OpenID and the web

Hello list,

I'm curious what the group thinks about the recent surge in support for OpenID across the web and the impact it will have.

1) Beemba - http://www.beemba.com
2) ClaimID - http://www.claimid.com
3) MyOpenID - http://www.myopenid.com

These sites are gaining in popularity quickly, and with the announcements of support from big players Yahoo, Microsoft and Google, combined with smaller web 2.0 celeb-run sites like Digg, OpenID appears to be what will eventually be the norm.

Thoughts?

I've also noticed that many of these sites are bundling Information Card support (CardSpace on Windows). Sounds like a good idea as it complements OpenID and helps address some weaknesses.

Again, any thoughts?

I'm really just interested in a dialog.

-sr
Re: OpenID and the web

> I'm curious what the group thinks about the recent
> surge in support for OpenID across the web and the
> impact it will have.

We've not seen any real surge beyond announcements from the tech providers.

> These sites are gaining in popularity quickly and with
> the announcements of support from big players Yahoo,
> Microsoft and Google, combined with smaller web2.0
> celeb-run sites like Digg, OpenID appears to be what will
> eventually be the norm.
>
> Thoughts?

Are you sure? Passport and Liberty Alliance also had lots of press and support, but they never seemed to get off the ground in any big way, any more than CORBA, X.500 directories/LDAP, PKI.... The ideas may be good, but cooperation among competitors has always been low and slow.

David
Re: OpenID and the web

Sounds like a goldmine for spammers...

... hey, I still don't get it... what are these sites' visions?

----- Original Message -----
From: "Steven Rakick" <stevenrakick@...>
To: <webappsec@...>; <securitybasics@...>
Sent: Sunday, March 23, 2008 8:15 PM
Subject: OpenID and the web

> Hello list,
>
> I'm curious what the group thinks about the recent
> surge in support for OpenID across the web and the
> impact it will have.
>
> 1) Beemba - http://www.beemba.com
> 2) ClaimID - http://www.claimid.com
> 3) MyOpenID - http://www.myopenid.com
>
> These sites are gaining in popularity quickly and with
> the announcements of support from big players Yahoo,
> Microsoft and Google, combined with smaller web2.0
> celeb-run sites like Digg, OpenID appears to be what will
> eventually be the norm.
>
> Thoughts?
>
> I've also noticed that many of these sites are
> bundling Information Card support (CardSpace on
> Windows). Sounds like a good idea as it complements
> OpenID and helps address some weaknesses.
>
> Again, any thoughts?
>
> I'm really just interested in a dialog.
>
> -sr
Re: OpenID and the web

Personally, I don't see the use. It's just as much trouble to configure it for the supporting sites as it is to sign up for that site in the first place. Most of the people that support it now, I already have 'regular' accounts for, and no compelling reason to switch it - especially if I'm in a hurry (which, like most of us, is all the time).

And while support surges - I don't see adoption picking up the same way. Only my geek friends know about it, and even less of those people even use it.

Unlike Passport and other big splashes in this space, at least it's more of an open system. Passport (which was first code named Hailstorm) never really made it past Microsoft's gates, and eventually just morphed into MS's Live ID today... in other words, their single sign-on solution for their own network of web stops. But like another poster indicated, it was a lot of press without a long lasting impact.

Maybe OpenID is different, but I haven't been impressed yet.

Eric Marden
xentek: enlightened internet solutions
http://xentek.net/

On Mar 23, 2008, at 8:15 AM, Steven Rakick wrote:
> Hello list,
>
> I'm curious what the group thinks about the recent
> surge in support for OpenID across the web and the
> impact it will have.
>
> 1) Beemba - http://www.beemba.com
> 2) ClaimID - http://www.claimid.com
> 3) MyOpenID - http://www.myopenid.com
>
> These sites are gaining in popularity quickly and with
> the announcements of support from big players Yahoo,
> Microsoft and Google, combined with smaller web2.0
> celeb-run sites like Digg, OpenID appears to be what will
> eventually be the norm.
>
> Thoughts?
>
> I've also noticed that many of these sites are
> bundling Information Card support (CardSpace on
> Windows). Sounds like a good idea as it complements
> OpenID and helps address some weaknesses.
>
> Again, any thoughts?
>
> I'm really just interested in a dialog.
>
> -sr
Re: OpenID and the web

Yes, it is difficult to configure it for supporting sites.

But it does save us from registering at multiple websites & remembering the passwords of each of them.

- Babu

At 06:53 AM 3/26/2008, Eric Marden wrote:
> Personally, I don't see the use. It's just as much trouble to configure
> it for the supporting sites, as it is to sign up for that site in the
> first place. Most of the people that support it now, I already have
> 'regular' accounts for, and no compelling reason to switch it -
> especially if I'm in a hurry (which, like most of us, is all the time).
>
> And while support surges - I don't see adoption picking up the same
> way. Only my geek friends know about it, and even less of those people
> even use it.
>
> Unlike Passport and other big splashes in this space, at least it's
> more of an open system. Passport (which was first code named
> Hailstorm) never really made it past Microsoft's gates, and eventually
> just morphed into MS's Live ID today... in other words, their
> single sign-on solution for their own network of web stops. But
> like another poster indicated, it was a lot of press without a long
> lasting impact.
>
> Maybe OpenID is different, but I haven't been impressed yet.
>
> Eric Marden
> xentek: enlightened internet solutions
> http://xentek.net/
>
> On Mar 23, 2008, at 8:15 AM, Steven Rakick wrote:
>> Hello list,
>>
>> I'm curious what the group thinks about the recent
>> surge in support for OpenID across the web and the
>> impact it will have.
>>
>> 1) Beemba - http://www.beemba.com
>> 2) ClaimID - http://www.claimid.com
>> 3) MyOpenID - http://www.myopenid.com
>>
>> These sites are gaining in popularity quickly and with
>> the announcements of support from big players Yahoo,
>> Microsoft and Google, combined with smaller web2.0
>> celeb-run sites like Digg, OpenID appears to be what will
>> eventually be the norm.
>>
>> Thoughts?
>>
>> I've also noticed that many of these sites are
>> bundling Information Card support (CardSpace on
>> Windows). Sounds like a good idea as it complements
>> OpenID and helps address some weaknesses.
>>
>> Again, any thoughts?
>>
>> I'm really just interested in a dialog.
>>
>> -sr
Re: OpenID and the web

On 3/27/08, Babu.N <babun@...> wrote:
>
> Yes, it is difficult to configure it for supporting sites.
>
> But it does save us from registering at multiple websites &
> remembering the passwords of each of them.

It also makes it that much simpler for a malicious user to gain access to every account you have after getting the password for only one. If you use a different account name and password at every single website, then if one account is compromised then all your other accounts are safe.

--
Razi
Re: OpenID and the web

On Thu, Mar 27, 2008 at 7:47 AM, Razi Shaban <razishaban@...> wrote:
> On 3/27/08, Babu.N <babun@...> wrote:
> >
> > Yes, it is difficult to configure it for supporting sites.
> >
> > But it does save us from registering at multiple websites &
> > remembering the passwords of each of them.
>
> It also makes it that much simpler for a malicious user to gain access
> to every account you have after getting the password for only one.

But it also makes it easier to use stronger authentication. Nobody would want to put up with, say, tokens or client certificates for *every* website they use. For your online banking, maybe, but not for your email and your blog and 20 random forum websites. But if you only have to sign in once, your tolerance for security measures should go up.

My main question, without having looked into it yet, is what kind of protocols this uses. There is already SAML, for instance. Has OpenID invented yet another way to do SSO, or are they using an existing method?
Re: OpenID and the web

> Yes, it is difficult to configure it for supporting sites.
>
> But it does save us from registering at multiple websites &
> remembering the passwords of each of them.

Single sign-on only is truly useful if nearly all sites adopt it, unfortunately. After all, I have a Password Safe file that contains 225 entries now (many are business-related, but many are for the various personal sites I'm registered at). If 25 sites adopt a common SSO, I'd still have 200 entries, meaning I'd still need/use Password Safe (or other password manager, which is really extremely useful and easy to use and allows me to effectively remember all passwords by only remembering one good pass phrase that never is shared with anybody). If they all adopted, then I wouldn't need it, which would be awesome, but seems unlikely to happen, and of course there are passwords I have to "remember" that are not for web sites.

Also, isn't entering the pseudo-random numbers subject to MITM with replay attack? I've not researched it much, but in general you need to ID yourself and give the value, at which time the info used could be replayed.

Also, those in control of the ID databases have to be trusted that their employees/contractors/outsourcers won't somehow steal or otherwise lose control of the data, something we see all the time with sensitive financial and medical records. If you break my password at one site today (such as a data loss or other phishing scam, etc.), you don't get access to all my accounts like you would through SSO.

Don't get me wrong, I like SSO in general, but I think "universal SSO" is extremely unlikely. There are control issues, liability issues, risk management issues and just plain old competitor cooperation issues.

David
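The replay question David raises has a concrete answer in the OpenID 2.0 protocol: a positive assertion carries a response_nonce (a UTC timestamp followed by unique characters) that the relying party must refuse to accept twice, and the nonce, return_to and identity fields are covered by an HMAC under the association key shared with the provider, so a captured assertion can neither be re-submitted nor edited. The code below is an added example written for this thread, not code from the list or from any OpenID library; it follows the key-value signing shape of the OpenID 2.0 specification, and the association key, endpoints and identifiers it uses are constructed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed values for this example: in a real deployment the MAC key comes
# from the association established with the OP, and return_to is the RP's own URL.
ASSOC_HANDLE = "assoc-example-1"
MAC_KEY = bytes(range(32))          # 32-byte HMAC-SHA256 association key (constructed)
RP_RETURN_TO = "https://rp.example/openid/return"
NONCE_MAX_AGE = timedelta(minutes=5)
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")


def kv_form(fields, signed):
    """Key-Value form of the signed fields: 'name:value\\n' per field, 'openid.' prefix stripped."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)


def compute_sig(fields, signed, mac_key):
    """base64(HMAC-SHA256(mac_key, kv_form)), the HMAC-SHA256 association type of OpenID 2.0."""
    mac = hmac.new(mac_key, kv_form(fields, signed).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def nonce_time(nonce):
    """The nonce must start with a UTC RFC 3339 timestamp ('YYYY-MM-DDThh:mm:ssZ'); parse it."""
    return datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def verify_assertion(fields, seen_nonces, now):
    """Verify a positive assertion; returns (accepted, reason). seen_nonces is the RP's replay store."""
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if fields.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle"
    signed = fields.get("openid.signed", "").split(",")
    if any(name not in signed for name in REQUIRED_SIGNED):
        return False, "required field not covered by signature"
    if any("openid." + name not in fields for name in signed):
        return False, "signed field missing from response"
    expected = compute_sig(fields, signed, MAC_KEY)
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return False, "bad signature"
    # The signed return_to pins the assertion to this RP and this callback URL.
    if fields["openid.return_to"] != RP_RETURN_TO:
        return False, "return_to mismatch"
    nonce = fields["openid.response_nonce"]
    if len(nonce) > 255:
        return False, "nonce too long"
    try:
        issued = nonce_time(nonce)
    except ValueError:
        return False, "malformed nonce timestamp"
    # Bound the replay store: anything outside the window is rejected without a lookup.
    if not (now - NONCE_MAX_AGE <= issued <= now + NONCE_MAX_AGE):
        return False, "stale nonce"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"


def make_assertion(nonce, return_to=RP_RETURN_TO):
    """Build a signed positive assertion the way an OP would (constructed test data)."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": "https://alice.op.example/",
        "openid.identity": "https://alice.op.example/",
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = compute_sig(fields, signed, MAC_KEY)
    return fields


def demo():
    """Accept a fresh assertion once, then reject a replay, a tampered copy and an old nonce."""
    now = datetime(2008, 3, 27, 12, 0, 0, tzinfo=timezone.utc)
    seen = set()
    assertion = make_assertion("2008-03-27T11:59:30ZUNIQUE01")
    first = verify_assertion(assertion, seen, now)
    replay = verify_assertion(assertion, seen, now)
    tampered = {**assertion, "openid.identity": "https://mallory.op.example/"}
    forged = verify_assertion(tampered, seen, now)
    stale = verify_assertion(make_assertion("2008-03-27T10:00:00ZOLD"), seen, now)
    return first, replay, forged, stale


if __name__ == "__main__":
    print(demo())
```

The replay store only has to remember nonces inside the freshness window, which is what keeps it small; the window also has to tolerate clock skew between provider and relying party, hence the symmetric bound. A man in the middle who can read the assertion can still only submit it once, and only to the return_to it was signed for.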
RE: OpenID and the web

Unfortunately another drawback is that SSO (in general) makes XSRF even more dangerous, as logging in to one malicious site, or if you have a Trojan, might compromise your data in several other sites and open the door to a chain reaction similar to the XSS worm for MySpace.

However SSO is a need for many people that anyway use password recycling to obtain the "same effect". If well used, SSO could be beneficial, as you can learn one single strong password rather than dozens of easy-to-remember ones. Notice the "if well used" at the beginning of the statement: "there is no patch for stupidity".

Regards,
Juan Carlos Calderon

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Razi Shaban
Sent: Thursday, 27 March 2008 05:47 a.m.
To: Babu.N
Cc: Eric Marden; webappsec@...
Subject: Re: OpenID and the web

On 3/27/08, Babu.N <babun@...> wrote:
>
> Yes, it is difficult to configure it for supporting sites.
>
> But it does save us from registering at multiple websites &
> remembering the passwords of each of them.

It also makes it that much simpler for a malicious user to gain access to every account you have after getting the password for only one. If you use a different account name and password at every single website, then if one account is compromised then all your other accounts are safe.

--
Razi
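Juan Carlos's point that SSO widens what a cross-site request forgery can reach is a problem each relying site has to solve for itself, since the browser attaches the site's cookies to a cross-site POST whether the session came from SSO or from a local login. The standard countermeasure is a per-session anti-forgery token that the page embeds in its forms and the server checks on every state-changing request, with the Origin or Referer header as a second check. The following is an added example for this thread, not code from the list or from any framework; the site origin, session layout and request shapes are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the protected site (constructed for this example).
SITE_ORIGIN = "https://app.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session; pages embed it in their forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(headers):
    """Origin header if present, else the origin part of Referer, else None."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def is_request_allowed(method, headers, form, session):
    """Decide whether a request may change state; returns (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # A logged-in session alone proves nothing about who initiated the request.
    if "user" not in session:
        return False, "not authenticated"
    origin = request_origin(headers)
    if origin is None:
        return False, "no Origin or Referer"
    if origin != SITE_ORIGIN:
        return False, "cross-site origin"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not expected or not hmac.compare_digest(submitted, expected):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Constructed requests: one legitimate, one forged from another site, one with no token."""
    session = {"user": "alice"}           # the session the SSO login established
    token = issue_csrf_token(session)
    legit = is_request_allowed("POST", {"Origin": SITE_ORIGIN},
                               {"action": "change-email", "csrf_token": token}, session)
    # A page on another site can make the browser POST here with alice's cookies,
    # but it cannot read her token out of this site's pages.
    forged = is_request_allowed("POST", {"Referer": "https://malicious.example/lure.html"},
                                {"action": "change-email"}, session)
    no_token = is_request_allowed("POST", {"Origin": SITE_ORIGIN},
                                  {"action": "change-email"}, session)
    return legit, forged, no_token


if __name__ == "__main__":
    print(demo())
```

The token check is the one that carries the weight: Origin and Referer can be absent in some client configurations, so the example treats a missing header as a rejection only for state-changing requests and never relies on the header alone. A Trojan on the user's machine, the other case Juan Carlos mentions, sits inside the browser's trust boundary and is not something a server-side check can address.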
Re: OpenID and the web

Razi Shaban wrote:
> If you use a different account name and password at every single
> website, then if one account is compromised then all your other
> accounts are safe.

This is really not so, since most users sign up with the same email address. All an attacker needs to do is crack the email account and use the "forgot password" feature on most websites. Like it or not, most of us already have a single PoF in the security of our online identities.

Lucas Oman

--
Web Software Dev
Consultant
Nerd
912.655.9594
www.lucasoman.com
Re: OpenID and the web

That is an attack that is relatively easy to prevent. If a malicious user has the password, then no measure of protection can stop them.

--
Razi

On 3/27/08, Lucas Oman <me@...> wrote:
> Razi Shaban wrote:
> > If you use a different account name and password at every single
> > website, then if one account is compromised then all your other
> > accounts are safe.
>
> This is really not so, since most users sign up with the same email
> address. All an attacker needs to do is crack the email account and use
> the "forgot password" feature on most websites. Like it or not, most of
> us already have a single PoF in the security of our online identities.
>
> Lucas Oman
>
> --
> Web Software Dev
> Consultant
> Nerd
> 912.655.9594
> www.lucasoman.com
Re: OpenID and the web

I think that OpenID is concerned more with the problem of "federating" identity - which is a corollary to SSO - but not necessarily the same thing.

Microsoft tried web SSO with Passport. It was viewed as proprietary, and requiring full trust in Microsoft. The new Microsoft effort is around CardSpace, a WS-Security-oriented framework and client API, extensible to consume SAML, etc. This is a federation play, that can aggregate sign-on and authorizations. That the OpenID tent seems big enough to accommodate CardSpace is an indication that federation of ID is more than just SSO.

JC

--------------------------------------------------
From: "David Wall" <dwall@...>
Sent: Thursday, March 27, 2008 8:30 AM
To: "Babu.N" <babun@...>
Cc: "Eric Marden" <security@...>; <webappsec@...>
Subject: Re: OpenID and the web

>> Yes, it is difficult to configure it for supporting sites.
>>
>> But it does save us from registering at multiple websites & remembering
>> the passwords of each of them.
>
> Single sign-on only is truly useful if nearly all sites adopt it,
> unfortunately. After all, I have a Password Safe file that contains 225
> entries now (many are business-related, but many are for the various
> personal sites I'm registered at). If 25 sites adopt a common SSO, I'd
> still have 200 entries, meaning I'd still need/use Password Safe (or other
> password manager, which is really extremely useful and easy to use and
> allows me to effectively remember all passwords by only remembering one
> good pass phrase that never is shared with anybody).
> If they all adopted, then I wouldn't need it, which would be awesome, but
> seems unlikely to happen, and of course there are passwords I have to
> "remember" that are not for web sites.
>
> Also, isn't entering the pseudo-random numbers subject to MITM with replay
> attack? I've not researched it much, but in general you need to ID
> yourself and give the value, at which time the info used could be
> replayed.
>
> Also, those in control of the ID databases have to be trusted that their
> employees/contractors/outsourcers won't somehow steal or otherwise lose
> control of the data, something we see all the time with sensitive
> financial and medical records. If you break my password at one site today
> (such as a data loss or other phishing scam, etc.), you don't get access
> to all my accounts like you would through SSO.
>
> Don't get me wrong, I like SSO in general, but I think "universal SSO" is
> extremely unlikely. There are control issues, liability issues, risk
> management issues and just plain old competitor cooperation issues.
>
> David
Re: OpenID and the web

Pete Jansson, Thu, Mar 27, 2008 at 5:01 PM:
> Additionally, there would be nothing to prevent a user from having
> multiple OpenIDs. OpenID providers should have different levels of
> service with different authentication strengths -- from
> username/password to tokens, or whatever. Then the user can use their
> choice of OpenID with a particular account, making the choice based on
> the strength of authentication vs. the risk of the account. (I'm not
> sure if I really care whether someone gets my Slashdot comment
> account, but I would care about them having my Amazon One-Click
> account [if I weren't too paranoid to One-Click].)

I completely agree here. OpenID as a protocol can support varying levels of security, including security tokens & PKI. Currently most implementations are for services where, as said above, people don't really care. We accept that these services are not as secure as our bank. Personally I think OpenID is perfect for the use it provides. With a password system it isn't that secure; it's online and gives access to many accounts; however they are all accounts you don't care about. If it were an SSO for my banks I would expect to be using a certificate, but this wouldn't exclude OpenID.

Well, that's my two pence...

As we're on the subject, I was curious what people thought about Shibboleth. About 15 countries have adopted it for either education or health* as an SSO to many online journals. What do people feel are the security pros/cons here?

*https://spaces.internet2.edu/display/SHIB/ShibbolethFederations