[sldev] OpenID & SSL certificates

Argent Stonecutter secret.argent at gmail.com
Tue Oct 2 15:30:27 PDT 2007


On 02-Oct-2007, at 12:41, Dzonatas wrote:
> Does the mere attempt to move authentication (as it exists now)  
> from the viewer to the web-site change anything?

Absolutely.

* Using the website means that you can't use an enforced challenge-  
response mechanism... the password has to be sent over the network.  
Yes, it could be inside an SSL tunnel, but it still has to be sent to  
the server, so it can be stolen by a crooked server.

* Using the website means that if you can present people with a  
prompt that looks like the server you can use that to phish for their  
passwords. And you can do that even without breaking the browser  
sandbox.

That is, the viewer is inherently more secure than a website, and  
moving the authentication to the web reduces security.

In addition, the fact that the website connection is a persistent  
connection with no clear session model, rather than one where exiting  
the viewer automatically tears down a connection and thus the  
session, opens up additional opportunities for an attack.

So, yeh, it changes things... for the worse.

> The why is really the need to improve the authentication protocol  
> (not the viewer).

1. Make the server connection via SSL to prevent sniffing.
2. Use challenge-response (eg, kerberos), hidden from the user.
3. Use a challenge-response key agreement protocol (eg, EKE) to both  
avoid sending the password AND to generate a shared key.

Given that it's using plaintext passwords over an unencrypted  
connection, there's nowhere to go but up. I just want to make sure  
that the road leading upward doesn't end up in a dead end.
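To make the difference between the two approaches concrete, the following is an added example; it is not code from the original thread and not Second Life's login protocol. It contrasts a web-form style login, where the password itself is the message sent to the server, with a simple nonce-based challenge-response (option 2 in the list above) in which both sides only ever exchange a salt, a fresh random nonce and an HMAC over that nonce. The user name, password and PBKDF2 parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed parameter for the example; a real deployment tunes this.
PBKDF2_ITERATIONS = 100_000


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a fixed-length key. Both sides compute this;
    the server stores only the result (the verifier), never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Server:
    def __init__(self):
        self.users = {}     # username -> (salt, verifier key)
        self.pending = {}   # username -> outstanding challenge nonce

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_key(password, salt))

    def challenge(self, username: str):
        """Issue a fresh random nonce; an old response cannot answer a new one."""
        salt, _ = self.users[username]
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        # Consume the outstanding challenge so it can only be answered once.
        expected_nonce = self.pending.pop(username, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        _, key = self.users[username]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password without transmitting it."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def website_login(server: Server, username: str, password: str, wire: list) -> bool:
    """Web-form style: the password is the message. Whoever terminates the
    connection (including a crooked server) receives it verbatim."""
    wire.append(("client->server", password.encode()))
    salt, key = server.users[username]
    return hmac.compare_digest(derive_key(password, salt), key)


def challenge_response_login(server: Server, username: str, password: str, wire: list) -> bool:
    """Challenge-response: only salt, nonce and an HMAC cross the network."""
    salt, nonce = server.challenge(username)
    wire.append(("server->client", salt + nonce))
    response = client_respond(password, salt, nonce)
    wire.append(("client->server", response))
    return server.verify(username, nonce, response)


def password_seen_on_wire(wire: list, password: str) -> bool:
    return any(password.encode() in payload for _, payload in wire)


def demo() -> dict:
    """Run both schemes and report what a passive sniffer of `wire` learns."""
    server = Server()
    server.enroll("alice", "correct horse")   # constructed credentials

    web_wire = []
    web_ok = website_login(server, "alice", "correct horse", web_wire)

    cr_wire = []
    cr_ok = challenge_response_login(server, "alice", "correct horse", cr_wire)
    cr_bad = challenge_response_login(server, "alice", "wrong password", cr_wire)

    # Replay attack: reuse the captured good response against a fresh nonce.
    _, captured_response = cr_wire[1]
    _, new_nonce = server.challenge("alice")
    replay_ok = server.verify("alice", new_nonce, captured_response)

    return {
        "web_login_ok": web_ok,
        "web_password_on_wire": password_seen_on_wire(web_wire, "correct horse"),
        "cr_login_ok": cr_ok,
        "cr_wrong_password_rejected": not cr_bad,
        "cr_password_on_wire": password_seen_on_wire(cr_wire, "correct horse"),
        "cr_replay_rejected": not replay_ok,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The caveat that motivates option 3 in the list: in this scheme a sniffer who captures salt, nonce and response (or a crooked server holding the verifier) can still run an offline dictionary attack, testing candidate passwords against the captured HMAC. A password-authenticated key agreement such as EKE removes that too, because a transcript of the exchange gives an attacker nothing to grind against, and the two sides come away with a shared session key.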
