OpenID: gone phishing

[Ed. The OpenID protocol is rapidly gaining momentum in the social networking arena. Exemplifying the momentum OpenID is gaining, Symantec recently announced that it would support OpenID in its Security 2.0 identity offering. As it is gaining visibility, the OpenID protocol is being scrutinized more closely by those looking for it to handle identity usage in higher value applications. In this process, a discussion has arisen about OpenID's susceptibility to phishing attacks, and what the protocol might do about this fact.

This conversation has spurred a wider community to seriously consider the problem, both in OpenID and the more general case of any browser based identity protocol. Scott Kveton, CEO, JanRain, Inc. has written the following summary of this conversation to date. – Phil Becker]

David Recordon announced the latest draft of OpenID 2.0 to the OpenID general mailing list last week. The discussion that followed centered on the lack of support in the latest specification for dealing with phishing. The argument is that since your OpenID gets you into all of the sites you visit regularly, it becomes a much bigger target for phishers. As the argument goes, users will actually be worse off than they are today: instead of losing only the one account at the one site that was hacked, they will have all of their accounts compromised at once.

Several people, including Microsoft's digital identity architect Kim Cameron, blogged on this, raising considerable concern within the OpenID community and among those looking to adopt the technology.

The most worrisome scenario is when a user is redirected to their OpenID provider to enter their password. The user has to trust that the OpenID-enabled site they are trying to log in to will redirect them to their real identity provider and not to a bogus phishing site. Really, any time a user has to enter a password into the browser we have cause for concern. However, once the user has logged in, they don't have to enter their password into the browser again until their session times out. This is actually an interesting opportunity; more on that in a bit.
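As an added illustration (not code from the article, from JanRain or from any OpenID provider), here is the kind of user-agent-side check a browser extension could make at the redirect step described above: the user agent pins the OpenID provider endpoint it discovered for the user's own identifier and flags a login redirect that points anywhere else, since it is the relying party, not the user, that chooses where the browser is sent. The hostnames, the pinned table and the helper that builds sample requests are constructed assumptions; the `openid.*` parameter names are those of the OpenID 2.0 draft.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Hypothetical pinned table: claimed identifier -> OP endpoint the user agent
# discovered itself from the identifier (not taken from the relying party).
PINNED_OP_ENDPOINTS = {
    "https://alice.example.net/": "https://openid.example.net/server",
}

def build_checkid_setup(op_endpoint, claimed_id, return_to):
    """Build the OpenID 2.0 checkid_setup redirect URL a relying party sends
    the browser to. Used here only to construct sample requests."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": return_to,
    }
    return op_endpoint + "?" + urlencode(params)

def origin(url):
    """(scheme, host, port) of a URL, normalised so endpoints compare equal."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)

def check_openid_redirect(redirect_url):
    """Return (ok, reason). ok is False when the browser is about to be sent
    to a login page that is not the pinned OP for the claimed identifier."""
    u = urlsplit(redirect_url)
    q = parse_qs(u.query)
    mode = q.get("openid.mode", [""])[0]
    if mode not in ("checkid_setup", "checkid_immediate"):
        return True, "not an OpenID authentication request"
    if u.scheme.lower() != "https":
        return False, "OP endpoint is not https; do not enter a password"
    claimed = q.get("openid.claimed_id", q.get("openid.identity", [""]))[0]
    pinned = PINNED_OP_ENDPOINTS.get(claimed)
    if pinned is None:
        return False, "no pinned OP endpoint for %s; do not enter a password" % claimed
    if origin(redirect_url) != origin(pinned):
        return False, "redirect goes to %s but the OP for %s is %s" % (
            u.hostname, claimed, urlsplit(pinned).hostname)
    return True, "redirect target is the pinned OP endpoint"
```

The check only covers the redirect to the wrong origin; it says nothing about a compromised provider or a man-in-the-middle on the legitimate one, which is why the article treats it as one layer among several.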

As the discussions continued, several ideas emerged on ways to tackle the OpenID phishing problem:

Taken by themselves, these techniques don't give users enough protection against the risks they face. However, if you put a combination of them together, you have a much more compelling means with which to fight phishing.

Phishing has always been a difficult problem to solve, but solutions exist on sites like eBay, PayPal and Amazon. The burden, however, has always been placed on users to set up these personalized solutions. Unfortunately, it's not practical to expect users to set up all of these anti-phishing tools for every single site they go to.

Enter OpenID. With OpenID, users build a strong relationship with their OpenID provider. They visit it every day when they turn on their computer or open a new browser window. Users will be able to set up several different anti-phishing measures on their OpenID provider and reap the benefits on every single site they go to. This is the interesting opportunity I alluded to before. By employing the anti-phishing tactics described above, and as OpenID begins to gain widespread adoption, we will see those very tools become a driver of OpenID.

The tough thing about these options is that they are difficult if not impossible to mandate in the OpenID specification without taking away from the core strength and main driver of adoption of OpenID today -- simplicity. However, several of these features already exist on OpenID providers. Discussions are happening with Mozilla to integrate support for OpenID into Firefox 3.0. There are several extensions out that allow you to set visual cues for specific sites like your OpenID provider. And we already know that CardSpace and OpenID are working together. Not only that, the OpenID and CardSpace communities are having discussions on how to leverage each other's strengths to benefit users everywhere.

In spite of all the concerns, OpenID continues to gain adoption at a rapid pace. We are seeing 10 - 15 new OpenID-enabled sites coming online each day. They are adopting the technology because of its simplicity, because it is decentralized, because it does just one thing really well. The technology will continue to evolve and will mature to answer the security implications we can think of today as well as the ones that will come up in the future. Most importantly, the response from the OpenID community has been astonishing and proof positive that this vibrant group of people is ready to deliver the next generation of digital identity.

Talkback

1 comment
  • Simple Anti-Phish

    Here is 99% of a solution* to the problem:
    Passfaces is an easy-to-deploy user authentication method that leverages the universal human ability to recognize faces and can be used as an "unforgettable" password or as an instantly scalable second-factor authenticator. However, an often overlooked, inherent feature of Passfaces is that it also provides "user-proof" site authentication. That is: the site authentication does not rely on the user paying attention. If the site does not present the user with the correct "challenge grids" of faces, then the user cannot give away their "secret" passfaces.
    * Passfaces on their own do not protect against MITM attacks; however, their interactive graphical nature makes it difficult for the attacker to filter out warning messages sent to the user if, for example, a dubious IP address is detected by anti-fraud software at the legitimate site.
    You can try Passfaces for yourself at www.passfaces.com/demo.
    realuserpaul