savannah-users

Re: [Savannah-users] OpenID security


From: Sylvain Beucler
Subject: Re: [Savannah-users] OpenID security
Date: Sat, 1 Aug 2009 08:53:45 +0200
User-agent: Mutt/1.5.20 (2009-06-14)

Hi,

> > - when things are moving off-topic, please change the subject
> 
> I was not talking about single sign-on, [...]

But not about the original topic either - how hair-splitting.

> Read http://en.wikipedia.org/wiki/OpenID#Security_and_phishing . Please read
> the references too. You ask for information, so read and understand all of them.
> 
> That is because a private and encrypted communication channel (VPN) is the
> best way to avoid these issues.
> 
> With the VPN you avoid man-in-the-middle attacks. There are a lot of attack
> paths, the basic one being based on the DNS service weakness. I hope I do not
> have to explain all the security knowledge involved because it is a lot to
> write.

The Wikipedia page mentions _phishing_ "man-in-the-middle" as an issue
but says nothing about traditional/network man-in-the-middle
attacks. I don't think a VPN helps in this case?

> Do you know any bank which offers OpenID as an authentication mechanism?
> Realize a good analysis please.

BNP Paribas considers birth date as confidential information for
their "3D secure" system - they are not the best examples.
http://www.ecommerce404.fr/2008/09/3d-secure-et-les-differentes-banques/

They are, too, vulnerable to phishing - but who isn't?

-- 
Sylvain



