0:00 I'm a strong supporter of OpenID as a way to SHARE identities across social networking sites, wikis and blogs. It makes it easy for people to understand they have public personas which build up a reputation. Given that I also support Information Cards and CardSpace, what is THEIR relationship to OpenID? Is one a substitute for the other? I've put together a visual demonstration to help explain the issues.
0:30 Join me then as I surf the web. Always wanting to amuse you, I've chosen to demo a site that's so bizarre I had no idea if it was legitimate or not. After all, a lot of the web is like that, isn't it? At this site, you can do virtual "puts" and "gets" on politicians' futures, sort of like a commodity exchange. Stranger than fiction, it appears to be run by CNN. And, you can log in with OpenID. Well, how can I resist?
1:11 So I give CNN my OpenID, which is a URL. CNN uses that to REDIRECT me to myopenid.com – the place that handles my identity for all the other sites I visit. As a user it's not 100% obvious what's happening here, but finding myself at myOpenID.com I enter my password.
1:26 And that's it. I can place puts and gets to my heart's content, feeling good because it's not costing me anything. Which is a good thing, because I don't understand this game at all. Best of all, I can now go to other OpenID enabled sites and access them without any password as long as I keep my browser open. Let's look at how this works.
1:46 My browser goes to CNN, and when I enter my OpenID, that contains enough information for CNN to send me to the right password verification page. When I get there, I enter my password, and if it is correct, my provider sends a claim back to CNN saying I am who I said I was, and I carry on with my business. When I go to a different site, the same dance happens, but since I still have a cookie from my provider, it doesn't make me enter my password – just sends the positive claim back to the site. Pretty convenient. That's what's good about OpenID.
2:22 But what if the site we just visited had actually been an evil one? Well, I've built an evil site so I can show you. This site starts by crafting an experience that makes someone like us want to log in. The CNN site would have been perfect for me – strange enough that it tweaked my curiosity. But for someone else a golfing site or something similar might have been better.
2:42 Unaware of the danger, I log in using my OpenID as always. Once the site knows my provider, it can display an exact replica of my normal password page. That's what's happening here, and I don't notice any anomalies.
2:57 And presto – the site has stolen my credentials. It can now log in to my identity provider and access – are you ready? – all the sites I use it with. My provider even conveniently maintains a list that can be used to automate this havoc.
3:12 Of course in real life, you won't be told your credentials are stolen – you'll just be taken back to a conventional experience so your suspicions aren't aroused.
3:22 The key here is that once you are under the control of ANY evil site claiming to use OpenID, you can be sent to an evil password harvesting page. That provides your attackers access to all the sites where you use the identity.
3:40 This brings us to the central point: OpenID leads to CardSpace. Information Cards completely prevent this attack, as well as many others. Let's look at how that works. I'll start by showing the combined experience.
3:52 We decide to use OpenID as per normal. But when CNN redirects us to our OpenID provider, we will use an Information Card to prove who we are instead of entering a password. In other words, there is no password that can be stolen.
4:10 Once we have selected our Information Card, CardSpace does a cryptographic proof – in other words, something that can't be faked – and the rest of the session proceeds as always.
4:21 So let's recap what happens at an EVIL site. Once under the site's control, we can be sent to a credential harvesting page, just as before. But there is nothing to harvest except a cryptographic proof. And that proof cannot be reused for evil purposes. The attacker is 100% unsuccessful. Most important, the rest of the sites where you use that OpenID are not affected.
4:53 Let's generalize a bit. The total value of the assets protected by your OpenID grows in proportion to the number of sites where you use it. But the more you use OpenID, the higher your chances of encountering an evil site that will go after your credentials. The password that might have seemed adequate for a single site is just too vulnerable for a whole network of sites. We've moved diagonally up the channel shown in this graph. We need stronger protection, and Information Cards are designed to make that realistic. That's why OpenID stands to gain so much from Information Cards. So much, in fact, that I think OpenID leads to Information Cards. [Thanks to Francis Shannahan for the slide of the identity network.]