Is OpenID secure?

OpenID, as the name suggests, is an open identification solution that lets a user authenticate to many sites with a single ID. Thousands of websites ask for authentication, and it is tedious to register at all of them, creating an account at each with a unique username and password. Most of the time the requested username is not available and the user has to come up with something new, which makes it more likely that they will have forgotten it by the next visit to the website.

OpenID tries to solve this by relying on one identity provider (Google, Facebook, Yahoo, etc.) to vouch for the user's credentials when registering with a new website. The following steps describe how OpenID works, with an example.

Consider the three actors in the scenario:

  • Alice (end user)
  • Google (identity provider)
  • travelplan.com (consumer) – a website that helps you make a travel plan.

OpenID workflow:

  1. Alice visits the website, travelplan.com, and finds that she needs to make an account to start using it.
  2. Alice also finds an option to log in using her Gmail credentials.
  3. She clicks on the “login using gmail” option.
  4. travelplan.com sends a request to Google to verify the user Alice and to get her user identification details.
  5. Google checks for the user and prompts Alice to enter the credentials for her Google account.
  6. The password is not shared with travelplan.com at any point.
  7. Once Google identifies the user, it asks for the user’s authorization to allow the website, travelplan.com, to use identity details like name, email ID, etc.
  8. If the user clicks allow, an authentication token containing the user’s identity details is sent to travelplan.com, with which the user can proceed on travelplan.com.
[Ref: http://www.identityblog.com/?p=659]
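The exchange described in the steps above, as an added Python simulation that is not part of the original post: a relying party (travelplan.com) and an identity provider (Google) exchange a signed assertion. The password is checked only inside the provider, the relying party verifies the assertion with an HMAC over a shared association secret, and a response nonce stops a captured assertion from being accepted twice (the replay attack mentioned later in the post). The endpoint URLs, the user record and the direct generation of the association secret (real OpenID 2.0 derives it through Diffie-Hellman) are assumptions of the example, and the message layout is a simplified form of the OpenID 2.0 key-value fields.

```python
"""Simplified simulation of the OpenID flow between a relying party
(travelplan.com), an identity provider (Google) and the user (Alice).
Constructed illustration, not OpenID library code; all records are invented."""
import hashlib
import hmac
import secrets
import time
from typing import Optional


def sign_fields(secret: bytes, fields: dict, signed_keys: list) -> str:
    """HMAC-SHA256 over the signed fields in the key:value\\n form that
    OpenID 2.0 uses for its signature base string (simplified here)."""
    base = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)
    return hmac.new(secret, base.encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Google's role: it holds the passwords and never hands them out."""

    def __init__(self, endpoint: str):
        self.endpoint = endpoint
        self._users = {"alice": "correct horse battery staple"}  # constructed
        self._associations = {}

    def associate(self) -> tuple:
        """Establish a shared secret with the consumer (assumption: generated
        directly; real OpenID agrees on it with Diffie-Hellman)."""
        handle, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._associations[handle] = secret
        return handle, secret

    def login(self, request: dict, username: str, password: str) -> Optional[dict]:
        """Steps 5-8: authenticate Alice locally, then issue a signed assertion
        for the consumer. The password never leaves this object."""
        if self._users.get(username) != password:
            return None
        fields = {
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.identity": f"{self.endpoint}/id/{username}",
            "openid.return_to": request["openid.return_to"],
            "openid.assoc_handle": request["openid.assoc_handle"],
            "openid.response_nonce": f"{int(time.time())}-{secrets.token_hex(4)}",
        }
        signed = ["op_endpoint", "identity", "return_to", "assoc_handle", "response_nonce"]
        fields["openid.signed"] = ",".join(signed)
        secret = self._associations[fields["openid.assoc_handle"]]
        fields["openid.sig"] = sign_fields(secret, fields, signed)
        return fields


class RelyingParty:
    """travelplan.com's role: verifies assertions, never sees a password."""

    def __init__(self, provider: IdentityProvider, return_to: str):
        self.return_to = return_to
        self.handle, self.secret = provider.associate()
        self._seen_nonces = set()

    def begin_login(self) -> dict:
        """Step 4: the request the browser carries to the provider."""
        return {"openid.mode": "checkid_setup",
                "openid.return_to": self.return_to,
                "openid.assoc_handle": self.handle}

    def complete_login(self, response: dict) -> Optional[str]:
        """Step 8: accept the assertion only if it is addressed to us, signed
        with our association secret and not replayed. Returns the identity URL."""
        if response.get("openid.mode") != "id_res":
            return None
        if response.get("openid.return_to") != self.return_to:
            return None  # assertion meant for some other site
        if response.get("openid.assoc_handle") != self.handle:
            return None
        signed = response["openid.signed"].split(",")
        expected = sign_fields(self.secret, response, signed)
        if not hmac.compare_digest(expected, response.get("openid.sig", "")):
            return None  # forged or tampered assertion
        nonce = response["openid.response_nonce"]
        if nonce in self._seen_nonces:
            return None  # replay of an assertion already consumed
        self._seen_nonces.add(nonce)
        return response["openid.identity"]


def demo() -> dict:
    """Runs the happy path plus three failure cases and returns the outcomes."""
    google = IdentityProvider("https://idp.example")
    travelplan = RelyingParty(google, "https://travelplan.example/openid/return")
    request = travelplan.begin_login()
    assertion = google.login(request, "alice", "correct horse battery staple")
    first = travelplan.complete_login(assertion)
    replayed = travelplan.complete_login(assertion)  # same nonce presented again
    tampered = dict(assertion, **{"openid.identity": f"{google.endpoint}/id/bob"})
    forged = travelplan.complete_login(tampered)     # signature no longer matches
    wrong_password = google.login(request, "alice", "guess")
    # Nothing the relying party ever handled contains Alice's password
    leaked = any("correct horse" in str(v) for v in {**request, **assertion}.values())
    return {"first": first, "replayed": replayed, "forged": forged,
            "wrong_password": wrong_password, "password_leaked": leaked}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the verified identity URL on the first attempt, `None` for the replayed and tampered assertions and for the wrong password, and `password_leaked` as `False`: the relying party only ever sees the request it built and the signed assertion, never the credentials.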

The idea is really interesting because of one special feature: user credentials such as the password are not shared with the consumer, the travelplan.com website. This makes life easier, as you don’t have to remember usernames and passwords for hundreds of websites and can manage with one single identity provider like Google or Facebook. But there are many security issues related to this functionality of OpenID. Some of them are mentioned below:

Phishing attacks:

The website itself could be a phishing site. Users could be redirected to a malicious page containing what looks like a regular OpenID login option. When the user clicks on it, he or she might be redirected to another page that looks very similar to the identity provider’s page (e.g. Google, Facebook). If the user enters the password of his Gmail account in this malicious page, he is at risk of losing security over every one of the other websites he has connected with OpenID, and of course over the identity provider’s site itself.

Man in the middle attacks:

OpenID’s association step uses Diffie-Hellman key exchange, which on its own is subject to interception (man-in-the-middle) attacks. The limitations of DH and the attacks possible on it are therefore all applicable to OpenID as well.

Denial of Service attacks:

In the steps above, notice that two requests are generated: one from the user to the website, and another from the website to the identity provider. There is therefore a high chance of DoS attacks through OpenID if the implementation does not handle this properly, for example by delaying multiple requests coming from one IP, or by the other usual methods used to prevent DoS.
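One way to apply the per-IP throttling the paragraph mentions, as an added example that is not part of the original post: a token-bucket limiter placed in front of the relying party's step-4 request to the identity provider, so that one source flooding the login button cannot make the website generate an unbounded number of upstream requests. The rate and burst values and the request timeline are constructed for the example.

```python
"""Per-source rate limiting of login-start requests at the relying party.
Constructed example; the limits and the request timeline are invented."""
from collections import Counter, defaultdict


class TokenBucket:
    """Allows `burst` requests at once, then refills at `rate` tokens per second."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LoginStartLimiter:
    """Gates the outbound request to the identity provider per client IP,
    so a single source cannot turn the website into a request amplifier."""

    def __init__(self, rate: float = 1.0, burst: int = 5):
        self._buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def should_forward(self, client_ip: str, now: float) -> bool:
        return self._buckets[client_ip].allow(now)


def simulate(requests) -> tuple:
    """Replays (timestamp, ip) events through the limiter; returns per-IP
    counts of forwarded and refused login-start requests."""
    limiter = LoginStartLimiter(rate=1.0, burst=5)
    forwarded, refused = Counter(), Counter()
    for ts, ip in sorted(requests):
        if limiter.should_forward(ip, ts):
            forwarded[ip] += 1
        else:
            refused[ip] += 1
    return dict(forwarded), dict(refused)


def constructed_timeline() -> list:
    """Alice clicks 'login using gmail' three times over 30 s; another source
    sends 50 clicks within half a second (constructed addresses)."""
    alice = [(float(t), "10.0.0.5") for t in range(0, 30, 10)]
    flood = [(100.0 + i * 0.01, "203.0.113.9") for i in range(50)]
    return alice + flood


if __name__ == "__main__":
    print(simulate(constructed_timeline()))
```

With a burst of 5 and a refill of one token per second, Alice's three clicks all reach the provider, while the flooding source gets only its first five requests forwarded and the remaining 45 refused before the website spends anything upstream on them.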

Session related attacks:

When a user uses OpenID, there are many active authenticated sessions in the browser, so attacks like session swapping, CSRF and XSS become possible, making the browser more vulnerable.

Privacy breaching:

OpenID can be a major blow to your privacy. Your OpenID provider can keep track of every single site that you log in to using it, and the protocol doesn’t provide a way to hide this information from the provider.

A few other attacks, such as replay attacks and silent authentication, are also associated with OpenID.

Thus, it is important that users use OpenID only for websites where even a security breach would compromise only minor information. It is also wise to have several identity providers, for example a dummy email account, which can be used through OpenID to log in to websites. That makes your life more secure in the cyber world.



19 thoughts on “Is OpenID secure?”

  1. I am not sure where you are getting your info, but great
    topic. I needs to spend some time learning more or understanding
    more. Thanks for wonderful information I was looking for this information for my mission.

  2. You should consider this factor when you are searching for a Wo – W Leveling Guide.
    Advancing skillsets happens in real-time and is
    based not on experience points but your own knowledge and equipment
    in the game. This results in a structure that ends up working
    like a subscription.

  3. Oh my goodness! Impressive article dude! Thanks, However I am encountering difficulties with your
    RSS. I don’t understand why I cannot join it. Is there anyone else
    having identical RSS issues? Anyone who knows the solution will you kindly respond?
    Thanks!!

  4. My spouse and I stumbled over here different website and thought I may as well check things out.

    I like what I see so now i am following you. Look forward to checking out
    your web page again.

  5. Just want to say your article is as surprising. The clarity to your submit
    is just nice and that i could assume you are an expert on this subject.
    Fine along with your permission allow me to grab your
    feed to keep updated with forthcoming post. Thank you 1,000,000 and please continue the rewarding work.

  6. What’s Going down i am new to this, I stumbled upon this I’ve discovered It absolutely helpful and
    it has helped me out loads. I am hoping to contribute & assist
    different users like its helped me. Great
    job.

  7. This is very interesting, You’re an excessively professional blogger.
    I’ve joined your rss feed and stay up for in the hunt for extra of your fantastic post.
    Also, I have shared your website in my social networks
