Ben Laurie blathering

22 Jan 2007

OSDL: It's All About Linux

Filed under: General — Ben @ 17:32

The Open Source Development Labs have merged with the Free Standards Group and, in a sudden fit of honesty, admitted that they were never really about open source or free standards by renaming themselves The Linux Foundation.

20 Jan 2007

OpenID and Phishing: Episode II

I do intend to write about mitigation at some point in the near future, but in the meantime points have been raised that I want to respond to.

First, the ridiculous (I hope there’s some sublime somewhere): HeresTomWithTheWeather says

criticizing the openid spec for not addressing phishing seems to be no different than criticizing the ip protocol because it doesn’t provide reliable, ordered data delivery.

Strangely, people want unreliable, unordered data delivery: it’s a useful service, unlike phishing. He goes on to say

this is old news. yawn.

So are murder and children starving to death.

Gary Krall says

A fair bit of time and consideration was given to some of the issues you raised here at VeriSign. Hans Granqvist drove alot of this in the use of Security Profiles.

and Hans Granqvist whines (his own words, I promise)

There have been, since October 2006, a set of defined OpenID security profiles. The lion part of the profiles have been incorporated into the core spec.

Firstly, the really important stuff: Gary, it's “a lot”, and Hans, “the lion’s share”. But seriously, if these address the phishing issue I’m obviously missing something major. From the security profiles document

By agreeing on one or several such security profiles, an OpenID relying party and identity provider can decide the security properties for their mutual OpenID communication before such communication takes place.

Phishing needs security between the identity provider (OP, actually, in OpenID parlance, I wish they’d be consistent) and the user. Can’t really see how security between the RP and the OP is going to address this. How about the “lion’s share” that’s gone into the main document?

A special type of man-in-the-middle attack is one where the Relying Party is a rogue party acting as a MITM. The RP would perform discovery on the End User’s Claimed Identifier and instead of redirecting the User Agent to the OP, would instead proxy the OP through itself. This would thus allow the RP to capture credentials the End User provides to the OP. While there are multiple ways to prevent this sort of attack, the specifics are outside the scope of this document. Each method of prevention requires that the OP establish a secure channel with the End User.

I think this is rather poorly expressed, but clearly describes the attack I have in mind. Almost consistently, it nearly punts on the issue. The one piece of information it adds: “each method of prevention requires that the OP establish a secure channel with the End User” strikes me as unsound, unless you take a rather wide view of the meaning of “secure channel”. There are, for example, zero-knowledge protocols that will not reveal any credentials to a man-in-the-middle, but do not require a secure channel for their execution. In any case, no useful advice is offered, despite claims to the contrary.

My friend, Adam Shostack, muses

It seems to me that if my local software knows who my ID providers are, rather than being told, then the problem goes away?

Indeed, but OpenID’s ground rules are that you should not need local software, and this is the nub of the issue.

Authentication on the web is broken, and has been for a long time. The OpenID fanboys want OpenID to work on any old platform using only standard software, and are therefore doomed to live in the world of broken authentication. This is fine if what you protect with your OpenID is worthless, but it seems clear that these types of protocol are going to be used to authenticate for things of value. Why else would Verisign be in this game, for example? Or, indeed, Microsoft? Or IBM, HP and T-Mobile?

This is the root of the problem: if you want to protect anything of value, you have to do better than existing Web solutions. You need better client-side software. In an ideal world, this would be a standard component of browsers, but it isn’t. Why? Well, the reason is fairly apparent: the best general way to handle this problem is through zero-knowledge proofs. SRP is an often-quoted example, but there are many simpler ones. However, various (already rich) greedy bastards have successfully blocked wide deployment of these protocols in a cynical attempt to profit from patents that (allegedly) cover them. Sad, I think, that the world continues to suffer whilst a few seek a drop in their ocean of money. Since these general (and, I should add, very simple) solutions cannot be deployed, we end up with purpose-specific plugins instead of general-purpose mechanisms.
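To make the claim about zero-knowledge protocols concrete, here is an added example (not from the original post, and not OpenID's, Verisign's or any other party's code): SRP-6a in Python over the 1024-bit group published in RFC 5054, with the client and server exchanging messages only through a relaying man-in-the-middle that records everything it forwards. The username, password and message framing are constructed for the example; SHA-256 and HMAC-SHA-256 are chosen here for the hash and the proof, and the HMAC proof stands in for the RFC's M1. The transcript the relay sees holds the username, A, the salt, B and M1: it contains neither the password nor the verifier v, it cannot be replayed against a fresh challenge, and the relay cannot compute the session key K from it. The two rejections of A or B being 0 mod N are the checks SRP requires; without them a MITM can force a predictable shared secret.

```python
"""SRP-6a over the RFC 5054 1024-bit group, run through a passive relaying MITM.
Username, password and message framing are constructed for this example."""
import hashlib
import hmac
import secrets

# Group parameters as published in RFC 5054 Appendix A (1024-bit safe prime, g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2


def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def H(*parts):
    """SHA-256 over the concatenated byte strings, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(to_bytes(N), to_bytes(g).rjust(len(to_bytes(N)), b"\0"))   # SRP-6a multiplier


def private_x(salt, username, password):
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def register(username, password):
    """Enrolment: the server keeps (salt, v). The password is never sent or stored."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)


def proof(K, *ints):
    """Simplified M1: HMAC under the session key over the exchange values."""
    return hmac.new(K, b"".join(to_bytes(i) for i in ints), hashlib.sha256).digest()


class SRPClient:
    def __init__(self, username, password):
        self.I, self.p = username, password
        self.a = secrets.randbits(256)
        self.A = pow(g, self.a, N)

    def start(self):
        return {"I": self.I, "A": self.A}

    def finish(self, salt, B):
        if B % N == 0:                                   # required check: a zero B
            raise ValueError("bad B")                    # would fix S regardless of x
        u = H(to_bytes(self.A), to_bytes(B))
        x = private_x(salt, self.I, self.p)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(to_bytes(S)).digest()
        return proof(self.K, self.A, B)                  # shows we know x, never x itself


class SRPServer:
    def __init__(self, db):
        self.db = db                                     # username -> (salt, v)

    def challenge(self, I, A):
        if A % N == 0:                                   # required check, same reason
            raise ValueError("bad A")
        self.A, (salt, self.v) = A, self.db[I]
        self.b = secrets.randbits(256)
        self.B = (k * self.v + pow(g, self.b, N)) % N    # v is blinded by g^b
        return {"salt": salt, "B": self.B}

    def verify(self, M1):
        u = H(to_bytes(self.A), to_bytes(self.B))
        S = pow(self.A * pow(self.v, u, N) % N, self.b, N)
        self.K = hashlib.sha256(to_bytes(S)).digest()
        return hmac.compare_digest(M1, proof(self.K, self.A, self.B))


def replay(server, transcript):
    """The MITM later replays Alice's A and M1 against a fresh challenge."""
    first, _, M1 = transcript
    server.challenge(**first)                            # fresh b, so fresh B, u and K
    return server.verify(M1)


def run_through_mitm(username="alice", password="correct horse battery staple"):
    """Client and server talk only via a MITM that records and forwards each message."""
    salt, v = register(username, password)
    server, client = SRPServer({username: (salt, v)}), SRPClient(username, password)
    transcript = [client.start()]                        # everything the MITM sees
    transcript.append(server.challenge(**transcript[0]))
    transcript.append(client.finish(**transcript[1]))
    login_ok = server.verify(transcript[2])
    keys_agree = client.K == server.K
    seen = repr(transcript)
    return {"login_ok": login_ok, "keys_agree": keys_agree,
            "password_in_transcript": password in seen,
            "verifier_in_transcript": str(v) in seen,
            "replay_works": replay(server, transcript)}
```

What this does and does not buy in the OpenID setting: a rogue RP that proxies this exchange never learns the password, so it cannot reuse it at other RPs or at the OP later, which is exactly the exposure complained of in the post below. The proxy is still sitting in the middle of that one session, so the OP's assertion has to be bound to the session (to K, or to the return_to it was issued for) if the proxy is not to walk off with it; the point here is only that the password itself no longer leaks, with no "secure channel" between OP and user beyond the protocol's own messages.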

Finally, if I might go all Slashdot on you for a moment, from the light-at-the-end-of-the-tunnel department, David Recordon of Verisign Labs (and an editor of the OpenID specs) says

we’d love to spend time working with you to figure out what it would take to resolve your issues with the spec. With that said, I really do think that it will come from browser plugins and such.

which is nice. I will accept.

19 Jan 2007

OpenID: Phishing Heaven

Filed under: Crypto,Security — Ben @ 13:22

OpenID announced the release of a new draft of OpenID Authentication 2.0 today. I’m reluctantly forced to come to the conclusion that the OpenID people don’t care about phishing, since they’ve defined a standard that has to be the worst I’ve ever seen from a phishing point of view.

OK, so what’s the problem? If I’m a phisher my goal is to be able to log in to some website, the Real Website, as you, the Innocent Victim. In order to do this, I persuade you to go to a website I control that looks like the Real Website. When you log in, thinking it is the Real Website, I get your username and password, and I can then proceed to empty your Paypal account, write myself cheques from your bank account, or whatever fiendish plan I have today.

So, why does OpenID make this worse? Because in the standard case, I (the phisher) have to make my website look like the Real Website and persuade you to go to it somehow – i.e. con you into thinking I am the real Paypal, and your account really has been frozen (or is that phrozen?) and you really do need to log in to unphreeze it.

But in the OpenID case I just persuade you to go anywhere at all, say my lovely site of kitten photos, and get you to log in using your OpenID. Following the protocol, I find out where your provider is (i.e. the site you log in to to prove you really own that OpenID), but instead of sending you there (because, yes, OpenID works by having the site you’re logging in to send you to your provider) I send you to my fake provider, which then just proxies the real provider, stealing your login as it does. I don’t have to persuade you that I’m anything special, just someone who wants you to use OpenID, as the designers hope will become commonplace, and I don’t have to know your provider in advance.

So, I can steal login credentials on a massive basis without any tailoring or pretence at all! All I need is good photos of kittens.

I had hoped that by constantly bringing this up the OpenID people might take some step to deal with the issue, but they continue to insist on punting on it entirely:

The manner in which the end user authenticates to their OP [OpenID provider] and any policies surrounding such authentication is out of scope for this document.

which means, in practice, people will authenticate using passwords in forms, as usual. Which means, in turn, that phishing will be trivial.
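The attack described above, as an added example that is not part of the original post and not code from OpenID or any provider: a small Python simulation in which the browser, the OpenID provider, an honest relying party and a rogue relying party are in-process objects. The hosts (op.example, forum.example, kittens.example), the claimed identifier and the password are constructed for the simulation; discovery is a dictionary and the OP's signature is a random token, standing in for Yadis/HTML discovery and the real HMAC. The rogue RP does exactly what the spec text quoted in the "Episode II" post above calls a rogue-RP MITM: it performs discovery, then serves the login form from its own host and relays the submission to the real OP. The final function is the check a user agent could only make if it already knew the user's OP, which is what the protocol declines to assume.

```python
"""Simulation of the OpenID rogue-RP proxy attack. All hosts, identifiers and the
password are constructed for this example; nothing here talks to the network."""
import secrets

CLAIMED_ID = "https://alice.example/"            # assumed claimed identifier
PASSWORD = "correct horse battery staple"         # assumed password at Alice's OP


class OpenIDProvider:
    """Stand-in for the user's OP: a password login form plus a signed assertion."""

    def __init__(self, host, users):
        self.host = host
        self.users = users                        # claimed identifier -> password
        self.assertions = set()                   # what this OP has actually issued

    def login(self, claimed_id, password, return_to):
        """Handle the submitted login form; on success issue an assertion for return_to."""
        if self.users.get(claimed_id) != password:
            return None
        sig = secrets.token_hex(8)                # stands in for the HMAC over the response
        self.assertions.add((claimed_id, return_to, sig))
        return {"identity": claimed_id, "return_to": return_to, "sig": sig}

    def check_authentication(self, resp):
        """Direct RP-to-OP verification, as in OpenID's check_authentication mode."""
        return (resp["identity"], resp["return_to"], resp["sig"]) in self.assertions


class Browser:
    """A user who types the password into whatever login form the RP sends them to."""

    def __init__(self, password):
        self.password = password

    def login_via(self, rp, claimed_id):
        page = rp.start_login(claimed_id)         # RP does discovery and sends the UA on
        handler = page["form_handler"]            # whoever served the form receives the POST
        resp = handler.login(claimed_id, self.password, page["return_to"])
        return rp.finish(resp)                    # UA is redirected back to the RP


class HonestRP:
    """Follows the spec: discovery, then redirect the user agent to the OP itself."""
    host = "forum.example"

    def __init__(self, directory):
        self.directory = directory                # claimed identifier -> OP (models discovery)

    def start_login(self, claimed_id):
        self.op = self.directory[claimed_id]
        return {"form_host": self.op.host, "form_handler": self.op,
                "return_to": f"https://{self.host}/finish"}

    def finish(self, resp):
        if resp and self.op.check_authentication(resp):
            return resp["identity"]
        return None


class RogueRP(HonestRP):
    """Same discovery, but serves a proxied copy of the OP's login form from its own host."""
    host = "kittens.example"

    def __init__(self, directory):
        super().__init__(directory)
        self.stolen = []

    def start_login(self, claimed_id):
        self.op = self.directory[claimed_id]
        return {"form_host": self.host, "form_handler": self,   # the form now POSTs to us
                "return_to": f"https://{self.host}/finish"}

    def login(self, claimed_id, password, return_to):
        self.stolen.append((claimed_id, password))            # capture the credential ...
        return self.op.login(claimed_id, password, return_to)  # ... then relay to the real OP


def form_host_matches_op(rp, claimed_id, known_op_host):
    """The check a user agent could make if it already knew the user's OP: was the
    login form served by that host? OpenID assumes no such local knowledge."""
    return rp.start_login(claimed_id)["form_host"] == known_op_host


def run_attack():
    op = OpenIDProvider("op.example", {CLAIMED_ID: PASSWORD})
    directory = {CLAIMED_ID: op}
    alice = Browser(PASSWORD)

    via_honest = alice.login_via(HonestRP(directory), CLAIMED_ID)   # nothing leaks
    rogue = RogueRP(directory)
    via_rogue = alice.login_via(rogue, CLAIMED_ID)                  # works for Alice too ...
    captured = rogue.stolen[0][1]
    # ... but the phisher now holds a password that works at any RP using Alice's OP.
    phisher_as_alice = Browser(captured).login_via(HonestRP(directory), CLAIMED_ID)
    return {"honest": via_honest, "rogue": via_rogue,
            "captured": captured, "phisher_as_alice": phisher_as_alice}


if __name__ == "__main__":
    print(run_attack())
```

The thing to notice is that, from Alice's side of login_via, the honest and rogue RPs are indistinguishable (both log her in), while only the rogue RP ends up holding a password that then works at a different RP. form_host_matches_op only distinguishes them because it is handed the OP's hostname out of band; that is the "local software that knows who my ID providers are" of the Episode II post, and it is precisely what a plain browser with a password form does not have.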

16 Jan 2007

Why I Don’t Trust Tor

Filed under: Civil Liberties,Crypto,Security — Ben @ 15:34

I’ve been widely quoted as saying

“I would not trust my life or even my liberty to Tor”

in a New Scientist article on WikiLeaks. I said this because low-latency systems such as Tor are susceptible to traffic analysis by a strong adversary (such as, say, a government). If I were a dissident in a country with an evil government I would not rely on Tor to protect me from that government. Actually, I should rephrase that: if I were a dissident I would not rely on Tor to protect me.

This is not to say WikiLeaks expects you to rely on Tor, I was commenting in general about the security of Tor, not about the security of WikiLeaks (in the absence of a detailed design, I can’t comment on that).

12 Jan 2007

Google London Open Source Jam v2

Filed under: Open Source — Ben @ 9:54

The second Google London Open Source Jam is upon us! Here’s the invite

Following the success of the first ever Google London Open Source Jam you’ve been invited to the first Google Open Source Jam of 2007, taking place in our London engineering office, on the evening of Thursday January 18th, from 6pm to 9:30pm.

Interested? If this is the first time you are hearing about this event, read on.

If you already know what this is simply jump to the end and sign up to attend.

* What is it?

In a nutshell, it’s a pretty informal evening, we ask developers who have ideas or are already working on them to come and engage others to collaborate and code for your open source project. In a way, it will be like what goes on in the corridors, between sessions at a conference, except without the sessions. So you get to tell others about your idea and get new interested folks to work on your projects.

* Who is it for?

Anyone who wants to work on a fun project. You may have an idea and need more help or are already working on an open source project and want to work with others, or you’d like to get involved in a new open source project and meet like minded developers. Or perhaps you’ve got nothing better to be doing on a Thursday night than hanging around with a flock of opensourcerers and hack.

* What will be there?

Other interesting people to code with. A space to hang around in. Computers and wifi. Oh, and lots of delicious pizza.

* What will happen?

Some people may choose to present a 5 minute lightning talk on what they’re doing. Then little groups will form and people will work together on code! We’ll encourage contributing good things back to open source projects, or maybe the launch of new projects.

* What shall I bring?

The only thing you really need to bring is yourself. If you have a laptop you like to develop on, please bring that too.

* Why is it in the evening?

It’s intentionally on a school-night as that allows many people to attend who would struggle during the day because of their job commitments.

Important details :

* If you want to come, please RSVP by signing up on the Wiki at:

* We have a LIMITED number of spaces available. We’ll be closing reservations as
soon as we hit that limit – sign up now!

* Please let us know if you’ve signed up but can no longer attend as this will free up your space for someone else.

* If you know of someone else you think we should be inviting in the London area, please email us at

When : Thursday 18th January 2006. 6pm – 9:30pm.
Where: Google, Belgrave House 76 Buckingham Palace, Victoria, London SW1W 9TQ

We look forward to seeing you,

7 Jan 2007

To Do Lists

Filed under: Brain Function,General — Ben @ 13:31

I had a revelation about To Do lists.

Every now and then, I reach the point where I have so many immediate tasks that I start thrashing (which is a geek term for what happens when active tasks on a computer exceed its physical RAM capacity, so it spends its entire life swapping things to disk and back to RAM instead of actually doing anything). I’m particularly liable to this when some of the tasks are ones I don’t particularly want to do.

I have a natural tendency to thrash somewhat anyway (other people call it multitasking), so it usually takes me a little while to recognise when I’ve hit this problem. Once I do, I usually decide I need a To Do list. So, sometimes I waste some more time trying to figure out a better way of doing To Do lists, though these days I usually just use OmniOutliner. gtodo is also nice and lightweight, and I use that sometimes.

So, then I put all the things I’m thrashing on into whatever tool it is, prioritise them, and it stops me thrashing. Why? I suspect because once I know I’m not going to forget to do things I can then concentrate on whatever’s at the top of the list (I believe this is the theory behind that fantastically complicated system some people like to use for running their lives whose name I’ve forgotten right now). Anyway, after a while (usually months), I realise I’m thrashing again, and I repeat the whole process.

The fact I have to repeat the process obviously means that at some point I stop using the list. I never remember deliberately doing this, so I suspect I don’t. But why? And this is the revelation: because until my list of current urgent tasks reaches some level, I don’t need a list. Non-urgent tasks I never need a list for, it seems I remember them or they become irrelevant, and, despite the claims of users of the fantastically complicated system, remembering them doesn’t consume vast amounts of my brain.

Also, when I look at abandoned lists, I find they’re full of stuff I didn’t do in the end, and it doesn’t matter. I also find they’ve reached a length where clearly I’m never going to do many of the things on them, so it’s lucky I just kinda forget about them.

When I was a lot younger, I did once make a comprehensive list of everything I had to do on a project. I added up the time it would take and it came to 5 years. I threw the list away. To Do lists seem to always suffer this fate: they grow indefinitely, and eventually (or, in my case, quite rapidly) reach a size where their maintenance cost exceeds their benefit, as well as being, frankly, depressing. So, in short, I’m glad I forget them, but I wish I could recognise my occasional need for them a little sooner.


  • That fantastically complicated system some people like to use for running their lives whose name I’ve forgotten right now is called Getting Things Done (or GTD).
  • The Omni Group, who I love, are working on some kind of widget for doing this stuff called OmniFocus. If it’s like their usual stuff, it’ll rock. But I do hope they recognise users like me, who probably only occasionally need it, and so don’t want to invest a huge (or even small) amount of time in setup – this is why I like OmniOutliner and gtodo – you can go from nothing to a useful list in about 30 seconds flat.
  • Until I had this revelation, I didn’t even realise why I didn’t like the more complex systems – but if you’re only going to use something 5% of the time, you don’t want to spend any time learning it or setting it up. One thing I do miss in every simple system I’ve found is a way to manage dependencies, though.
  • I’ve discovered that certain drugs can suppress my tendency to thrash, in exchange for tunnel-vision single-mindedness. I like this occasionally, but I’m not sure I’d like to live like it. But I can certainly see where Erdös was coming from.

5 Jan 2007


Filed under: Civil Liberties,Digital Rights — Ben @ 7:10

I suspect WikiLeaks is going to be all over the web tomorrow, if it isn’t already.

WikiLeaks is developing an uncensorable version of WikiPedia for untraceable mass document leaking and analysis … We aim for maximum political impact; this means our interface is identical to Wikipedia and usable by non-technical people. We have received over 1.1 million documents so far.

Google it!

Of course, the naysayers say it might be used for evil, and so it shouldn’t exist. The naysayers need to think about the terribly negative social impact of other tools that might be used for evil, like the pencil.

4 Jan 2007

The Shape Of Things To Come

Filed under: Civil Liberties,Digital Rights,Security — Ben @ 15:42

Business Week has an article about the consequences of “medical identity theft”

When Weaver was hospitalized a year later for a hysterectomy, she realized the amputee’s medical info was now mixed in with her own after a nurse reviewed her chart and said, “I see you have diabetes.” (She doesn’t.) With medical data expected to begin flowing more freely among health-care providers, Weaver now frets that if she is ever rushed to a hospital, she could receive improper care—a transfusion with the wrong type of blood, for instance, or a medicine to which she’s allergic. “I now live in fear that if something ever happened to me, I could get the wrong kind of medical treatment,” she says.

So, one of the things NHS Spine enthusiasts keep trying to sell us is how access to all this information will benefit us. Unless it’s someone else’s information, that is, in which case it might kill us instead. Until the Spine gives me a way to control the information it holds, I won’t be able to trust it.

3 Jan 2007

EU Video Madness II

Filed under: Civil Liberties,Digital Rights — Ben @ 18:18

I wrote recently about the EU claiming Linux video was illegal. When I wrote that, I also asked them why they thought that. Apparently it was a statement made in error, so they have revised the FAQ.

On which platforms can I view the live streaming media service of the Council of the European Union?
The live streaming media service of the Council of the European Union can be viewed on Microsoft Windows and Macintosh platforms.

OK, so now it’s not illegal, what possible reason could they have for not supporting free software? I’ve asked.

2 Jan 2007

Soley on Data Spine Opt-out

Filed under: Civil Liberties,Digital Rights,Rants — Ben @ 15:35

My ex-MP, Clive Soley, has a blog. In it, he displays his usual grasp of the important issues

Fine Dan. You opt out of the NHS system as is your proper right but don’t blame me if in an emergency you don’t get the right treatment quickly enough because they have to ask permission to get your record when you’re unconscious!

Anyone who has looked into this even a little bit knows perfectly well that A&E aren’t interested in your medical history, apart from any that’s drastic enough to make you carry a warning about your person. For which, of course, a central database is totally not required. Incidentally, I wrote to my GP asking her to opt me and my immediate family out, which she did without any fuss (see “Big Brother Knows Best“).

In the same post, amazingly

DNA. Any state system of collecting information is always a balance between the usefulness of the information to the individual (see above) and to society and those aspects have to be set against any dangers to overall freedom. As I have already said collection of DNA seems to me to be fairly easily justified.

The advantages are :

1. A very useful way of avoiding some of the wrongful convictions we have seen in the past:

2. A strong deterrent for crimes of extreme violence especially rape and murder:

3. A way of increasing the speed at which an offender can be caught – think how many murders and rape cases in the past could have been cleared up quickly before further offences could be committed.

Funnily enough, there’s no corresponding list of disadvantages.

It reminds me of the one time I interacted with him as my MP. I wrote to him about trespass, which was, at the time, to be criminalised. His response? “Law-abiding citizens have nothing to fear”. Apart, that is, from the ones that were law-abiding yesterday and are criminals today. He also went on to respond to a number of points I had not raised, presumably because I was being fobbed off with a form letter for a campaign that was running at the time.

1 Jan 2007

EU Video Madness

Filed under: Civil Liberties — Ben @ 13:10

The EU thinks it can’t create open source compatible video

On which platforms can I view the live streaming media service of the Council of the European Union?
The live streaming media service of the Council of the European Union can be viewed on Microsoft Windows and Macintosh platforms. We cannot support Linux in a legal way. So the answer is: No support for Linux

WTF? Does anyone know why they think this? Anyway, in the meantime there’s a petition you can sign. I’m not in love with the petition website, but it can’t hurt, right?

I’m not even going to get into why the EU thinks the only platform other than ‘doze and MacOS is Linux…
