Web Services Contraptions - Some security advice for our OpenID users

Thursday, August 07, 2008

Some security advice for our OpenID users

With the recent news about the DNS cache vulnerability, users are more exposed than ever to potential security attacks, including phishing or pharming attacks, that apply to OpenID as well as other network systems. For example, the ability to redirect DNS requests through cache poisoning opens the door to a significant OpenID security risk: if the OpenID provider is not employing TLS with server-side authentication — preferably mutual authentication — any affected DNS server could redirect the client to a pharming site that looks like the user's real OP, but is not. If OpenID required transport and authentication over HTTPS, this would be less of a problem.

In order to limit the risk, we are advising the users of our OpenID@Work provider to make sure that they follow these guidelines, which might be useful for others, as well:

Make sure that you systems are fully patched.
Verify that the DNS server you use (usually provided by your ISP) is patched and not subject to DNS cache poisoning. You can verify this at Dan Kaminsky's web site. If you find that your ISP has not down their job, complain. Loudly.
Use certificate revocation lists. These list contain the serial numbers of revoked certificates and they can be easily consumed by most modern browsers. For the SunPKI list, just point your browser to http://www.sun.com/pki/pkismica.crl and make sure that your browser refreshes it regularly. Other companies have their own CRLs (e.g. Verisigns are here).
Be extra careful when accessing your authentication web site: openid.sun.com can easily be mistaken for open1d.sun.com or openid.sun.com.uk.

In addition, we recommend that Sun employees use the corporate VPN for all sensitive corporate business, and — obviously — not use the experimental OpenID@Work authentication service, or any OpenID authentication service, for anything of value.

UPDATE: The Sun PKI CRLs is also here, which is the official distribution point for Sun/Verisigns issued certificates. In addition, these certificate support OCSP verification at http://ocsp.verisign.com.

Ben Laurie and Robin Wilton also published information relating to the weaknesses of OpenID.

tags: openid dns cache poisoning security

Security

Thursday, August 07, 2008 10:18:04 AM (Eastern Standard Time, UTC-05:00)

Comments [0] |

Comments are closed.

Messages

Calendar

January 2009

Sun

Mon

Tue

Wed

Thu

Fri

Sat

Email Subscription

Blogroll

Constantin Gonzalez' Weblog

Adventures of an Eternal Optimist

Anyway

Conor's Web Log of Esoterica

del.icio.us/beuchelt

Don Box's Spoutlet

Enterprise Architecture: Thought Leadership

Harold Carr's Blog

Identity for All - On bits and bytes

James Gosling: on the Java Road

Jamie Lewis - CEO and Research Chair

Johannes Ernst's Blog

Kim Cameron's Identity Weblog

Kirill's notes

Links

Marc Hadley's Blog

meta-douglasp

Mike Jones: self-issued

Nicholas Allen's Indigo Blog

ongoing

Phil Windley's Technometria

Pushing String

Robin Wilton's esoterica

TechEd Iron Architect Contest

The Aquarium

Web Services Contraptions

xmldap

Links

Technorati Profile

On this page

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

In addition, my opinions can change. This weblog provides a momentary snapshot of such opinions. Existing posts that were written in the past do not necessarily reflect my current thoughts and opinions.

For the purposes of attribution, the author is "Gerald Beuchelt" and attribution shall provide a (clickable, where possible) URL to this site.

E-mail