Some security advice for our OpenID users
By beuchelt on Aug 07, 2008
An OpenID login trusts whatever host the name of your provider resolves to, so a poisoned DNS resolver, an unrevoked stolen certificate or a look-alike host name can put an impostor in the place of openid.sun.com. To limit that risk, we are advising the users of our OpenID@Work provider to follow these guidelines, which may be useful to others as well:
- Make sure that your systems are fully patched.
- Verify that the DNS server you use (usually provided by your ISP) is patched and not subject to DNS cache poisoning. You can verify this at Dan Kaminsky's web site; the test checks whether the resolver randomizes the source port of its outgoing queries rather than relying on the 16-bit transaction ID alone. If you find that your ISP has not done their job, complain. Loudly.
- Use certificate revocation lists. These lists contain the serial numbers of revoked certificates and can be consumed by most modern browsers. For the Sun PKI list, point your browser to http://www.sun.com/pki/pkismica.crl and make sure that your browser refreshes it regularly: a CRL is only as current as its last download, and a browser that silently accepts a certificate when it cannot fetch the list gives you no protection at all. Other companies have their own CRLs (e.g. VeriSign's are here).
- Be extra careful when accessing your authentication web site: openid.sun.com is easily mistaken for open1d.sun.com or openid.sun.com.uk. Read the host name in the address bar and check that the certificate presented is actually issued to openid.sun.com before typing a password.
In addition, we recommend that Sun employees use the corporate VPN for all sensitive corporate business, and — obviously — not use the experimental OpenID@Work authentication service, or any OpenID authentication service, for anything of value.
UPDATE: The Sun PKI CRL is also available here, which is the official distribution point for the certificates issued to Sun by VeriSign. In addition, these certificates support OCSP verification at http://ocsp.verisign.com, which lets the browser check a single certificate's status on demand instead of downloading the whole list.