Some security advice for our OpenID users

With the recent news about the DNS cache vulnerability, users are more exposed than ever to potential security attacks, including phishing or pharming attacks, that apply to OpenID as well as other network systems. For example, the ability to redirect DNS requests through cache poisoning opens the door to a significant OpenID security risk: if the OpenID provider is not employing TLS with server-side authentication — preferably mutual authentication — any affected DNS server could redirect the client to a pharming site that looks like the user's real OP, but is not. If OpenID required transport and authentication over HTTPS, this would be less of a problem.

In order to limit the risk, we are advising the users of our OpenID@Work provider to make sure that they follow these guidelines, which might be useful for others, as well:
  • Make sure that you systems are fully patched.
  • Verify that the DNS server you use (usually provided by your ISP) is patched and not subject to DNS cache poisoning. You can verify this at Dan Kaminsky's web site. If you find that your ISP has not down their job, complain. Loudly.
  • Use certificate revocation lists. These list contain the serial numbers of revoked certificates and they can be easily consumed by most modern browsers. For the SunPKI list, just point your browser to http://www.sun.com/pki/pkismica.crl and make sure that your browser refreshes it regularly. Other companies have their own CRLs (e.g. Verisigns are here).
  • Be extra careful when accessing your authentication web site: openid.sun.com can easily be mistaken for open1d.sun.com or openid.sun.com.uk.

In addition, we recommend that Sun employees use the corporate VPN for all sensitive corporate business, and — obviously — not use the experimental OpenID@Work authentication service, or any OpenID authentication service, for anything of value.

UPDATE: The Sun PKI CRLs is also here, which is the official distribution point for Sun/Verisigns issued certificates. In addition, these certificate support OCSP verification at http://ocsp.verisign.com.

Ben Laurie and Robin Wilton also published information relating to the weaknesses of OpenID.

tags:

Comments:

Post a Comment:
Comments are closed for this entry.
About

beuchelt

Search

Categories
Archives
« July 2015
SunMonTueWedThuFriSat
   
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 
       
Today