Shostack + Friends Blog Archive


Welcome iouhgijudgviujs, please log in!


Ben Laurie has shown time and again that OpenID is Phishing Heaven. It’s also a huge boon for anyone who wants to start tracking on the web. I firmly agree that if you want to steal from people or invade their privacy, OpenID is for you.

I also know that there are people I respect who disagree with this harsh opinion. I believe that who is ultimately right on this depends on whether an effective OpenID exploit gets created, either in vitro or in vivo, and how well the OpenID people can fix it. My money is on the exploiters, but that’s what makes horse races fun, as Twain put it.

At Black Hat last week, Eugene and Vlad Tsyrklevich gave a talk on OpenID security, and I just nodded as they outlined mechanism after mechanism to show how OpenID can be hijacked, MiTMed, spoofed and so on. They had short examples to show the HTML for how to do all the things that Laurie has described in words.

But then they summed up by saying that they like OpenID, they think it’s kinda cool, and despite its flaws, it gives people a single sign-on system that is good for — I don’t know, giving criminals a way to ruin your reputation on LiveJournal, eBay, and your employer all at the same time. I can’t adequately relate it, because I just blinked a lot.

There’s an old joke that exists only as a punch line: “But other than that, Mrs Lincoln, how was the play?” It’s as if they summed up their presentation with, “Well, Booth’s bit of performance art was over-dramatic with all that shouting Latin, but the characterization of the American Cousin was quite touching, and I thought the acting up to Ford’s usual high standards.”

I went up to talk to the speakers, hoping I could be more eloquent than “WTF?!” As I waited, I heard someone say that he just didn’t get it at all, because he’s been using the username/password saving and forms-filling in Firefox. He said that he likes it because now he picks web site names and passwords by just running his hand over the keyboard randomly. He added something like, “I know all of the problems with what I’m doing, but at least they are all on my machine.” Inevitably, several people pointed out that the Mac has had that for years.

There then seemed to be a murmured assent that handling the problem locally may be a better solution.

I’m fascinated by the possibility that identity management might be headed the way of “push.” I also wonder whether, although making fun of Microsoft for cloning things is a sport rivaled only by grousing about Apple’s disdain for battery compartments, this might be a case where cloning is called for. Out with InfoCardSpace, in with KeyChain.

Photo “Trunk ‘n Branches” by slightly-less-random.

One comment on "Welcome iouhgijudgviujs, please log in!"

  • Andy ITGuy says:

    I have to agree with you. I have yet to really understand why but I have a gut feeling about OpenID and it’s not a good one. It just seems too easy to hack. I do like the concept but am not convinced that it is ready for prime time.
