9.11.2007

OpenID - New Threat or Misdirection?

My friend Ivan aimed me here. Suffice it to say this post (and its myriad of contributors) has illuminated OpenID's risks far better than I could.

But I have to ask, (this one's for you, Ivan), why ALL the incredible attention to OpenID, when the largest bank in the US continues to foist upon its customers commercial security snake oil that remains susceptible to MITM. It has now compounded its sins by adding "mobile authentication" as yet another mechanism by which you, the hapless victim, are "assured" your transaction is safe despite being routed through a man-in-the-middle.

The security principle this "security technology" violates is the registration principle: authentication requires prior registration of the user and credentials in a channel distinct from the authentication channel. Registering a "new" computer in the same channel in which authentication occurs enables MITM - which this video demonstrates.

In "fairness," what do you, the user, have to do wrong for this vulnerability to be exploited?
  1. You don't validate the SSL session (and its certificate) for the site you've been routed to. If you click through the SSL warning (certificate not recognized, or doesn't match the URL), you've done wrong. But if you type https://www.bofa.com instead of https://www.bankofamerica.com, your browser will tell you the certificate might be bogus - and you'll click through anyway because it looks like BofA. Doesn't it?
  2. You enter your username, but the site says it doesn't recognize your computer and asks you the name of your favourite poodle (or whatever challenge phrase you've established). You logged in from this computer yesterday, but what the heck - maybe BofA is confused. You answer "Fifi." You've done wrong. It didn't recognize you because you were communicating with a "zombie," which in turn was communicating with your bank as if it were you. You've just registered the zombie as an authorized device for your account and didn't even know it. Of course, "adaptive security" will limit the number of accounts that can be registered from one zombie. But how many zombies are needed to clean out your account? (Answer: 1)
  3. After "re-registering" your computer, which might legitimately happen if you've cleared your cookies, for example, your bank shows you the picture of the emperor penguin you previously selected as your authenticating penguin. You believe this "proves" you're talking to your bank. You've done wrong. The lawyers will claim it DOES prove you're talking to your bank. The problem is that it DOESN'T PROVE you're not talking through a THIRD PARTY who has just acquired enough data to electronically transfer money out of your account, up to the daily limit, every day until either you notice the strange withdrawals or your account is overdrawn when your mortgage check hits.
How do you do right?
  1. Validate certificates in an SSL session. Check that your browser is using an SSL URL like https://... NOT http://... and that the certificate is recognized by the browser and was issued for the site you meant to visit.
  2. Learn how SSL works. Talk to your friends about it. Discuss it at dinner with your kids. Bring it up at your church group. Don't expect others to know what you do not. There's nothing wrong with not knowing how to lock your door. But going on vacation and leaving your valuables inside without this knowledge is just foolish. Ask until someone can answer in a way you can understand.
SSL is neither convenient, simple, nor consumable. But whoever said holding on to money was?
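The three "done wrong" steps above, and the certificate check under "How do you do right?", as an added Python simulation that is not part of the original post. No real bank protocol is modelled; the hostnames, CA names, challenge answer, password and device identifiers are all constructed for the example. The bank registers an "unrecognized" computer by asking a challenge question in the same session it then authenticates, a zombie relays that dialogue and ends up registered, and a client that refuses to proceed when the certificate does not match the intended host never reaches that point.

```python
# Added example (not from the original post). Everything below is constructed.
BANK_HOST = "www.bankofamerica.com"   # the host the user intends to reach
TRUSTED_CAS = {"Example Root CA"}     # constructed trust store


class Cert:
    def __init__(self, subject, issuer):
        self.subject, self.issuer = subject, issuer


class Bank:
    """Site that 'registers' a new computer via a challenge question in-band."""

    def __init__(self):
        self.cert = Cert(BANK_HOST, "Example Root CA")
        self.users = {"alice": {"challenge": "Fifi", "image": "emperor penguin",
                                "password": "hunter2"}}
        self.devices = {}      # device_id -> username (registered computers)
        self.next_id = 1

    def login(self, username, device_id, answer_challenge, give_password):
        """Dialogue with whoever holds the other end of the connection."""
        user = self.users[username]
        if self.devices.get(device_id) != username:
            # Unknown computer: the challenge is asked in the SAME channel, and
            # a correct answer registers the *connecting* party's device.
            if answer_challenge() != user["challenge"]:
                return None
            device_id = "dev%d" % self.next_id
            self.next_id += 1
            self.devices[device_id] = username
        # Show the chosen image; the party shown the image then sends a password.
        if give_password(user["image"]) != user["password"]:
            return None
        return {"device_id": device_id, "image": user["image"]}


class User:
    def __init__(self, name, answer, password, image, check_cert):
        self.name, self.answer, self.password, self.image = name, answer, password, image
        self.check_cert = check_cert
        self.device_id = None   # cookie handed back by the last successful login

    def answer_challenge(self):
        return self.answer      # "Fifi" - whoever asks, in whatever session

    def give_password(self, image):
        # The penguin looks right, so the user believes this is the bank.
        return self.password if image == self.image else None

    def connect(self, server):
        """Open a session to `server`, intending to reach BANK_HOST."""
        if self.check_cert:
            cert = server.cert
            if cert.subject != BANK_HOST or cert.issuer not in TRUSTED_CAS:
                return None     # the "do right" step: refuse, don't click through
        result = server.login(self.name, self.device_id,
                              self.answer_challenge, self.give_password)
        if result:
            self.device_id = result["device_id"]
        return result


class Mitm:
    """Zombie between the user and the bank, relaying both directions."""

    def __init__(self, bank):
        self.bank = bank
        self.cert = Cert("www.bofa.com", "Bogus CA")   # look-alike name, untrusted issuer
        self.device_id = None     # becomes a registered device after one relayed login
        self.captured = {}

    def login(self, username, _user_device, answer_challenge, give_password):
        def relay_password(image):
            self.captured["image"] = image          # real penguin, forwarded unchanged
            password = give_password(image)         # user types the real password
            self.captured["password"] = password
            return password
        # The bank sees the MITM's (unknown) device and asks the challenge; the
        # MITM forwards the question to the user, who answers it.
        result = self.bank.login(username, self.device_id, answer_challenge, relay_password)
        if result:
            self.device_id = result["device_id"]    # zombie is now "alice's computer"
            self.captured["username"] = username
        return result

    def drain(self):
        """Later, with no user present: known device, so no challenge is asked."""
        return self.bank.login(self.captured["username"], self.device_id,
                               lambda: None, lambda _image: self.captured["password"])


def demo(check_cert):
    bank, alice = Bank(), User("alice", "Fifi", "hunter2", "emperor penguin", check_cert)
    mitm = Mitm(bank)
    direct = alice.connect(bank)        # honest session: alice's own computer registered
    relayed = alice.connect(mitm)       # same dialogue, routed through the zombie
    alone = mitm.drain() if mitm.device_id else None
    return {"direct_ok": direct is not None,
            "relayed_ok": relayed is not None,
            "zombie_registered": mitm.device_id in bank.devices,
            "attacker_alone_ok": alone is not None}


if __name__ == "__main__":
    print("click-through user:", demo(check_cert=False))
    print("certificate-checking user:", demo(check_cert=True))
```

Run it and the click-through user gets a perfectly normal-looking session (challenge answered, penguin shown, login succeeds) while the zombie walks away registered and able to log in alone; the only thing that stops it is refusing the session before the username is ever sent, which is exactly where the certificate check sits.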

SSL can provide real security. That other stuff is a digital platitude of the deceptive kind.

Cheers!
