OpenID Warns of Serious Remote Bug, Urges Upgrade

Trailrunner7 writes "The OpenID Foundation is warning users about a weakness in the software that could enable an attacker to change some of the data exchanged between parties that use OpenID. The group is telling sites that implement OpenID to update to a new version in order to fix the problem. The bug in OpenID lies in the system's Attribute Exchange, an extension that gives sites the ability to exchange identity information between endpoints. OpenID, an open source project that enables users to prove their identity to myriad sites without providing their passwords, is used by a slew of popular sites, including Google, Yahoo and Flickr."

Re:OpenID is a pile of crap.

[growse]

I've not had to log into a stackoverflow site since the first time I logged in, about 3 months ago.

I conclude "You're doing it wrong".

RTF linked post

http://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/5/5/Researchers-find-OpenID-vulnerability-sites-patch-hole

This only affects sites that use OpenID's AttributeExchange. If you just use it for authentication (and use the relying party's claimed identifier as the protocol advises) you are not/never were vulnerable.

The concept of OpenID doesn't seem very secure

[Bloodwine77]

I can see using OpenID for throwaway accounts, but I would never use it for anything serious. I use different passwords for every site I visit, so if one site gets compromised then my other accounts are still safe. OpenID puts all the eggs in one basket, and that just doesn't sit well with me.

Re:The concept of OpenID doesn't seem very secure

Given the average software developer's attention to security and the average company's attitude towards security, would you rather:

-Deal with the hassle of creating a new password for each site (possibly with some per-site algorithm, that with enough compromises, could be deduced), and the associated inconvenience of remembering them all

or:

-Put all your eggs in one basket with an OpenID provider that *does* take security seriously (Google, Yahoo, etc. can function as OpenID relying parties - and you can also use two factor authentication with Google now), so that basket is extremely well protected, and dodge the issue of giving random sites on the internet a password entirely?

Re:The concept of OpenID doesn't seem very secure

[Dunbal]

OpenID puts all the eggs in one basket.

Apparently it's more like a sieve than a basket. A sieve with very big holes where the eggs can fall out if you shake it enough.

Re:The concept of OpenID doesn't seem very secure

[abulafia]

Put all your eggs in one basket with an OpenID provider that *does* take security seriously (Google, Yahoo, etc. can function as OpenID relying parties - and you can also use two factor authentication with Google now), so that basket is extremely well protected, and dodge the issue of giving random sites on the internet a password entirely?

That's easy. I would rather use per-site passwords.

Even if you trust Google's security without qualification, which you shouldn't, as they've been compromised before both internally and externally, there is the problem of interest alignment. Your interests are not the same as Google's.

As for deducing per-site passwords, well, if you can, then I'm doing it wrong, or you have either my master key or broken SHA2. And I don't remember any of them That is what password managers are for.

Final thought- if you've convinced yourself of the wisdom depending on the almighty Google (or Yahoo, or whoever), you might want to watch and see if they happen to upgrade their OpenID system in the next little bit. Just a thought.

Re:The concept of OpenID doesn't seem very secure

[meba]

There are ways... You can for example get a Yubi Key: http://www.yubico.com/yubikey, then get your own Drupal based OpenID provider: http://drupal.org/project/openid_provider and use http://drupal.org/project/yubikey module. Result? You host your own OpenID provider and everytime you want to use it, you need to have the Yubi Key - no one can steal your identity unless he steals your USB Key and your OTP

Re:The concept of OpenID doesn't seem very secure

[brusk]

If you're shaking a sieveful of eggs, the size of the holes isn't your biggest problem.

Re:The concept of OpenID doesn't seem very secure

[SuperQ]

Then you don't understand the concept.

OpenID allows you to keep your password AWAY from various sites. For example if I wanted to login to slashdot I can use any OpenID provider I want. This means that slashdot never gets my password. Slashdot gets a just-for-it token that my OpenID provider gives. If slashdot gets broken, no big deal that token can't be used for anything else, and my password is never released.

Guess what, I run my own OpenID provider so the only one to blame for loss of my authentication is myself. My own server is the only thing that gets the password and that exchange is done entirely over SSL.

Re:The concept of OpenID doesn't seem very secure

[dstar]

OpenID allows you to keep your password AWAY from various sites.

I think you mean 'OpenID allows you to train users to be vulnerable to phishing attacks'. 'Never type your password into a page unless you went directly to the site' is good advice; 'Never type your password into a page unless you went directly to the site or the site that sent you there claims to be using OpenID' is not.

The actual "weakness"

[Plombo]

The summary is very misleading. From TFA:

A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). See below for information on the suggested fix. The researchers determined that some sites were not confirming that the information passed through AX was signed. That allows an attacker to modify the information. If the site is only using AX to receive low-security information like a users self-asserted gender, then this will probably not be a problem. However if it is being used to receive information that it only trusts the identity provider to assert, then it creates the potential for an attack.

There are no AX attributes that all providers are required to support, nor are there any (as far as I know) available from enough providers to "trust the identity provider" for. Even the basic ones like name and email address can't be relied upon.

Before you log in to a site using OpenID, if you have a decent provider (Google and Launchpad both do this; I don't know about others), it will tell you exactly what information the relying site is asking for, and what it's going to send to the relying party. I have yet to see a relying site that uses AX for anything other than my email address and sometimes my name. And once you register on a site using OpenID, the site will ask you for that information anyway using the AX attributes as default form values if they are available, since AX can't be relied on to provide the information. This "weakness" in OpenID only exists for relying sites that use AX for "information that it only trusts the identity provider to assert", which only exist in theory. Calling this a "serious remote bug" is a joke.

And most importantly, the summary doesn't make clear that even on the theoretical sites where this is an actual problem, your login and valuable personal information cannot be compromised by this vulnerability, because AX is not used for any of that. That is what a "serious remote bug" in OpenID would be.