[sldev] OpenID & SSL certificates
Argent Stonecutter
secret.argent at gmail.com
Tue Oct 2 15:30:27 PDT 2007
On 02-Oct-2007, at 12:41, Dzonatas wrote:
> Does the mere attempt to move authentication (as it exists now)
> from the viewer to the web-site change anything?
Absolutely.
* Using the website means that you can't use an enforced challenge-response
mechanism... the password has to be sent over the network.
Yes, it could be inside an SSL tunnel, but it still has to be sent to
the server, so it can be stolen by a crocked server.
* Using the website means that if you can present people with a
prompt that looks like the server you can use that to phish for their
passwords. And you can do that even without breaking the browser
sandbox.
That is, the viewer is inherently more secure than a website, and
moving the authentication to the web reduces security.
In addition, the fact that the website connection is a persistent
connection with no clear session model, rather than one where exiting
the viewer automatically tears down a connection and thus the
session, opens up additional opportunities for an attack.
So, yeh, it changes things... for the worse.
> The why is really the need to improve the authentication protocol
> (not the viewer).
1. Make the server connection via SSL to prevent sniffing.
2. Use challenge-response (eg, kerberos), hidden from the user.
3. Use a challenge-response key agreement protocol (eg, EKE) to both
avoid sending the password AND to generate a shared key.
Given that it's using plaintext passwords over an unencrypted
connection, there's nowhere to go but up. I just want to make sure
that the road leading upward doesn't end up in a dead end.
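A minimal challenge-response login, added here to illustrate point 2 above (the password never crosses the wire, and a captured exchange cannot be replayed); this is example code, not from the thread or the Second Life viewer, uses HMAC over a server nonce rather than Kerberos or EKE, and every name in it (Server, client_respond, login) is invented.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; constructed value for the example


def derive_key(password: str, salt: bytes) -> bytes:
    """Client and server derive the same key from the password and a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Server:
    """Holds only password-derived verifiers; issues one-shot nonces as challenges."""

    def __init__(self):
        self.accounts = {}  # username -> (salt, verifier); no plaintext password stored
        self.pending = {}   # username -> outstanding nonce; popped on first use (anti-replay)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = (salt, derive_key(password, salt))

    def challenge(self, user: str) -> tuple[bytes, bytes]:
        # Unknown users get a random salt so the response does not reveal account existence.
        salt = self.accounts[user][0] if user in self.accounts else os.urandom(16)
        nonce = os.urandom(32)
        self.pending[user] = nonce
        return salt, nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        issued = self.pending.pop(user, None)  # each nonce is accepted at most once
        if issued is None or not hmac.compare_digest(issued, nonce) or user not in self.accounts:
            return False
        _, verifier = self.accounts[user]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the viewer sends: an HMAC over the nonce, never the password itself."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def login(server: Server, user: str, password: str) -> bool:
    """Full exchange: challenge -> response -> verdict; only salt, nonce and HMAC transit."""
    salt, nonce = server.challenge(user)
    return server.verify(user, nonce, client_respond(password, salt, nonce))
```

A sniffer on an unencrypted link sees only the salt, the nonce and the HMAC, and because the server discards each nonce after one check, resending a captured response fails; the stored verifier still has to be protected, since a compromised server could brute-force it offline, which is the gap that EKE-style protocols narrow further.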