Re: OpenID and the web

Subject: Re: OpenID and the web
Date: Tue, 25 Mar 2008 14:09:02 -0700

> I think you'll see more OpenID support than Passport and Lib Alliance. Check http://openiddirectory.com/ for some of the sites and providers. Also, check out Verisign labs (http://pip.verisignlabs.com).

Let's hope so since there was no widespread adoption of the prior ones.

> A nice, easy, multi-factor solution for using OpenID is to use the Verisign provider and a Paypal security key. When you login to an OpenID enabled site, you'll go to the Verisign site and have to login with the security key.

Sounds fine, but who's really going to adopt the key so it's more meaningful than for paypal/ebay users, few of whom really care whether there's a key or not to sell their collectible cards or other used trinkets.

> An argument for OpenID with clients is that they are not responsible for authentication, Verisign or an authorized provider is now responsible for authentication. And the 2 factor authentication now can be used at my clients website for a $5 paypal key.

I see that this would be useful to me as a web site that would like to have such authentication for "free," but why would Verisign/Paypal want to do such authentication for others for free? Can they sell advertising for an authentication check, or will they attempt to charge using companies in the future for such checks? It may even lead to litigation, despite contract terms, that suggest if they "vouch" for the authentication that they'll somehow be blamed for the scam.

And it seems that scammers will just use phishing sites to collect this info, and then use the same two factors to try to scam the real web site -- as long as they do it within 30 seconds, a time that's reasonable for any electronic scam (there's no need to pause).

I've not heard of anybody actually using the $5 paypal key. It's not to say nobody does, just the original question was about any uptake we've seen, and I simply replied that we've not seen any, nor have any of our customers/users requested it (yet).

David


