SlideShare a Scribd company logo

Risks With OpenID

Rohit Srivastwa, profile picture
Rohit Srivastwa

OpenID is a decentralized standard that allows users to log into multiple websites using a single digital identity. While OpenID provides convenience, it also introduces security risks such as phishing attacks, man-in-the-middle attacks, replay attacks, cross-site request forgery (CSRF) attacks, and cross-site scripting (XSS) attacks if not implemented securely over HTTPS. Users should be aware of these risks and use caution when using OpenID, especially for sensitive sites like banks.

TechnologyDesign
1 of 14
Downloaded 88 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Risks with OpenID Remember, with great comfort . comes great security risk . – Spiderman style ;)
What is OpenID (wikipedia) OpenID is a shared identity service, which allows Internet users to log on to many different web sites using a single digital identity. Eliminating the need for a different user name and password for each site. OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.
Easy for user Complex to implement Not so difficult to do phishing You loose one ID and you loose complete web.
Remember single username and password for many sites Need not create a new account on a new site, use the same everywhere (mostly) Allow timed access Allow site X to use this authentication from date ‘a’ till date ‘b’ Benefits
Popular OpenID providers Flickr : http://www.flickr.com/photos/ username Verisign : http:// username .pip.verisignlabs.com/ Technorati : http://technorati.com/people/technorati/ username Blogger : http:// blogname .blogspot.com Wordpress : http:// username .wordpress.com & now Google : https://www.google.com/accounts/o8/id?id= username its actually not an OpenID  read here
Risks with OpenID Phishing Attacks Probably the biggest concern with OpenID. Users may be tricked into providing their credentials to phished OpenID provider website. This site might look like your original OpenID provider and you might loose your password for all the services affiliated to OpenID
Risks with OpenID… (contd) Man-in-the-middle Attacks If the connection is negotiated over weak encryption then it is subjected to interception attacks. Ensure that you are using HTTPS and you know how to use HTTPS safely 
Risks with OpenID… (contd) Replay Attacks The URL from the relaying party can be sniffed, unless over HTTPS, and as such being replayed. Solution again is HTTPS
Risks with OpenID… (contd) CSRF (Cross-site request forgery) Attacks Once the victim is logged in malicious user might be able to execute CSRF attacks against other sites. Oops… ;( <iframe id=&quot;login&quot; src=&quot; http://bank.com/login?openid_url = user.openid.net &quot; width=&quot;0&quot; height=&quot;0&quot;></iframe>
Risks with OpenID… (contd) XSS Attacks Once the user is logged in attackers might be able to execute a series of XSS (Cross-site scripting) attacks against the identity provider, in which case they will be able to hijack the entire on-line use presence. If attacker can do it through OpenID then why not?
Not against OpenID No I’m not at all against OpenID. It’s a great idea and will make online life lot more easier. User must be aware of safe usage. Implementers should take care of most of the security risk.
Recommendation NEVER EVER use OpenID or Single-Sign-On for banks or credit cards Always use HTTPS and know how to use it safely Better be paranoid than sorry  like the condom ad “better safe than worry”
Further reading OpenID security issues http://www.thespanner.co.uk/2007/06/29/openid-security-issues/ OpenID: Phishing Heaven http://www.links.org/?p=187 OpenID: Phishing Heaven II http://www.links.org/?p=188 Problems with OpenID http://idcorner.org/2007/08/22/the-problems-with-openid/ Phishing risk http://stii.za.net/semanticweb/openid-phishing-risks-be-careful/ Solving phishing problem http://simonwillison.net/2007/Jan/19/phishing/
Confused??? Drop me a mail rohit@ club hack .com I MIGHT be able to help you 

More Related Content

PPTX
Cm7 secure code_training_1day_xss
dcervigni
 
PDF
XSS-Alert-Pentration testing tool
Arjun Jain
 
PDF
The Cross Site Scripting Guide
Daisuke_Dan
 
PPTX
Cross site scripting
ashutosh rai
 
PDF
Cross site scripting
n|u - The Open Security Community
 
PPTX
Cross Site Scripting
Ali Mattash
 
PPTX
Xss (cross site scripting)
vinayh.vaghamshi _
 
PPTX
Cross site scripting (xss)
Ritesh Gupta
 
Cm7 secure code_training_1day_xss
dcervigni
 
XSS-Alert-Pentration testing tool
Arjun Jain
 
The Cross Site Scripting Guide
Daisuke_Dan
 
Cross site scripting
ashutosh rai
 
Cross site scripting
n|u - The Open Security Community
 
Cross Site Scripting
Ali Mattash
 
Xss (cross site scripting)
vinayh.vaghamshi _
 
Cross site scripting (xss)
Ritesh Gupta
 

What's hot (20)

