Is OpenID secure?

OpenID, as the name suggests, is an open identity solution: one identity that can be used to authenticate to many websites. Thousands of websites ask for authentication, and registering on all of them, with a unique username and password for each, is irritating. Most of the time the requested username is not available, so the user has to invent something new, which is exactly what gets forgotten the next time the website is visited.

OpenID tries to solve this by letting a single identity provider (Google and Yahoo both ran OpenID providers; Facebook's comparable login button is built on OAuth rather than OpenID) vouch for the user when registering with a new website, so the new website never has to store a password for that user. The following steps describe how OpenID works with an example.

Consider the three actors in the scenario:

  • Alice (end user)
  • Google (identity provider, called the OpenID provider or OP in the specification)
  • travelplan.com (consumer, called the relying party or RP) – a website that helps you make a travel plan.

 OpenID workflow:

  1. Alice visits the website, travelplan.com, and finds that she needs an account to start using it.
  2. Alice also finds an option to log in with her Google account.
  3. She clicks the “login using Google” option.
  4. travelplan.com discovers Google's OpenID endpoint, optionally establishes a shared secret with it (an association), and redirects Alice's browser to Google with an authentication request that names the return URL on travelplan.com. travelplan.com does not talk to Alice's browser and Google in one step; the browser carries the messages between them.
  5. Google checks whether Alice already has a signed-in session; if not, it prompts her for her Google credentials on Google's own login page.
  6. The password is entered only at Google. It is never shared with travelplan.com!
  7. Once Google has identified Alice, it asks for her authorization to release identity details such as her name and email address to travelplan.com.
  8. If Alice clicks allow, Google redirects her browser back to travelplan.com with a signed assertion containing her identifier and the released details. travelplan.com checks the signature (with the shared secret, or by asking Google directly) and then logs her in.
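
The exchange in steps 4 to 8, reduced to the part that decides whether Alice gets in, as an added example that is not part of the original post and not Google's or any OpenID library's code. It follows OpenID 2.0: the OP signs the assertion with HMAC-SHA256 over the Key-Value form of the fields listed in openid.signed, and the RP, which holds the same MAC key from the association, recomputes that signature and then checks that the assertion really belongs to this login (return_to, op_endpoint, claimed_id) and has not been seen before (response_nonce). The endpoint URLs, identifiers and association handle are made up for the illustration.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

OPENID_NS = "http://specs.openid.net/auth/2.0"
OP_ENDPOINT = "https://op.example/openid"           # assumed OP endpoint, not a real service
RETURN_TO = "https://travelplan.com/openid/return"  # assumed RP callback URL
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}


def kv_form(fields, signed):
    """Key-Value form of the signed fields, in openid.signed order, keys without the prefix."""
    return "".join("%s:%s\n" % (k, fields["openid." + k]) for k in signed)


def sign(mac_key, fields, signed):
    """Base64 HMAC-SHA256 over the Key-Value form (assoc_type HMAC-SHA256)."""
    mac = hmac.new(mac_key, kv_form(fields, signed).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def op_issue_assertion(mac_key, assoc_handle, claimed_id, return_to):
    """OP side: the positive assertion redirected back through the browser after Alice clicks allow."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": stamp + secrets.token_urlsafe(8),  # UTC timestamp + unique suffix
        "openid.assoc_handle": assoc_handle,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(mac_key, fields, signed)
    return fields


class RelyingParty:
    """RP side: the association (shared MAC key) plus the nonces already accepted from that OP."""
    def __init__(self, assoc_handle, mac_key, max_skew=timedelta(minutes=5)):
        self.associations = {assoc_handle: (mac_key, OP_ENDPOINT)}
        self.seen_nonces = set()
        self.max_skew = max_skew

    def verify(self, fields, expected_return_to, expected_claimed_id):
        """Return (accepted, reason); each rejection names the check that failed."""
        if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        assoc = self.associations.get(fields.get("openid.assoc_handle"))
        if assoc is None:
            return False, "unknown association handle"  # a real RP would fall back to check_authentication
        mac_key, op_endpoint = assoc
        signed = fields.get("openid.signed", "").split(",")
        if not REQUIRED_SIGNED.issubset(signed) or any("openid." + k not in fields for k in signed):
            return False, "signed list incomplete or names a missing field"
        if not hmac.compare_digest(fields.get("openid.sig", ""), sign(mac_key, fields, signed)):
            return False, "bad signature"
        if fields["openid.op_endpoint"] != op_endpoint:
            return False, "assertion not from the OP this association was made with"
        if fields["openid.return_to"] != expected_return_to:
            return False, "return_to mismatch"
        if fields["openid.claimed_id"] != expected_claimed_id:
            return False, "claimed_id is not the identifier discovery produced"
        nonce = fields["openid.response_nonce"]
        try:
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed nonce"
        if abs(datetime.now(timezone.utc) - issued) > self.max_skew:
            return False, "nonce outside allowed clock skew"
        if (op_endpoint, nonce) in self.seen_nonces:
            return False, "nonce replayed"
        self.seen_nonces.add((op_endpoint, nonce))  # remember only after every other check passed
        return True, "accepted"


def demo():
    """Constructed run: one honest login, the same assertion replayed, and one with claimed_id edited."""
    mac_key = secrets.token_bytes(32)
    handle = "assoc-" + secrets.token_hex(4)
    alice = "https://op.example/id/alice"          # assumed claimed identifier
    rp = RelyingParty(handle, mac_key)
    assertion = op_issue_assertion(mac_key, handle, alice, RETURN_TO)
    first = rp.verify(assertion, RETURN_TO, alice)
    replay = rp.verify(assertion, RETURN_TO, alice)
    mallory = "https://op.example/id/mallory"
    tampered = rp.verify({**assertion, "openid.claimed_id": mallory}, RETURN_TO, mallory)
    return first, replay, tampered
```

The point of the example is the list of checks in verify: a correct signature alone proves only that the OP signed something, not that it signed this login for this user at this site, which is why the replay and the edited identifier are rejected separately. In stateless mode, where the RP holds no MAC key, the signature check becomes a direct check_authentication request to the OP and the remaining checks are unchanged.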

The idea is attractive because the user's credentials, the password in particular, are never shared with the consumer, travelplan.com. This makes life easier, since you don't have to remember usernames and passwords for hundreds of websites and can manage with a single identity provider such as Google or Facebook. But the design also brings a number of security issues. Some of them are mentioned below:

Phishing attacks:

The redirect at the heart of the protocol trains users to type their provider password on whatever page a website sends them to. A malicious or compromised relying party can redirect the user to a page that looks exactly like the identity provider's login page (Google's, say) instead of the real one. If the user enters his Gmail password there, he has lost not just that one account but every one of the n websites he has connected to it through OpenID, and of course the provider account itself. The relying party is precisely the party that cannot be trusted to redirect honestly, so the defences are on the user's and provider's side: check the address bar and TLS indicator before typing the password, and prefer a provider that requires a second factor so a captured password alone is not enough.

Man in the middle attacks:

OpenID 2.0 relying parties and providers establish the shared key used to sign assertions with a Diffie-Hellman exchange (the association request). That exchange is unauthenticated: it hides the MAC key from a passive eavesdropper, but an active attacker between the relying party and the provider can replace each side's public value with his own, learn the MAC key, and afterwards sign assertions for any identity the relying party trusts. The discovery step that maps an identifier to a provider endpoint is exposed in the same way if it runs over plain HTTP. The protocol leaves the fix to the transport, so the limitations and attacks on unauthenticated DH apply to OpenID wherever associations and discovery are not done over TLS with certificate validation.
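
The attack described above, as an added example that is not from the original post or from any OpenID implementation. It runs the DH-SHA256 association as OpenID 2.0 defines it: each side sends g^x mod p, and the provider returns the MAC key XORed with SHA-256 of the btwoc-encoded shared secret. The honest run and the run with an attacker (Mallory) relaying both messages are shown side by side; in the second one the relying party gets the right MAC key and never notices, but so does Mallory. The group is RFC 2409's 1024-bit MODP group 2 with generator 2, used here only as a convenient well-known group; OpenID ships its own default modulus, and nothing in the attack depends on which group is used.

```python
import hashlib
import secrets

# RFC 2409 MODP group 2 (1024-bit prime), generator 2. Assumed for the illustration;
# OpenID 2.0 specifies its own default modulus, and the attack works identically with it.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def btwoc(n):
    """OpenID's big-endian two's complement encoding of a non-negative integer (leading 0x00 if needed)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Party:
    """One DH participant: private exponent and the public value it puts on the wire."""
    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def key_wrap(self, other_pub):
        """DH-SHA256: SHA-256(btwoc(g^xy mod p)), the value XORed with the MAC key."""
        return hashlib.sha256(btwoc(pow(other_pub, self.priv, P))).digest()


def honest_association():
    """RP sends dh_consumer_public; OP answers with dh_server_public and enc_mac_key."""
    rp, op = Party(), Party()
    mac_key = secrets.token_bytes(32)
    enc_mac_key = xor(op.key_wrap(rp.pub), mac_key)      # OP wraps the fresh MAC key
    rp_mac_key = xor(rp.key_wrap(op.pub), enc_mac_key)   # RP unwraps it
    return mac_key, rp_mac_key


def mitm_association():
    """Same exchange with Mallory relaying both messages over an unprotected (non-TLS) channel."""
    rp, op = Party(), Party()
    mallory_op_side, mallory_rp_side = Party(), Party()
    mac_key = secrets.token_bytes(32)
    # RP -> Mallory -> OP: the OP never sees rp.pub, only Mallory's value
    enc_mac_key = xor(op.key_wrap(mallory_op_side.pub), mac_key)
    # OP -> Mallory: she unwraps with the secret she shares with the OP...
    mallory_mac_key = xor(mallory_op_side.key_wrap(op.pub), enc_mac_key)
    # ...and re-wraps for the RP under the secret she shares with it, sending her own public value
    rewrapped = xor(mallory_rp_side.key_wrap(rp.pub), mallory_mac_key)
    rp_mac_key = xor(rp.key_wrap(mallory_rp_side.pub), rewrapped)
    return mac_key, rp_mac_key, mallory_mac_key
```

Nothing in the association response authenticates dh_server_public, so the relying party has no way to tell the second run from the first; that is why the specification tells relying parties to use TLS for associations (and allows the no-encryption session type only there). Note that an RP which does use TLS but skips certificate validation is in exactly the position shown here.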

Denial of Service attacks:

In the steps above there are two kinds of requests: from the user's browser to the website, and from the website to the identity provider (discovery, association, and signature checks). The second kind is triggered by user input: anyone who submits identifiers to a relying party can make it open outbound connections, to the provider or to whatever URL the identifier resolves to, so the relying party can be used both as a victim and as an amplifier against the provider. There is therefore a real chance of DoS through OpenID unless the implementation handles it: timeouts and size limits on discovery fetches, rate limiting of requests from one IP, caching of associations so that each login does not cost a new key exchange, and the other usual methods used to prevent DoS.

Session related attacks:

A user of OpenID typically keeps a long-lived authenticated session at the provider and sessions at many relying parties at the same time. That makes login CSRF and session swapping possible: the attacker obtains a valid assertion for his own identity and makes the victim's browser submit it to the relying party, so the victim is silently logged in to the attacker's account and everything he enters afterwards (trip details, payment data) lands where the attacker can read it. An XSS bug on any of these sites exposes the corresponding session as usual. The relying party must bind each login attempt to the browser that started it, for example with a random token in return_to that is checked against that browser's own session cookie when the assertion comes back.
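
Session swapping and the binding that stops it, as an added example that is not from the original post or any real relying party's code. The toy session layer below issues a random token per login attempt, puts it in openid.return_to (which the OP signs and echoes back) and only accepts an assertion whose token matches the browser session that submits it. finish_login takes an assertion whose OP signature is assumed to have been verified already; with bind_to_browser=False it shows the vulnerable behaviour, where Mallory's perfectly valid assertion logs Bob's browser in as Mallory. URLs and identifiers are made up.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

RP_RETURN = "https://travelplan.com/openid/return"  # assumed RP callback URL


class RelyingPartySessions:
    """Toy RP session layer: browser sessions keyed by cookie, each login attempt bound by a random token."""
    def __init__(self):
        self.sessions = {}  # cookie value -> {"login_token": ..., "user": ...}

    def new_session(self):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = {}
        return cookie

    def start_login(self, cookie):
        """Return the openid.return_to to send to the OP; its token is remembered in this browser's session."""
        token = secrets.token_urlsafe(16)
        self.sessions[cookie]["login_token"] = token
        return RP_RETURN + "?" + urlencode({"rp_token": token})

    def finish_login(self, cookie, return_to, claimed_id, bind_to_browser=True):
        """Consume an assertion whose OP signature has already been verified.

        return_to is the signed value from the assertion. With bind_to_browser=False this is the
        vulnerable behaviour: any valid assertion logs in whichever browser submits it.
        """
        session = self.sessions.get(cookie)
        if session is None:
            return False, "unknown browser session"
        if bind_to_browser:
            token = parse_qs(urlsplit(return_to).query).get("rp_token", [""])[0]
            expected = session.pop("login_token", None)  # one-shot: a second submission finds nothing
            if expected is None or not secrets.compare_digest(token, expected):
                return False, "return_to token does not belong to this browser"
        session["user"] = claimed_id
        return True, "logged in as " + claimed_id


def demo():
    """Constructed scenario: Alice's honest login, then Mallory's assertion pushed into Bob's browser."""
    rp = RelyingPartySessions()
    alice = rp.new_session()
    honest = rp.finish_login(alice, rp.start_login(alice), "https://op.example/id/alice")

    # Mallory starts a login in her own browser and obtains a valid, OP-signed assertion for HER identity...
    mallory = rp.new_session()
    mallory_return_to = rp.start_login(mallory)
    # ...then makes Bob's browser (a different session, with its own login in progress) submit it.
    bob = rp.new_session()
    rp.start_login(bob)
    hardened = rp.finish_login(bob, mallory_return_to, "https://op.example/id/mallory")
    vulnerable = rp.finish_login(bob, mallory_return_to, "https://op.example/id/mallory", bind_to_browser=False)
    return honest, hardened, vulnerable
```

The token must be unguessable and single-use, and the comparison is constant-time; the same mechanism is what later protocols standardised as the OAuth 2.0 state parameter. Binding to the browser does nothing against the XSS case, which has to be fixed in the site itself.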

Privacy breaching:

OpenID can be a major blow to your privacy. Your OpenID provider sees every single site you log in to with it, and when, and the protocol provides no way to hide this information from the provider. (OpenID 2.0 does let a provider hand each relying party a different identifier so that relying parties cannot correlate you with each other, but the provider itself still sees everything.)

 There are a few other attacks associated with OpenID, such as replay of a captured assertion (which the response nonce exists to stop, provided the relying party actually remembers the nonces it has accepted) and silent authentication, where a relying party uses the protocol's immediate mode to confirm who the user is against a still-valid provider session without any visible interaction.

Thus, it is sensible to use OpenID only for websites where a compromise would expose little, even if a security breach does happen. It also helps to spread the risk over more than one identity provider, for example an account under a separate dummy email address that is used through OpenID only for low-value websites. That makes your life more secure in the cyber world.
