
Re: [Savannah-users] OpenID security


From: Davi Leal
Subject: Re: [Savannah-users] OpenID security
Date: Sat, 1 Aug 2009 13:50:19 +0100
User-agent: KMail/1.9.9

Hi Beuc,

Sylvain Beucler wrote:
> > Read http://en.wikipedia.org/wiki/OpenID#Security_and_phishing . Please
> > read the references too. You ask for information, so read and understand all
> > of them.
> >
> > That is because a private and encrypted communication channel (VPN) is
> > the best way to avoid these issues.
> >
> > With the VPN you avoid man-in-the-middle attacks.  There are lots of
> > attack paths, the basic one being based on the DNS service weakness.  I
> > hope I do not have to explain all the security knowledge involved because it
> > is a lot to write.
>
> The Wikipedia page mentions _phishing_ "man-in-the-middle" as an issue
> but says nothing about traditional/network man-in-the-middle
> attacks.

Traditional and non-traditional attacks?  What do you like more, traditional 
or non-traditional guns?  All of them can kill you, and the ones which matter are 
the ones which can kill you.  In the guns case, all of them, if rightly used.

> I don't think a VPN helps in this case? 

I will not try to make a point in favor of VPN because it could be a 
waste of my time; instead I will waste your time asking: Why do you think a 
VPN does not help in this case?

Did you read and _understand_ all the references too?  Anyway, you are not 
forced to read the information I point to; it would be even better if you carried 
out your own _complete_ analysis.


> > Do you know any bank which offers OpenID as an authentication mechanism?
> > Do a good analysis, please.
>
> BNP Paribas considers the birth date as confidential information for
> their "3D Secure" system - they are not the best example.
> http://www.ecommerce404.fr/2008/09/3d-secure-et-les-differentes-banques/
>
> They are, too, vulnerable to phishing - but who isn't?

The more attack paths, the weaker the system is. This is a security principle.

Why use OpenID if using it means we add more attack paths?  Why not use 
a solution which does not add any additional path of attack?