PPTX
Cross-Site Scripting (XSS)
Daniel Tumser
 
PPT
4.Xss
phanleson
 
PPTX
Cross site scripting
kinish kumar
 
PPTX
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
PDF
Attacking Web Proxies
InMobi Technology
 
PPTX
Cross Site Scripting(XSS)
Nabin Dutta
 
PPTX
XSS- an application security vulnerability
Soumyasanto Sen
 
PDF
XSS Injection Vulnerabilities
Mindfire Solutions
 
PPTX
Cross site scripting
Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
PPT
Cross site scripting (xss)
Manish Kumar
 
PDF
Cross site scripting attacks and defenses
Mohammed A. Imran
 
PPT
Xssandcsrf
Prabhanshu Saraswat
 
ODP
XSS
Hrishikesh Mishra
 
PDF
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Sandeep Kumbhar
 
PPT
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Porfirio Tramontana
 
PPT
Front end-security
Miao Siyu
 
PPTX
Identifying XSS Vulnerabilities
n|u - The Open Security Community
 
PPTX
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
PPT
Xss talk, attack and defense
Prakashchand Suthar
 
PPTX
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
Cross-Site Scripting (XSS)
Daniel Tumser
 
4.Xss
phanleson
 
Cross site scripting
kinish kumar
 
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
Attacking Web Proxies
InMobi Technology
 
Cross Site Scripting(XSS)
Nabin Dutta
 
XSS- an application security vulnerability
Soumyasanto Sen
 
XSS Injection Vulnerabilities
Mindfire Solutions
 
Cross site scripting
Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
Cross site scripting (xss)
Manish Kumar
 
Cross site scripting attacks and defenses
Mohammed A. Imran
 
Xssandcsrf
Prabhanshu Saraswat
 
XSS
Hrishikesh Mishra
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Sandeep Kumbhar
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Porfirio Tramontana
 
Front end-security
Miao Siyu
 
Identifying XSS Vulnerabilities
n|u - The Open Security Community
 
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
Xss talk, attack and defense
Prakashchand Suthar
 
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
Ad

Similar to Risks With OpenID (20)

PPT
Open ID
diwanshu.joshi
 
PPT
Securing your digital identity with drupal
mysty
 
PPTX
Hacking and Cyber Security.
Kalpesh Doru
 
PDF
The Implications of OpenID
Simon Willison
 
PPT
Implementing OpenID for Your Social Networking Site
David Keener
 
PDF
Building the Social Web with OpenID
Simon Willison
 
PPTX
You think you are safe online. Are You?
TechGenie
 
PPTX
Cyber Security Awareness Program.pptx
Dinesh582831
 
PDF
Owasp top 10 2013
Edouard de Lansalut
 
PDF
OpenID Tutorials
Nao Haida
 
PDF
How to 2FA-enable Open Source Applications
All Things Open
 
PDF
Implications Of OpenID (Google Tech Talk)
Simon Willison
 
PDF
Openid+Opensocial
Sebastiano Merlino (eTr)
 
PDF
OpenID and decentralised social networks
Simon Willison
 
PPT
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
PPT
Anonymous internet
Vong Borey
 
PPT
Anonymous internet
Vong Borey
 
PPTX
Defcamp 2013 - Does it pay to be a blackhat hacker
DefCamp
 
PPTX
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Vasile
 
PPTX
Cyber attacks Dark Web Session - I4Cv1.pptx
04BNNDRFARAKKONAM
 
Open ID
diwanshu.joshi
 
Securing your digital identity with drupal
mysty
 
Hacking and Cyber Security.
Kalpesh Doru
 
The Implications of OpenID
Simon Willison
 
Implementing OpenID for Your Social Networking Site
David Keener
 
Building the Social Web with OpenID
Simon Willison
 
You think you are safe online. Are You?
TechGenie
 
Cyber Security Awareness Program.pptx
Dinesh582831
 
Owasp top 10 2013
Edouard de Lansalut
 
OpenID Tutorials
Nao Haida
 
How to 2FA-enable Open Source Applications
All Things Open
 
Implications Of OpenID (Google Tech Talk)
Simon Willison
 
Openid+Opensocial
Sebastiano Merlino (eTr)
 
