Shostack + Friends Blog Archive


Saying it loud — OpenID leads to phishing


Kim Cameron not only admits []link to no longer works] what Ben Laurie has said here [link to no longer works], here [link to no longer works], and here [link to no longer works], but he says it succinctly:

OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies – the more it succeeds, the more dramatically phishable it will become.

There you have it.

It has long been a joke about crusty states such as Idaho, Oregon, New Hampshire, or New Jersey that they have signs at the border that read, “Welcome to <insert-name-here>, now go home.

As a Mac user, someone often asks me if they should switch to a Mac because it’s more secure, my response to them is that the only reason a Mac is more secure than a PC is because it’s only people like me who use them. As soon as hordes of people start using them, then they will no longer be as secure. I like not knowing the details of anti-virus programs. I like not bothering even to run the built-in firewall. So, no, I don’t think you should switch to a Mac because it’s more secure. I think you should just update your virus files every week. Besides, Macs are much more expensive than you can afford. Really. Have you heard about Ubuntu? It’s Open Source! (Cue sounds of angels singing.) People tell me it’s really nice. And I hate Leopard.

Despite all of these being true statements, this technique does not work as well as I would like. I think I need to take a presentation skills class.

OpenID is similar in that it’s a safe neighborhood because people like me don’t go there. Once enough people like me start going there, it’s not going to be secure. I am reminded of comments by each of Groucho Marx and Yogi Berra.

I am happy to help keep OpenID secure by not using it. I’ve already written about what I think is better.

What I find amusing about Cameron’s epiphany is his solution for the problem. He thinks that OpenID should become part of InfoCardSpace, and thus shipped with Windows.

There’s a joke that begs to be made here, oh, how it begs. It is rim-shot worthy, so I’ll not make it. I’ll merely point out that if you want to get CardSpace, you have to get Vista. Ba-dum-dump.

I am again using the photo “Trunk ‘n Branches” by slightly-less-random because it is the only image in Flickr that comes back from the search of “cardspace phishing” and one of two for “openid phishing“.

11 comments on "Saying it loud — OpenID leads to phishing"

  • Brad says:

    Just to be fair, CardSpace is available on XP for free, and projects like Higgins offer free and open source, CardSpace-interoperable identity selectors as well.

  • In fact, CardSpace runs on Vista, XP, and Windows Server W2K3.
    DigitalMe has packaged binaries for Mac, SuSE, and Fedora, and I imagine more ports are coming. There are also browser-based selectors that will run anywhere Firefox runs, and a java-based selector that will run anywhere Java runs.
    The reason Kim proposes to bundle OpenID with CardSpace is that the combination of the technologies serves to mitigate OpenID’s risks – not the other way around. His technical description of this process is here:
    Hope that helps.

  • mordaxus says:

    Thanks for the comments, but I don’t think you get it.
    Kim admits that OpenID is good only until it gets widely deployed. I made a cheap joke that by being in Vista it limits deployment and thus increases security. Ha ha. It was a cheap joke.
    The real issue is that the faster OpenID is deployed the more worthless it is. if you care about your personal safety, growing deployment is a reason to stop using it or never start.

  • Iang says:

    I recommend that people should switch to Macs for security. That’s because right now they are more secure, and even if that situation changes in the future, say a year or two from now, people still benefit from that one or two year’s worth of security.
    They can always switch back. Indeed, they can do that as soon as they know they get less security on Macs.
    Not recommending Macs for security is like saying that the children have to stay inside on a sunny day, because it will rain sometime.

  • You’re right – it was a cheap joke 🙂

  • Chris says:

    You hate Leopard? I’ll cede you the battle of technical knowledge, but from a user perspective it’s worth it for Time Machine alone, IMO.

  • mordaxus says:

    Time Machine is the reason I am soldiering on with Leopard and have not gone back to Tiger. Gritting one’s teeth and holding one’s nose is not the same thing as liking.
    I could write a whole blog post on what’s screwed up with Leopard.

  • Kim Cameron says:

    Sorry, but if you watch the video you see that using Information Cards at the OpenID provider eliminates the phishing problem.
    So though you explained your joke, I don’t get your point.

  • Kim Cameron says:

    Sorry if my last comment looks too crusty. I’m just interested in your thinking here. By the way, great blog.

  • Mordaxus says:

    Hi, Kim.
    Here’s the point. I believe that local management is the solution. Information Cards are an implementation of local management. The Mac Keychain is also a local management system.
    I also believe that single-sign-on systems of any sort, be it OpenID or anything else (OpenID is just this years’ model), is inherently broken. No matter how well implemented they are, it creates the proverbial hard exterior and soft exterior.
    The more I use my SSO system (by which I mean the more subsystems that my SSO credentials work with), then the more of a risk it is to me. I must protect that SSO more because an attacker can do more damage.
    Furthermore, the more something like OpenID is used, the easier it is to trick me into doing something bad.
    Phishing, as Crispin Cowan has put it, is a security failure on the device that sits between the keyboard and chair. It is a con job. If I get conned with a managed, but distributed authentication system, I have less damage to my life than if I have SSO.
    SSO is a perimeter-defense system, and believes that the perimeter is better the larger it is. This belief is dangerous madness in my opinion.
    The better solution is the one you propose — Information Cards, or something like them. It reduces the surface area of attack.
    I don’t believe that you can fix the problems of SSO with ICs. But even if you can, ICs alone are a better solution. Kim, you had it right the first time.

  • PHB says:

    I am typing this on a MacBook Air which I bought precisely because I was so wazed off about the chorus of ‘get a mac’ in response to every security usability issue.
    And no, the Mac does not solve the problems I am looking at. It does configure much more nicely. Bonjour works, UPnP doth not. Microsoft needs a team to tell senior management when its political machinations have failed. UPnP and Jini are the HDDVD of the auto-config world at this point. Thats not a serious problem however as Bonjour is also broke when it comes to scaling and Apple has a major incentive to work with Microsoft on this particular problem.
    I prefer Vista, but the Air is not really an ideal platform to dual boot with 80Gb of memory and my Vista box with a 30″ display is a wee bit difficult to use sitting on the couch.
    Time Machine is not as good as Vista plus my Home Server. And Time Machine on a MacBook Air is essentially unusable unless you have a Mac Server or Time capsule about. I guess I could attach a drive to my AirPort extreme perhaps?

Comments are closed.