Messaging News - June 2008 - (Page 32) ON MESSAGE

increasing numbers of large service providers are also OpenID Providers. However, numbers for actively used OpenIDs are hard to come by. As noted above, part of the problem is that the majority of high-profile OpenID Providers (AOL, Microsoft, and Yahoo!) are only providers and not Relying Parties. While these services are happy to let other sites authenticate against their infrastructure with IDs that they issue, they do not allow users with OpenIDs from other providers to authenticate to their infrastructure. These are about as useful as a new credit card, with attractive rates, that few merchants will accept.

In a sense OpenID competes with a host of other frameworks, protocols, systems, and standards such as SAML, the WS-* services, LDAP-based authentication, Kerberos, and RADIUS. Most of these are running in production services with large active user bases.

While OpenID has a number of security and privacy problems that it needs to overcome, one of the most urgent is providing greater protection from phishing attempts to OpenID users. One major risk of SSO systems is that a compromised account may result in the attacker having access to multiple systems beyond the compromised individual service. In some ways, this is only incrementally worse than existing practice, as people tend to have just a few passwords and use the same passwords for similar types of services. Limited numbers of passwords combined with usernames—which increasingly are simply email addresses—lead to a situation where a compromised account could easily be used on multiple services. OpenID will become an increasingly vulnerable target unless there is improvement to OpenID’s limited protection from phishing attacks.

"OpenID security—in particular protection from phishing attacks—still needs significant development."

Growing Risks

Since OpenID is a distributed SSO system, the provider with the weakest security puts all Relying Parties at risk. For example, any provider or Relying Party that is compromised, or even one that is vulnerable to Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks, could be used to compromise users’ logins. There are significant privacy risks as well: OpenID Providers can potentially engage in large-scale tracking by maintaining a list of every site that the user authenticates to via OpenID.

Another risk of SSO systems, even distributed ones such as OpenID, is that they can be a single point of failure. For example, when a power outage at the 365 Main colocation facility forced many sites offline, including Six Apart, makers of TypePad, LiveJournal (since sold), and Movable Type, during the outage all OpenIDs associated with the LiveJournal service became unavailable. Similarly, with a recent DNS outage on my own server, all services associated with the OpenID hosted on my domain became unavailable. This is a sobering thought. While most mainstream consumer services have extremely high uptimes, recently there have been a number of high-profile failures. A failure with the service hosting your OpenID would cause all of your OpenID-enabled logins to fail as well. This risk will grow as OpenID adoption grows. Again, this risk is not inherent to OpenID alone; however, it should be a consideration when choosing whether or not to rely on any SSO and when choosing an SSO service.

In order to improve adoption rates, many OpenID-enabled sites need to improve the usability of logging in with OpenID for end users. First, most users are comfortable with service-specific usernames, even if they do find creating new credentials for each service cumbersome. Increasingly, services make use of an existing email address as the user identifier in order to avoid the problem of users finding a unique username for each service. OpenID logins often require the user to click through to a secondary login page on the service, thus requiring more effort than the standard login. Although the process may be slightly simplified, many OpenID-enabled services still require an account creation process to attach local data to the external OpenID. OpenID is facing an uphill battle with both consumer recognition and convincing users that the OpenID framework provides enough benefit to warrant learning new behaviors.

OpenID is clearly gaining in adoption and importance. Currently, OpenID is both too lightweight for enterprise identity management and too insecure for sites with financial or other highly sensitive data. Some of the current problems will be mitigated by OpenID extensions and new, more secure mechanisms for OpenID authentication and improved phishing protection. Businesses, especially those with consumer Web-based services, would do well to familiarize themselves with the technology and pay attention to its progress.

BG/TMP

FOR YOUR REFERENCE
OpenID http://openid.net/