather ask why he feels it is better to rag on OpenID than act like the people he quotes"
Because it is broken beyond repair in more ways than one. It's like saying the Caesar cipher still has potential to become the next generation in cryptography. It's like encouraging everyone to use MD1 for cryptographic hashes because we know we can improve it. It's like saying it's OK to use WEP because not everyone is a hacker. It's amazing how the security community spent 50 years getting to where we are with systems like Kerberos, X509 and SSL and then when there is finally some incentive for an authentication standard for the web we go back to 0. You either have security by design or you don't have security. OpenID is flawed by phishing, DNS spoofing, changing domains, and has several other problems.

It can work, but only without passwords, with SSL by default and a system like Cardspace.... Wait a minute, if we have Cardspace, then why would we need OpenID? Service providers can just use cardspace directly. Kim Cameron knows this, but nothing keeps him from getting some of the OpenID buzz.

So if you want to spend your time on something try coming up with an Open alternative to Cardspace... Wait a minute, Cardspace is an open protocol based on existing Web Service standards.

So there's not a whole lot to do except wait for Firefox 3 to come out which will have Cardspace support just like IE7.

Always remember the first lesson in computer and network security: Leave it to the experts.
cobraa1.pip.verisignlabs.com
Aug. 27th, 2007 07:15 pm (UTC)
Re: Why bother?
"Because it is broken beyond repair in more way than one."

Are there some problems? Perhaps.

Are they beyond repair? I doubt it.

Instead of comparing OpenID to cryptography (which begs the question - is this a fair comparison?), why not tell us in plain English why it's beyond repair?

"OpenID is flawed by phishing, DNS spoofing, changing domains, and has several other problems."

Phishing is a possible problem - but there are solutions.

DNS spoofing is a problem with DNS in general, not with OpenID in particular. In addition, I thought DNS spoofing was solved a long time ago.

Changing domain names is solvable.

"Wait a minute, if we have Cardspace, then why would we need OpenID?"

I looked at the possibility of implementing Cardspace on my website - but it appears to be tied to Windows and .NET, and I'm hosting on Linux.

Do you have a link to a Linux implementation of Cardspace?

"So there's not a whole lot to do except wait for Firefox 3 to come out which will have Cardspace support just like IE7."

We need a system that works with all browsers (including Safari and Opera), and we need it sooner rather than later.
openid.marcoslot.net
Aug. 28th, 2007 09:04 am (UTC)
Re: Why bother?
"Instead of comparing OpenID to cryptography (which begs the question - is this a fair comparison?), why not tell us in plain English why it's beyond repair?"
I'm not comparing it to cryptography. I'm comparing it to perfectly good authentication protocols which have existed for almost 40 years. OpenID is the practical equivalent of the wide mouth frog protocol, a protocol mainly used to teach students how not to design an authentication protocol.

It is very important to realise what OpenID does. It does not authenticate you to the service provider. It does not authenticate you to the identity provider. It only authenticates the identity provider to the service provider with the URL as the credential. The assumption underlying OpenID is that being able to control the URL is a valid credential.

However this assumption is not correct:
1. We may use DNS spoofing to make the service provider use the wrong identity provider: http://www.securesphere.net/download/papers/dnsspoof.htm
2. An identity provider may clear up old names and hand them out to new users who then have access to all the old accounts.
3. An identity provider may disappear and the new owner may keep the identity system running giving him access to all old accounts.
4. It's just a URL, it has no value: http://www.jkg.in/openid/
5. An identity provider, being the owner of the URL, may access all accounts of its users.

We can fix the first and the third problem by using SSL and strict verification of certificates, but then we run into other problems:
1. You have to buy a certificate if you want to run an identity provider, even though we could design a system that is free. (As OpenID is supposed to be)
2. OpenID becomes a heavy weight system. Far from all web hosts have mod_ssl enabled making it impossible to use for a considerable part of the target audience.
3. When a certificate is not renewed by your provider (which, as we know, is a very common thing) you can no longer use your identity.
4. We have to assume there is no man-in-the-middle attack possible. Which is generally a false assumption. This is also a problem in current authentication systems (different password for every website) but right now it's very hard to predict when a user will authenticate. While a hacker can control it himself with OpenID, since it's not the user but the provider who is authenticating whenever someone enters your OpenID.

There are of course the privacy problems, adoption problems, phishing problems, etc. I could go on and on thinking of solutions (that's my job), but we'll end up with a bloated, expensive protocol that will benefit no one.

If we just take the almost ancient lessons of security into account we wouldn't run into these problems in the first place. Phishing is only a man-in-the-middle attack, we can fix that. Authentication only requires a unique secret, we can have that. Cardspace is not very different from OpenID in overall architecture, but it has its foundation in proven authentication protocols. It has clear definitions for user authentication and a certificate system that enables true user->service provider authentication. I'm not saying Cardspace is the solution. We never know that in security until it is broken and personally I'd prefer a system without identity providers which uses your e-mail address as your identity and certificates for authentication. (which is possible now, just not practical yet)

Sure, you can keep coming up with new versions of OpenID until it is something similar to Cardspace or other existing identity systems, but again... why bother?

"Phishing is a possible problem - but there are solutions."
Which will fail if you keep using passwords filled in on webpages, but OpenID does not have any answers to that.

"In addition, I thought DNS spoofing was solved a long time ago."
Newer DNS servers are only a bit harder to hit. The problem is solved by DNSSec, but I don't think I've ever seen that. It's not considered a serious problem anymore because these days you can get much more satisfaction out of creating zombie networks, cracking WEP or SQL injections at a fraction of the effort.

"I looked at the possibility of implementing Cardspace on my website"
Good starting point: http://xmldap.org/
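The list above (identifier recycling, a provider handing a name to a new user, "it's just a URL") and the replies to it (the recycling problem is "easy to overcome"; "make SSL a requirement") describe decisions a relying party has to make before it trusts a URL identifier. The following is an added example, not code from this post or from any OpenID library, showing the relying-party side: identifier normalisation as the OpenID 2.0 specification describes it (add a scheme, add a trailing slash to a bare host, lowercase scheme and host, drop the fragment before discovery), an optional policy that refuses plain-http identifiers, and account lookup keyed on the full claimed identifier including its fragment, which is the specification's recycling defence: a provider that reassigns a name issues it with a different fragment, so the new owner's assertion does not match the old owner's local account. The hostnames, identifiers and fragments are constructed.

```python
"""Relying-party handling of OpenID URL identifiers: normalisation,
transport policy, and recycling-safe account binding.
Added example; all identifiers below are constructed."""
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# XRIs begin with a global context symbol and are resolved differently;
# they are passed through here rather than URL-normalised.
XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!("


def normalize_identifier(user_input: str) -> str:
    """Normalise what the user typed into a discoverable identifier."""
    s = user_input.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        return s                       # XRI: left to XRI resolution
    if "://" not in s:
        s = "http://" + s              # bare host/path: assume http
    parts = urlsplit(s)
    path = parts.path or "/"           # bare host gets a trailing slash
    # Fragment is dropped for discovery; it comes back in the assertion.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       path, parts.query, ""))


class RelyingParty:
    """Minimal local-account store for a relying party."""

    def __init__(self, require_https: bool = False) -> None:
        self.require_https = require_https
        # Key is the FULL claimed identifier, fragment included.
        self.accounts: Dict[str, str] = {}

    def acceptable(self, identifier: str) -> bool:
        """Transport policy: optionally refuse identifiers whose discovery
        would happen over plain http (spoofable DNS, no server authentication)."""
        if not self.require_https:
            return True
        return urlsplit(identifier).scheme == "https"

    def link(self, claimed_id: str, local_user: str) -> None:
        """Bind a verified claimed identifier to a local account."""
        self.accounts[claimed_id] = local_user

    def account_for_assertion(self, claimed_id: str) -> Optional[str]:
        """Look up the local account for a verified positive assertion.
        A recycled name carries a new fragment, so it does not match the
        previous owner's record and gets no access to it."""
        return self.accounts.get(claimed_id)

    @staticmethod
    def display_form(claimed_id: str) -> str:
        """What to show the user: the identifier without its fragment."""
        return claimed_id.split("#", 1)[0]


if __name__ == "__main__":
    rp = RelyingParty(require_https=True)
    rp.link("https://op.example/alice#a1b2", "local-alice")
    print(rp.account_for_assertion("https://op.example/alice#a1b2"))  # local-alice
    print(rp.account_for_assertion("https://op.example/alice#c3d4"))  # None
    print(normalize_identifier("Example.COM"))                        # http://example.com/
```

The `require_https` switch is the "make SSL a requirement" policy from the thread expressed as relying-party configuration; with it off, the rest of the logic still applies and the recycling defence depends only on storing the fragment.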
cobraa1.pip.verisignlabs.com
Sep. 1st, 2007 12:08 am (UTC)
Re: Why bother?
(rather long read, you can skip to the conclusion if you want . . .)

"I'm comparing it to perfectly good authentication protocols which have existed for almost 40 years."

If we have had the ability to create a single sign on system for 40 years, why is it taking so long to implement it everywhere?

"An identity provider may clear up old names and hand them out to new users who then have access to all the old accounts."

Personally identifying information can be stored at the OpenID provider, or better yet a CardSpace card on the user's own computer, so that if such a thing happens the new user won't have the old user's info and it's immediately obvious that, despite using the same name, it's not the same user.

"We can fix the first and the third problem by using SSL and strict verification of certificates"

Agreed, and I hope that most OpenID providers use SSL. Even better, I think they should make SSL a requirement for OpenID.

"You have to buy a certificate if you want to run an identity provider, even though we could design a system that is free."

Costing money is a financial problem, not a security problem. Just because it costs money doesn't mean it's insecure.

"When a certificate is not renewed by your provider ... you can no longer use your identity."

OpenID can optionally be delegated, allowing you to set it up so that you can change providers in the event that something like that happens.

How many times have I seen my browser complain when even a big company like Yahoo forgets to renew their certificate? This is a problem with current solutions in general, not just OpenID.

"Which will fail if you keep using passwords filled in on webpages, but OpenID does not have any answers to that."

OpenID is not a specification for authentication of the user - authentication of the user is up to the provider. OpenID just confirms the identity.

For example, my provider provides a constantly changing number. Even if my password and an old number are compromised, it's useless for a new session, because I'll be using a different number the next time I log in. I have a hardware device that supplies the currently valid number - the device (as well as my password) would have to be physically stolen to be compromised.

You're right in one sense: OpenID doesn't require such things. But it doesn't prevent them from being implemented, either.

"It's just a URL, it has no value"

It uniquely identifies a user to all sites that implement OpenID.

"I could go on and on thinking of solutions (that's my job), but we'll end up with a bloated, expensive protocol that will benefit no one."

I am currently using a provider that implements a lot of fixes for all of the problems you see - and it works fine.

"Phishing is only a man-in-the-middle attack, we can fix that."

You're right, and many OpenID providers have that problem fixed.

"Authentication only requires a unique secret, we can have that."

You're right, and many OpenID providers have that problem fixed. In fact, it's part of the 2.0 protocol (currently optional, unfortunately).

"Cardspace is not very different from OpenID in overall architecture"

They work together nicely, actually. CardSpace actually supports OpenID - Verisign provides me with CardSpace cards for each OpenID I have.


CONCLUSION: From what I can tell, the biggest problem with OpenID isn't that security is impossible - it's that all of the more secure stuff is optional. In which case, I agree there's a problem: The problem is that they don't require that it be secure.

If you choose your OpenID provider carefully, you can choose one that solves most or all of those problems.

"Sure, you can keep coming up with new versions of OpenID until it is something similar to Cardspace or other existing identity systems, but again... why bother?"

After some research, turns out Cardspace by itself isn't a provider of identity - it's a framework for identity solutions to use. OpenID is one specific implementation that can be used with Cardspace.

If a website supports both Cardspace and OpenID, and your OpenID provider provides OpenID cards (Verisign does, dunno about other providers), you can actually use Cardspace to login with your OpenID identity :). Cardspace supplies the interface and OpenID supplies the identity.
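The post mentions hardware one-time password tokens at the VeriSign provider, and the comment above explains why a captured password plus an old token value is useless for a new session. The following is an added example, not code from this post or from VeriSign, of the server side of a counter-based OATH token (RFC 4226 HOTP): the code derivation, a look-ahead window so a token pressed without the server seeing it can resynchronise, and a counter that advances past every accepted value so a replayed code is rejected. The shared secret is the RFC 4226 test-vector secret, and the account, salt and password are constructed.

```python
"""HOTP (RFC 4226) verification with resynchronisation window, combined
with a password check as a second factor. Added example; the secret is
the RFC 4226 test secret and the account data is constructed."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter step: HMAC-SHA1, dynamic truncation,
    then reduce to `digits` decimal digits (RFC 4226 section 5.3)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenState:
    """Server-side record for one enrolled token: the shared secret and
    the next counter value the server expects."""

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 10) -> None:
        self.secret = secret
        self.counter = counter
        self.look_ahead = look_ahead


def verify_hotp(token: TokenState, submitted: str) -> bool:
    """Accept `submitted` if it matches any of the next `look_ahead`
    counter values, then move the counter past the matched value. A code
    for an already-consumed counter (a replay) never matches again."""
    for step in range(token.look_ahead):
        candidate = token.counter + step
        if hmac.compare_digest(hotp(token.secret, candidate), submitted):
            token.counter = candidate + 1
            return True
    return False


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Constructed account: salted password hash plus an enrolled token."""

    def __init__(self, password: str, token: TokenState) -> None:
        self.salt = b"constructed-salt-not-random"   # constructed for the example
        self.pw_hash = _password_hash(password, self.salt)
        self.token = token


def two_factor_login(account: Account, password: str, code: str) -> bool:
    """Both factors are checked on every attempt (no short-circuit), so a
    wrong password and a wrong code take the same path and the attacker
    learns nothing about which factor failed."""
    pw_ok = hmac.compare_digest(_password_hash(password, account.salt), account.pw_hash)
    otp_ok = verify_hotp(account.token, code)
    return pw_ok and otp_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"                # RFC 4226 test secret
    acct = Account("correct horse", TokenState(secret))
    print(two_factor_login(acct, "correct horse", hotp(secret, 0)))  # True
    print(two_factor_login(acct, "correct horse", hotp(secret, 0)))  # False: replay
```

The look-ahead window is the usual trade-off: a larger window tolerates more unsynchronised button presses but gives a guessing attacker more valid codes per attempt, so deployments pair it with attempt rate limiting.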
cobraa1.pip.verisignlabs.com
Sep. 1st, 2007 12:53 am (UTC)
Re: Why bother?
Yeah, after all this discussion, there seems to be a big hole in OpenID - and it's not all of this technical stuff.

It's this:

a) You have to trust your OpenID provider. Verisign has a long history in the security business, so I'm pretty confident about them - but what about smaller operations such as myopenid.com? How do we know we can trust "JanRain"?

b) OpenID makes all of the security stuff optional, so it's up to you to ensure your OpenID provider is implementing all of the security stuff.

The biggest problem isn't going to be all this technical stuff - the biggest problem is some scammer opening his own OpenID server. The scammer doesn't even have to fake somebody else's website - he just has to pretend he's trustworthy.

Personally, I'd advise people to avoid a lot of the new startups and small operations - you never know who is behind them.

If you want an openID, use a well known company and check them with the Better Business Bureau.

Or, if you have your own web servers, just host your own OpenID.
hex
Apr. 13th, 2008 07:39 pm (UTC)
Re: Why bother?
You have to buy a certificate

Not any more.

-- Earle (I'd be logged in via OpenID if LiveJournal would only get their act together and let me tie it to my account)
humaneasy.myopenid.com
Jan. 21st, 2009 12:41 pm (UTC)
Re: Why bother?
"3 An identity provider may disappear and the new owner may keep the identity system running giving him access to all old accounts. "

You can solve this by installing your own server. If you go that way, nothing is really trustful on the Internet or even in current society (remember the economic crisis today, triple-A companies yesterday)... err, better said: nothing is trustful.
vxjasonxv
Aug. 27th, 2007 11:07 pm (UTC)
Re: Why bother?
So there's not a whole lot to do except wait for Firefox 3 to come out which will have Cardspace support just like IE7.

I'll direct you back to the post itself.


So is this just like saying, you can fix OpenID if you replace it with Cardspace? Absolutely not. In this proposal, the relying parties continue to use OpenID in its current form, so we have a very nice lightweight solution. Meanwhile Cardspace is used at the identity provider to keep credentials from being stolen. So the best aspects of OpenID are retained.
cobraa1.pip.verisignlabs.com
Sep. 1st, 2007 06:16 am (UTC)
I've been thinking a bit more . . .

. . . what about public computers?

Cardspace like solutions are great for your own personal PC - but maybe not so good on an untrusted public computer.

Of course, I don't trust any computer but my own, so I avoid using public computers anyways.

You're right, we can avoid much of the troubles of OpenID by using Cardspace. We just gotta get everybody to implement it.

In the meantime, I think I'll keep my OpenID. I have a feeling everybody's going to implement it despite potential problems.

xmldap.org looks good, but I don't know if my web provider supports Java :(. I'll see if I can find something in PHP.
cobraa1.pip.verisignlabs.com
Sep. 1st, 2007 07:50 am (UTC)
I've been looking at Cardspace, and one thing is obvious: Cardspace is not, by itself, an identity provider. It's a GUI for other providers to use.

The only thing resembling an identity provider in Cardspace is Personal Information Cards (PIC), and they can only contain certain types of information. If you want more information stored on the user's machine than what's on a PIC, you have to either supply your own cards to the user or ask them to use a provider that supplies that info.

Also, Cardspace itself doesn't seem to be quite as secure: It'll gladly give your info to anybody you allow it to, and I don't see any protection against man-in-the-middle and replay attacks. Where are the shared secrets and nonces in the Cardspace specs?

Maybe I'm blind, but I'm not seeing any of that stuff in the Cardspace specs.

Cardspace turns out to be just like OpenID: You're depending on your identity provider to supply the anti-phishing and anti-replay protection. The problem is the same, just wrapped in a prettier package.
(Anonymous)
Sep. 23rd, 2007 11:21 am (UTC)
Where are the answers?
Stefan raised a lot of points, while you have answered only some, and even those were more like pointing to things that do not yet exist. What about the other answers? See
http://storm.alert.sk/blog/identity/openid-dogfight.html
and
http://storm.alert.sk/blog/identity/king-of-fools.html

BTW, I've tried to log in with my OpenID-enabled _XRI_ on this site and that failed. I know that it is a v2 feature (only drafted), but that maybe gives some hints about real acceptance of recent OpenID developments ...

=radovan
makenshi_fox
May. 27th, 2008 09:01 am (UTC)
There is a simple way to protect yourself against OpenID phishing attacks and that is to use a provider that provides the ability to prevent log-ins from a referral. That means the only way you can log into your account is by going directly to your provider's website. Of course that doesn't stop attacks by an unscrupulous administrator doing DNS or proxy attacks, but it will stop most if not all phishing attacks.
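The comment above describes a provider policy: credentials are only accepted on a direct visit, never inside a flow a relying party redirected the user into. The following is an added example, not code from this post or from any OpenID provider, of that policy in a simplified provider: the `checkid` handler that receives a relying party's redirect never renders a password form and answers `cancel` when no session exists, while the password form lives on a separate `direct_login` endpoint the user reaches by typing the provider's address. Since the redirected flow cannot prompt for a password, a site that spoofs the provider's login page is asking for something the real provider would never ask for in that context. The provider hostname, user and password are constructed.

```python
"""Provider-side 'no login from a referral' policy for OpenID checkid
requests. Added example; hostnames, users and passwords are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PROVIDER_BASE = "https://op.example/"          # constructed provider host


class Provider:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # name -> (salt, hash)
        self.sessions: Dict[str, str] = {}                 # cookie -> name

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def direct_login(self, username: str, password: str) -> Optional[str]:
        """The only endpoint that accepts a password. It is reached by the
        user visiting the provider directly; nothing in the redirect flow
        links to it. Returns a session cookie on success, else None."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(self._hash(password, salt), stored):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = username
        return cookie

    def checkid(self, session_cookie: Optional[str], claimed_id: str) -> Dict[str, str]:
        """Handle a relying party's checkid_setup redirect. Never shows a
        login form: with no live session the answer is a cancel response,
        and the user has to open the provider directly and come back."""
        user = self.sessions.get(session_cookie or "")
        if user is None:
            return {"openid.mode": "cancel", "reason": "no session; log in directly"}
        if claimed_id != PROVIDER_BASE + user:
            return {"openid.mode": "cancel", "reason": "identifier not owned by session"}
        # A real provider would also ask the user to approve the relying
        # party and sign the response; omitted here to keep the policy visible.
        return {"openid.mode": "id_res", "openid.claimed_id": claimed_id}


if __name__ == "__main__":
    op = Provider()
    op.register("alice", "correct horse")
    print(op.checkid(None, PROVIDER_BASE + "alice")["openid.mode"])     # cancel
    cookie = op.direct_login("alice", "correct horse")
    print(op.checkid(cookie, PROVIDER_BASE + "alice")["openid.mode"])   # id_res
```

As the comment notes, this stops credential phishing through the redirect but not an attacker who controls DNS or sits on the path to the provider; those need the transport and certificate checks discussed elsewhere in the thread.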
http://id.l3ib.org/andrewy/
May. 27th, 2008 03:56 pm (UTC)
GPG
Using GPG/PGP as an authentication method should help with phishing attacks. The string you sign is random, so phishing is only useful if you can get the same random string twice. Adding a timestamp to the string might help.
http://id.l3ib.org is a beta OpenID provider that uses this method. The only provider I know of that used GPG/PGP shut down, which illustrates another problem with OpenID: what do you do if your provider disappears?
tinamorrissey
Jan. 17th, 2013 06:34 am (UTC)
Reputation services that other companies offer are really effective. But we should know that there are others that are not. We should know that there is fraud in this type of business. Avoid and learn the process to be sure.

Online Reputation Services