Some security advice for our OpenID users

With the recent news about the DNS cache vulnerability, users are more exposed
than ever to potential security attacks, including phishing or pharming attacks,
that apply to OpenID as well as other network systems. For example, the ability
to redirect DNS requests through cache poisoning opens the door to a significant
OpenID security risk: if the OpenID provider is not employing TLS with
server-side authentication — preferably mutual authentication — any affected
DNS server could redirect the client to a pharming site that looks like the
user’s real OP, but is not. If OpenID required transport and authentication over
HTTPS, this would be less of a problem.

In order to limit the risk, we are advising the users of our OpenID@Work
provider to make sure that they follow these guidelines, which might be useful
for others, as well:

  • Make sure that your systems are fully patched.
  • Verify that the DNS server you use (usually provided by your ISP) is
    patched and not subject to DNS cache poisoning. You can verify this at Dan Kaminsky’s web site. If you find that your ISP has not done their job, complain. Loudly.
  • Use certificate revocation lists. These lists contain the serial numbers of revoked certificates and they can be easily consumed by most modern browsers. For the Sun PKI list, just point your browser to http://www.sun.com/pki/pkismica.crl and make sure that your browser refreshes it regularly. Other companies have their own CRLs (e.g. VeriSign’s are here).
  • Be extra careful when accessing your authentication web site: openid.sun.com can easily be mistaken for open1d.sun.com or openid.sun.com.uk.
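As an added example (not code from the original post or from the OpenID@Work service), the following Python script turns two pieces of the advice above into a check a relying party or a browser helper could run before sending a login to an OpenID provider: the TLS point from the introduction (a poisoned resolver can redirect plain HTTP without the browser noticing anything, whereas HTTPS at least forces a certificate mismatch), and the lookalike-hostname point from the last bullet. The trusted-host set, the confusable-character table and the sample URLs are constructed for illustration; the only real hostname used is openid.sun.com from the post.

```python
"""Defensive pre-checks for an OpenID provider (OP) URL.

Added example, not code from the original post. It requires TLS on the OP
endpoint and flags hostnames that look like a trusted OP but are not, e.g.
open1d.sun.com (confusable character) or openid.sun.com.uk (trusted name
embedded in a longer host). Stdlib only, runs offline.
"""
from urllib.parse import urlsplit

# Constructed: the OP hostname(s) the user actually enrolled with.
TRUSTED_OP_HOSTS = frozenset({"openid.sun.com"})

# Constructed: substitutions commonly used to imitate a real name.
# Multi-character entries come first so "rn" -> "m" is applied before "n" alone.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "i"), ("l", "i"),
               ("3", "e"), ("5", "s"), ("7", "t")]


def normalize_host(host: str) -> str:
    """Lower-case, strip a trailing dot, and map confusable characters."""
    host = host.lower().rstrip(".")
    for lookalike, real in CONFUSABLES:
        host = host.replace(lookalike, real)
    return host


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two hostnames signals a near miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_op_url(url: str, trusted=TRUSTED_OP_HOSTS, max_distance: int = 2):
    """Return (verdict, reason). Verdicts: ok, reject, suspicious, unknown."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "reject", "no hostname in URL"
    if parts.scheme != "https":
        return "reject", "OP endpoint is not served over https"
    if host in trusted:
        return "ok", "host matches an enrolled OP"
    for real in trusted:
        if real in host:
            return "suspicious", f"trusted name {real!r} embedded in longer host {host!r}"
        if normalize_host(host) == normalize_host(real):
            return "suspicious", f"{host!r} differs from {real!r} only by confusable characters"
        if levenshtein(host, real) <= max_distance:
            return "suspicious", f"{host!r} is within {max_distance} edits of {real!r}"
    return "unknown", "host is not an enrolled OP and does not resemble one"


if __name__ == "__main__":
    # Constructed sample URLs, including the two lookalikes named in the post.
    for sample in ("https://openid.sun.com/", "http://openid.sun.com/",
                   "https://open1d.sun.com/", "https://openid.sun.com.uk/",
                   "https://example.org/"):
        verdict, reason = classify_op_url(sample)
        print(f"{verdict:10} {sample:32} {reason}")
```

The "unknown" verdict is deliberate: an unfamiliar host is not necessarily a pharming site, so the caller decides whether to prompt the user, whereas "suspicious" and "reject" should stop the login outright. Real deployments would also want IDNA/Unicode confusable handling, which this table does not attempt.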

In addition, we recommend that Sun employees use the corporate VPN for all
sensitive corporate business, and — obviously — not use the experimental
OpenID@Work authentication service, or any OpenID authentication service, for
anything of value.

UPDATE: The Sun PKI CRL is also here, which is the official distribution point for Sun/VeriSign-issued certificates. In addition, these certificates support OCSP verification at http://ocsp.verisign.com.

Ben Laurie and Robin Wilton also published information relating to the weaknesses of OpenID.
