OpenID SSO Everywhere!

24 06 2008

UPDATE: In TechCrunch this morning there’s a post about Microsoft accepting OpenID for their HealthVault beta. They note that Microsoft is only utilizing two OpenID providers, TrustBearer and Verisign, for authentication. The reason, of course, is security.

HealthVault is obviously a product that will store highly sensitive information and will likely be regulated in some ways. This simply reaffirms my concerns in this post from February. As a relying party of OpenID, you do not have insight into what security measures are taken into account for authentication. Microsoft had to perform their own due diligence and then make a manual determination on which providers they would rely on.

Simon Willison says this is a good thing in his latest blog post here. While I somewhat agree, I think the adoption of OpenID would be greater if there were a more programmatic approach to this. As a relying party, I would not want to perform due diligence on every provider out there and then limit my users based on a point-in-time review. Read more below regarding my earlier thoughts this year on metadata. Could it be that my crystal ball is actually working? :-)

Original post (2/14/2008) begins here: Over the past few weeks OpenID has gained a lot of support and momentum from some very big sites. Last week the OpenID Foundation added Google, Microsoft, IBM, Verisign, and Yahoo! to its corporate board. A number of sites have come out supporting OpenID, mainly as identity providers. While it’s clear OpenID is getting a lot more support and use across the net, I would like to see more web applications ACCEPTING (relying party) OpenID. Much like the plethora of social sites cropping up on the web, everyone wants to be an identity provider and own the identity and profile data of the user.

So I’ve been meaning to dig deeper into OpenID for several months and write about my findings, but as usual my life had other priorities. After finally getting around to it, I must say I’m fairly impressed. Simon Willison has a great slidecast of his presentation last year at the Future Of Web Apps here. There were a number of ideas presented on various uses of OpenID that had not even crossed my mind. For those of you thinking OpenID = SSO (like the title of this entry), it’s so much more than that. I highly encourage you to watch the presentation.

That said, there are a few issues with OpenID, some of them discussed by Simon at the end of his presentation. One that was not discussed, and that still bothers me, is the lack of metadata about OpenID identity providers. One enhancement that I believe would really expand the use of OpenID across the web would be metadata associated with the identity provider. Right now, as a site that accepts OpenID, I have no ability to understand the authentication rules the user had to abide by with its identity provider. While you may say that’s up to the user to decide (and you’d be right, mostly), if I require a certain level of security for my web application for whatever reason, I would like to understand what rules the identity provider made the user play by. Perhaps I am regulated on how my users authenticate to my application; this shouldn’t necessarily preclude me from accepting OpenID (it would today).

If OpenID providers published metadata on their authentication rules, a site could then choose whether or not to accept the OpenID for authentication. Perhaps there could even be various security levels for OpenID providers (just thinking out loud). I could see an ecommerce site that stores additional sensitive information within a user profile requiring a certain level of authentication rules from OpenID providers. Financial, trading, and tax sites would require even tighter rules. Right now the competition in the OpenID provider market should help: users given a number of choices for providers can choose one that protects them against phishing etc. (although given a choice, a user may choose a provider with less complex authentication rules).
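To make the relying-party side of this concrete, here is an added example (not code from the original post, and not an OpenID library) of the acceptance decision the post describes: a manually vetted list, as Microsoft used for HealthVault, combined with a programmatic check of provider-published metadata, so that a provider the site has never reviewed can still be accepted if its declared controls meet the required level. The metadata document format, its `auth_controls` vocabulary, the provider URLs and the three assurance levels are all assumptions constructed for this example; the OpenID Provider Authentication Policy Extension later standardised a similar idea with its own vocabulary, which this example does not use. Metadata documents are embedded inline so the example runs offline.

```python
"""Relying-party acceptance policy for OpenID providers (added example).

Assumptions: providers publish a small JSON metadata document listing the
authentication controls they enforce; the relying party maps those controls
to an assurance level and combines the result with its own manual review.
Field names, control names, levels and provider URLs are hypothetical.
"""
import json

# Constructed sample metadata, keyed by provider endpoint (hypothetical URLs).
# In a real deployment this would be fetched from the provider and its
# authenticity verified; here it is embedded so the example runs offline.
PROVIDER_METADATA = {
    "https://op.example-a.test/": json.dumps(
        {"auth_controls": ["password", "password_policy", "phishing_resistant"]}
    ),
    "https://op.example-b.test/": json.dumps({"auth_controls": ["password"]}),
    "https://op.example-c.test/": "not json at all",  # malformed publication
}

# Assurance levels (assumption): a provider earns the highest level whose
# required controls are all present in what it declares.
LEVELS = [
    (3, {"password_policy", "phishing_resistant", "multi_factor"}),
    (2, {"password_policy", "phishing_resistant"}),
    (1, {"password"}),
]


def level_from_metadata(doc: str) -> int:
    """Assurance level a provider earns from its metadata; 0 if unusable."""
    try:
        controls = set(json.loads(doc)["auth_controls"])
    except (ValueError, KeyError, TypeError):
        return 0  # missing or malformed metadata earns nothing
    for level, required in LEVELS:
        if required <= controls:
            return level
    return 0


def accept_provider(provider: str, required_level: int, *,
                    vetted=frozenset(), blocked=frozenset(),
                    metadata=PROVIDER_METADATA) -> tuple:
    """Decide whether to accept assertions from `provider`.

    Order of precedence: explicit deny list, then the manually vetted list
    (the point-in-time review), then the programmatic metadata check.
    Providers with no usable metadata are unknown and therefore rejected.
    """
    if provider in blocked:
        return False, "provider on deny list"
    if provider in vetted:
        return True, "manually vetted (point-in-time review)"
    doc = metadata.get(provider)
    if doc is None:
        return False, "no metadata published; treated as unknown"
    level = level_from_metadata(doc)
    if level >= required_level:
        return True, f"metadata level {level} meets required level {required_level}"
    return False, f"metadata level {level} below required level {required_level}"


if __name__ == "__main__":
    for op in sorted(PROVIDER_METADATA) + ["https://op.unknown.test/"]:
        print(op, accept_provider(op, 2))
```

The point of the precedence order is that the manual review and the metadata check complement each other: a provider the site has vetted by hand is accepted even if it publishes nothing, while a provider nobody has looked at is accepted only when its published controls clear the bar, and silence is treated as failure rather than as a pass.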

Overall, OpenID is a really good idea, but I think it requires a few enhancements to expand its use beyond the social and email sites that seem to make up the majority of its use today. What do you think? Are you using OpenID today? I’d love to hear your thoughts in the comments section of this blog (which also acts as one of my OpenIDs, by the way) or send me an email.






White List vs. Black List

17 06 2008

Jeremiah Grossman posted an entry on his blog yesterday about why most WAFs are not currently implemented in blocking mode. To steal from Jeremiah, who borrows from Dan Geer:

“When you know nothing, permit-all is the only option. When you know something, default-permit is what you can and should do. When you know everything, default-deny becomes possible, and only then.”

I think both Jeremiah and Dr. Dan are right on with their analysis. In fact, I would take this a step further and say this is ultimately how developers end up deciding whether to use a black list or white list approach when doing things like input validation. If you cannot fully document and articulate EVERYTHING about your site(s), it becomes impossible to create a valid whitelist. Knowing and understanding the majority of your site allows you to create a fairly effective black list, and of course, if you know nothing about your site, you must allow all and pray.
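The input validation case in the paragraph above, as an added example (not code from the original post): a deny-list validator that rejects only the characters someone already thought of, beside an allow-list validator that accepts only what the site’s documented rule for a username describes. The username rule (3 to 32 characters, lowercase letters, digits and underscore, starting with a letter) and the sample inputs are constructed for this example; the rule stands in for the “know everything” condition, since you can only write the allow list once you can state it. A third validator shows that an allow list written with `^...$` still lets a trailing newline through, because `$` matches before a final newline in Python regular expressions, which is why `fullmatch` is used in the correct version.

```python
"""Deny list vs. allow list for a username field (added example).

Each sample is labelled with whether it is valid under the documented rule
(constructed for this example): 3-32 chars, [a-z0-9_], starting with a letter.
"""
import re

# Constructed samples: value -> valid under the documented rule?
SAMPLES = {
    "alice": True,
    "bob_99": True,
    "<script>": False,      # on the deny list, so both approaches catch it
    "alice;rm": False,      # nothing on the deny list, still not a username
    "%3Cscript%3E": False,  # encoded form contains no denied character
    "alice\n": False,       # trailing newline: the classic '$' anchor mistake
    "Alice": False,         # uppercase is outside the documented rule
}

DENIED = set("<>'\"")


def denylist_valid(value: str) -> bool:
    """Reject only what we already know is bad; everything else passes."""
    return not (set(value) & DENIED)


def naive_allowlist_valid(value: str) -> bool:
    """Allow list with a hole: '$' matches just before a trailing newline."""
    return re.match(r"^[a-z][a-z0-9_]{2,31}$", value) is not None


USERNAME = re.compile(r"[a-z][a-z0-9_]{2,31}")


def allowlist_valid(value: str) -> bool:
    """Accept only what the documented rule describes; fullmatch anchors both ends."""
    return USERNAME.fullmatch(value) is not None


def misclassified(samples=SAMPLES) -> dict:
    """For each validator, the sorted list of samples it gets wrong."""
    validators = {
        "denylist": denylist_valid,
        "naive_allowlist": naive_allowlist_valid,
        "allowlist": allowlist_valid,
    }
    return {
        name: sorted(s for s, expected in samples.items() if fn(s) != expected)
        for name, fn in validators.items()
    }


if __name__ == "__main__":
    for name, wrong in misclassified().items():
        print(f"{name}: {len(wrong)} wrong -> {wrong!r}")
```

Running it shows the deny list accepting four of the seven samples it should not, the naive allow list accepting only the newline case, and the anchored allow list agreeing with the rule on every sample. The deny list is not wrong about anything it lists; it is wrong about everything it does not, which is exactly the “know something” position in the quote.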

To read a much more in-depth explanation of how this plays out in security, check out Dr. Dan Geer’s book. He delves into one of this blog’s favorite topics, the economics of information security and the trade-offs associated with it. Happy Reading!






Front Range OWASP Conference

23 05 2008

Quick reminder that registration is now open for the Front Range OWASP conference in Denver and it’s free. Conference page here. Register here.





My New Browser!

15 05 2008

OK, well not quite, I’m going to need an OS X version before I fully switch… but this is REALLY good to see.

Some CS researchers (Chris Grier, Shuo Tang, and Samuel T. King) at the University of Illinois have designed a new browser from the ground up with security in mind. While the new versions of Firefox and IE are beginning to build more security on top of their existing software, they are fundamentally flawed. There is so much tied together with the existing browsers that the trust model is broken.

The number of threats that are at least partially due to how internet browsers are built is getting ridiculous. Whether it is trust issues with plug-ins like Flash and RealPlayer, or domain policy issues that lead to cross-site scripting, the number of these vulnerabilities and exploits is piling up. The mere fact that malware can be downloaded, installed and started simply by opening a web page with a browser is a great indication that the situation is completely out of hand. According to the paper, there were 205 reported security vulnerabilities within the major browsers and an additional 301 security vulnerabilities within various browser plug-ins within the past year. The current browsers, for all intents and purposes, are broken.

The OP web browser partitions itself into subsystems and enforces security policies within the small kernel. This is very much how operating systems are designed, which means that even if a plug-in is compromised, the browser is not. To quote the abstract:

“To show the utility of our browser architecture, we design and implement three novel security features. First, we develop novel and flexible security policies that allows us to include plugins within our security framework. Our policy removes the burden of security from plugin writers, and gives plugins the flexibility to use innovative network architectures to deliver content while still maintaining the confidentiality and integrity of our browser, even if attackers compromise the plugin. Second, we use formal methods to prove that the address bar displayed within our browser user interface always shows the correct address for the current web page. Third, we design and implement a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks. If an attacker is able to compromise our browser, we highlight the subset of total activity that is causally related to the attack, thus allowing users and system administrators to determine easily which web site lead to the compromise and to assess the damage of a successful attack.”
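The architecture sketched above (subsystems that only talk through a small policy-enforcing kernel, plus a causal log for post-mortem analysis), as an added toy model that is not code from the OP browser project. The subsystem kinds, message shape, policy rules and the scenario are assumptions chosen to illustrate the three properties the abstract lists: the kernel assigns each subsystem its origin label rather than trusting what the subsystem claims, per-origin storage cannot be read across origins even by a compromised plugin, only page instances may drive the address bar, and every message is logged with a parent link so the activity causally related to a given message can be pulled out afterwards. The origins and URLs in the scenario are constructed.

```python
"""Toy model of a partitioned browser with a policy-enforcing kernel (added example).

Assumptions: three subsystem targets (storage, network, ui), two subsystem
kinds (page, plugin), and a policy where storage is partitioned per origin
and only pages may navigate. None of this is the OP browser's real code.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    sender: str                 # subsystem id issued by the kernel, e.g. "plugin:https://shop.test"
    target: str                 # "storage" | "network" | "ui"
    action: str                 # "get" | "set" | "fetch" | "navigate"
    args: tuple                 # action-specific arguments
    parent: Optional[int] = None  # id of the logged message that caused this one


class Kernel:
    """Mediates every interaction; subsystems never talk to each other directly."""

    def __init__(self) -> None:
        self.subsystems: dict = {}      # subsystem id -> (kind, origin)
        self.storage: dict = {}         # origin -> key -> value
        self.address_bar = "about:blank"
        self.log: list = []             # (message, origin label, outcome), append-only

    def spawn(self, kind: str, origin: str) -> str:
        """Create a page or plugin instance; the kernel fixes its origin label."""
        sid = f"{kind}:{origin}"
        self.subsystems[sid] = (kind, origin)
        return sid

    def send(self, msg: Message) -> tuple:
        kind, origin = self.subsystems[msg.sender]  # label from the kernel, not the sender
        mid = len(self.log)
        outcome = self._handle(origin, msg) if self._policy(kind, origin, msg) else "denied"
        self.log.append((msg, origin, outcome))
        return mid, outcome

    def _policy(self, kind: str, origin: str, msg: Message) -> bool:
        if msg.target == "storage":
            return msg.args[0] == origin   # storage is partitioned per origin
        if msg.target == "ui":
            return kind == "page"          # plugins cannot drive the address bar
        if msg.target == "network":
            return True                    # any subsystem may fetch; the result is labelled
        return False                       # unknown target: default deny

    def _handle(self, origin: str, msg: Message) -> str:
        if msg.target == "storage" and msg.action == "set":
            _, key, value = msg.args
            self.storage.setdefault(origin, {})[key] = value
            return "ok"
        if msg.target == "storage" and msg.action == "get":
            return self.storage.get(origin, {}).get(msg.args[1], "")
        if msg.target == "network" and msg.action == "fetch":
            return f"fetched {msg.args[0]} for {origin}"
        if msg.target == "ui" and msg.action == "navigate":
            self.address_bar = msg.args[0]
            return "ok"
        return "denied"

    def causally_related(self, root: int) -> set:
        """Ids of all logged messages descending from `root` via parent links.

        One forward pass suffices because the log is append-only, so a parent
        id is always smaller than the id of the message it caused.
        """
        related = {root}
        for mid, (msg, _, _) in enumerate(self.log):
            if msg.parent in related:
                related.add(mid)
        return related


def run_scenario() -> tuple:
    """Constructed scenario: a page stores a token, then its plugin misbehaves."""
    k = Kernel()
    page = k.spawn("page", "https://shop.test")
    plugin = k.spawn("plugin", "https://shop.test")   # assume it gets compromised
    outcomes = []
    # 0: the page stores its own session token -> allowed
    outcomes.append(k.send(Message(page, "storage", "set",
                                   ("https://shop.test", "session", "tok-123")))[1])
    # 1: the plugin asks for another origin's storage -> denied by policy
    outcomes.append(k.send(Message(plugin, "storage", "get",
                                   ("https://bank.test", "session")))[1])
    # 2: it fetches from a host of its choosing -> allowed, but logged and labelled
    outcomes.append(k.send(Message(plugin, "network", "fetch",
                                   ("http://beacon.example.test/x",), parent=1))[1])
    # 3: it tries to change the address bar -> denied, only pages may navigate
    outcomes.append(k.send(Message(plugin, "ui", "navigate",
                                   ("http://beacon.example.test/",), parent=2))[1])
    return k, outcomes, k.causally_related(1)


if __name__ == "__main__":
    kernel, results, related = run_scenario()
    print(results, sorted(related), kernel.address_bar)
```

The post-mortem query `causally_related(1)` returns the plugin’s three messages and not the page’s legitimate storage write, which is the “subset of total activity that is causally related to the attack” from the abstract; the address bar and the other origin’s storage are untouched because the kernel, not the plugin, decides.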

The OP browser currently runs on Linux with KHTML as the layout engine. They plan to create a cross-platform WebKit version and release it to the open-source community. Perhaps Mozilla could help out with this project ;-) .

Go read the paper and let me know what you think.





Two Places You Need To Be

18 04 2008

Register for both now. Hope to see you soon.

  1. The Front Range OWASP Conference
  2. The Workshop on the Economics of Information Security – 2008






Rocky Mountain High

10 04 2008

I have signed up with the OWASP Denver and Boulder chapters to give the opening keynote at the Front Range Web Application Security Summit in June. This is turning into a great event. A lot of excellent speakers are going to be there including Robert Hansen (RSnake) and Mike Zusman.

I am honored to be included in such company and am very much looking forward to it. Watch the site for more updates as I hear rumblings of participation from some additional great web app sec speakers. If you find yourself in Denver on June 10th, definitely try and attend this one.

UPDATE: Jeremiah Grossman from Whitehat Security will be presenting on business logic flaws.






The Attacker’s Perspective

27 03 2008

Bruce Schneier has written a good commentary in Wired Magazine about the security mindset. I have talked about hiring information security people in the past, and how I believe the most important skill set is not any specific technical attribute, but rather how the person thinks. A good security person thinks about the world differently. Just as many engineers grew up taking things apart to understand how they work, good security people often grow up thinking about how to make things perform in ways they were not intended to (or breaking them altogether). They easily see the flaws in everyday items and how to exploit them.

As Bruce writes, they are now attempting to teach this way of thinking at the University of Washington. I think this is a great idea. If this way of thinking becomes more common for graduates, the products they design and build once in the workforce will be much easier for us all to protect and rely on. It’s the difference between bolting on security as an afterthought versus building it in as part of the product in the first place.





Security Now

20 03 2008

Special thanks to Ryan Huber for exposing this gem to me. The Security Now podcast with Steve Gibson and Leo Laporte is chock full of security technology goodness. Go check it out.





More on Security Economics

12 03 2008

The European Network and Information Security Agency has released a study, open for comment, on the economic barriers to information security, found here.

To quote ENISA, the principal objectives of the report are:

  • To identify existing economic barriers for addressing Network and Information Security (NIS) issues in a single, open and competitive Internal Market for e-communication;
  • To assess these barriers’ potential impact on the smooth functioning of the Internal Market for e-communication;
  • To identify and analyse incentives (regulatory, non-regulatory, technical, educational, etc.) for lifting these barriers identified to cause distortion of the smooth functioning of the Internal Market for e-communication;
  • To provide a range of recommendations to relevant actors (decision-makers both at EU and national level, industry, academia, etc.) for policy options, possible follow-up actions and initiatives.






Panel: Security Best Practices

19 02 2008

I wanted to thank the Technology Executives Club for having me participate in their panel on Information Security Best Practices last month. It was a pretty diverse group, each with a unique set of issues to deal with.

They just posted a webcast of the event on their site here. As usual, I met a lot of interesting people and enjoyed myself thoroughly.








