{"id":650,"date":"2007-01-09T11:17:36","date_gmt":"2007-01-09T19:17:36","guid":{"rendered":"\/?p=650"},"modified":"2007-01-09T11:40:39","modified_gmt":"2007-01-09T19:40:39","slug":"separating-apples-from-oranges","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=650","title":{"rendered":"Separating apples from oranges"},"content":{"rendered":"<p>Dick Hardt of Sxip <a href=\"http:\/\/identity20.com\/?p=87\">posted a reply<\/a> to my <a href=\"\/?p=649\">recent comments<\/a> on the fears I have about attacks on OpenID:<\/p>\n<blockquote><p>My good friend Kim Cameron <a href=\"\/?p=649\">posted<\/a> the following misinformation on <a href=\"http:\/\/openid.net\/\">OpenID<\/a>:<\/p>\n<div style=\"margin-left: 30px\"><p>InfoCards change the current model in which the user can be controlled by an evil site. OpenID doesn\u2019t.&nbsp;<\/p>\n<p>If a user ends up at an evil site today, it can pose as a good site known to the user by scooping the good site\u2019s skin so the user is fooled into entering her username and password.<\/p><\/div>\n<p>An evil site proxying a web based OpenID Provider is a known security threat in OpenID. There are a number of ways of thwarting this attack, and given that the user has a close relationship with their OP, not difficult to deploy. Similar to the advantages that CardSpace has with a client side implementation, <a href=\"http:\/\/www.sxipper.com\/\" class=\"broken_link\">Sxipper<\/a> is a Firefox plug-in that provides an OpenID user with the same client side protections as CardSpace. OpenID is a protocol, similar at a high level to WS-* \u2014 so this is somewhat of an apples and oranges comparison. CardSpace could support OpenID and protect the user.<\/p>\n<div style=\"margin-left: 30px\">I\u2019d like to see OpenID and InfoCard technologies come together more. I\u2019ll be presenting a plan for that over the next little while.<\/div>\n<p>I\u2019m looking forward to seeing your thoughts Kim! Perhaps supporting OpenID in Cardspace?<\/p><\/blockquote>\n<p>I&#39;m not just talking about (realtime) proxying.&nbsp; I&#39;m talking about social engineering attacks in general.&nbsp; Where is the misinformation in my description of these attacks?&nbsp;&nbsp;<\/p>\n<p>Dick reassures us that use of the protocol to help convince users to reveal their credential is a known attack.&nbsp; Should this make me feel better?&nbsp; I don&#39;t think so.&nbsp;<\/p>\n<p>I also don&#39;t think the mitigations I&#39;ve heard about are too convincing &#8211; with a couple of exceptions.&nbsp;<\/p>\n<p>One of those is the mitigation devised by Dick himself &#8211; called Sxipper.&nbsp; This is a plugin for the browser which, as I understand it, takes control away from the evil party.&nbsp; If all OpenID implementations were to add this feature it would be a&nbsp;big step forward!<\/p>\n<p>But in that case, if we want to separate apples from oranges, let&#39;s not say that InfoCards require a client component and OpenID doesn&#39;t.&nbsp; Let&#39;s say that to offer reasonable protection, InfoCards require a client component and so does OpenID.&nbsp; That would, as Dick proposes, properly separate discussion of protocols from the overall delivery of an identity solution.<\/p>\n<p>Use of a hardware token at the OpenID site also mitigates the social engineering attack, though not the man in the middle attack.<\/p>\n<p>More later about how Cardspace and OpenID can converge further.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To offer reasonable protection, InfoCards require a client component and so does OpenID&#8230;<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,8,15,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/650"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=650"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/650\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=650"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=650"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=650"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}