Sunday 17 February 2008

Highlighting the wrong problem.

Dizzy has had a go at OpenID pointing out the potential for man-in-the-middle attacks and phishing. This is akin to blaming tube and bus drivers for the 7/7 attacks or suggesting the roads are at fault for car accidents. The whole point of OpenID is it distributes other sites authentication, it doesn't shouldn't and can't enforce the level of security surrounding that process. Given that the model it uses is pretty much the same as that used by Paypal, Google and Worldpay for third party payment processing and Microsoft, Yahoo and many others for authentication it is a bit much to say it is the process. If you are going to have a go at something for this, I would suggest going after Mastercard secure code and verified by Visa for trying there bast to look like phishing sites.

So what is the real issue, it is the same problem that we all have everyday on the internet whether we are using OpenID or not. It is about the tremendous efforts people put into to trying to steal things from us. It is (hopefully) the death knell for simple username and password based logins over the internet and the era of two factor authentication, challenge-response, certificate validation moving away from being hidden away as a little padlock or a colour change in the address bar. Well we can but hope.

2 comments:

dizzy said...

"This is akin to blaming tube and bus drivers for the 7/7 attacks or suggesting the roads are at fault for car accidents."

What an absolutely absurd straw man.

"The whole point of OpenID is it distributes other sites authentication, it doesn't shouldn't and can't enforce the level of security surrounding that process."

Errr excuse me? The process of the distribution is inherently weak by design. Having a weak system of authentication susceptible to simplistic man-in-the-middle attacks is absolutely dumb. I'm only repeating what has been well documented critiques across the Net about OpenID. The protocol itself is about authentication and authorisation and yet it does it badly by allowing website owners to handle the relationship with providers. THe point therefore is because OpenID is single sign on, then once you steal a login you have access to everything else that person may already be using.

OpenID does not use "pretty much the same model" as Worldpay or Paypal either, those APIs are a a world away from OpenID.

Tony said...

It isn't a straw man, it is the a statement of the point of OpenID paraphrased from it's creator.
You keep going on about man-in-the-middle attacks, if a big forum owner wants to discredit someone by putting them up as a sock-puppet, why bother with man-in-the-middle why not just pass off.
I am not talking about the API models of Paypal or Worldpay, but the 'visible' versions which simply pass requests over http. Both have better ways of doing, but are still offering the old ways as some sites want to use them.