OpenID and decentralised social networks
Simon Willison
 
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Anonymous internet
Vong Borey
 
Anonymous internet
Vong Borey
 
Defcamp 2013 - Does it pay to be a blackhat hacker
DefCamp
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Vasile
 
Cyber attacks Dark Web Session - I4Cv1.pptx
04BNNDRFARAKKONAM
 
Ad

Recently uploaded (20)

PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
Teaching material agriculture food technology
LiaRayya
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
KodekX | Application Modernization Development
KodekX
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Spectroscopy.pptx food analysis technology
nawahassan45
 

Risks With OpenID

  • 1. Risks with OpenID Remember, with great comfort . comes great security risk . – Spiderman style ;)
  • 2. What is OpenID (wikipedia) OpenID is a shared identity service, which allows Internet users to log on to many different web sites using a single digital identity. Eliminating the need for a different user name and password for each site. OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.
  • 3. Easy for user Complex to implement Not so difficult to do phishing You loose one ID and you loose complete web.
  • 4. Remember single username and password for many sites Need not create a new account on a new site, use the same everywhere (mostly) Allow timed access Allow site X to use this authentication from date ‘a’ till date ‘b’ Benefits
  • 5. Popular OpenID providers Flickr : http://www.flickr.com/photos/ username Verisign : http:// username .pip.verisignlabs.com/ Technorati : http://technorati.com/people/technorati/ username Blogger : http:// blogname .blogspot.com Wordpress : http:// username .wordpress.com & now Google : https://www.google.com/accounts/o8/id?id= username its actually not an OpenID  read here
  • 6. Risks with OpenID Phishing Attacks Probably the biggest concern with OpenID. Users may be tricked into providing their credentials to phished OpenID provider website. This site might look like your original OpenID provider and you might loose your password for all the services affiliated to OpenID
  • 7. Risks with OpenID… (contd) Man-in-the-middle Attacks If the connection is negotiated over weak encryption then it is subjected to interception attacks. Ensure that you are using HTTPS and you know how to use HTTPS safely 
  • 8. Risks with OpenID… (contd) Replay Attacks The URL from the relaying party can be sniffed, unless over HTTPS, and as such being replayed. Solution again is HTTPS
  • 9. Risks with OpenID… (contd) CSRF (Cross-site request forgery) Attacks Once the victim is logged in malicious user might be able to execute CSRF attacks against other sites. Oops… ;( <iframe id=&quot;login&quot; src=&quot; http://bank.com/login?openid_url = user.openid.net &quot; width=&quot;0&quot; height=&quot;0&quot;></iframe>
  • 10. Risks with OpenID… (contd) XSS Attacks Once the user is logged in attackers might be able to execute a series of XSS (Cross-site scripting) attacks against the identity provider, in which case they will be able to hijack the entire on-line use presence. If attacker can do it through OpenID then why not?
  • 11. Not against OpenID No I’m not at all against OpenID. It’s a great idea and will make online life lot more easier. User must be aware of safe usage. Implementers should take care of most of the security risk.
  • 12. Recommendation NEVER EVER use OpenID or Single-Sign-On for banks or credit cards Always use HTTPS and know how to use it safely Better be paranoid than sorry  like the condom ad “better safe than worry”
  • 13. Further reading OpenID security issues http://www.thespanner.co.uk/2007/06/29/openid-security-issues/ OpenID: Phishing Heaven http://www.links.org/?p=187 OpenID: Phishing Heaven II http://www.links.org/?p=188 Problems with OpenID http://idcorner.org/2007/08/22/the-problems-with-openid/ Phishing risk http://stii.za.net/semanticweb/openid-phishing-risks-be-careful/ Solving phishing problem http://simonwillison.net/2007/Jan/19/phishing/
  • 14. Confused??? Drop me a mail rohit@ club hack .com I MIGHT be able to help you 