[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Savannah-users] OpenID security
|
From: |
Sylvain Beucler |
|
Subject: |
Re: [Savannah-users] OpenID security |
|
Date: |
Sat, 1 Aug 2009 08:53:45 +0200 |
|
User-agent: |
Mutt/1.5.20 (2009-06-14) |
Hi,
> > - when things are moving off-topic, please change the subject
>
> I was not talking about single sign-on, [...]
But not about the original topic either - how hair-splitting.
> Read http://en.wikipedia.org/wiki/OpenID#Security_and_phishing . Please read
> references too. You ask for information, so read and understand all them.
>
> That is because a private and encrypted communication channel (VPN) is the
> best to avoid this issues.
>
> With the VPN you avoid man-in-the-middle attacks. There are lot of attacks
> paths being the basic one based on the DNS service weakness. I hope do not
> have to explain all the security involved knowled because it is a lot to
> write.
The wikipedia page mentions _phishing_ "man-in-the-middle" as an issue
but says nothing about traditional/network man-in-the-middle
attacks. I don't think a VPN helps in this case?
> Do you know any bank which offer OpenID as authentication mechanism? Realize
> a
> good analysis please.
BNP Paribas considers birth date as a confidential information for
their "3D secure" system - they are not best examples.
http://www.ecommerce404.fr/2008/09/3d-secure-et-les-differentes-banques/
They are, too, vulnerable to phishing - but who isn't?
--
Sylvain
- Re: [Savannah-users] OpenID security,
Sylvain Beucler <=