100 discussions - 1,268 posts

  • Hi, php-openid library treats %0A/%0D characters in hostname of an openid endpoint URL as valid and decodes them into special characters \r\n right before making a discovery request to that ...
    Dec 26, 2014 at 12:59 am
    Dec 26, 2014 at 4:06 am
  • Tim, Actually it looks bad. That configuration includes "jwks_uri": "https://www.googleapis.com/oauth2/v2/certs", That JWK has two keys. Calling raw keys "certs" is a curious choice. Both keys are ...
    Manger, James
    Mar 18, 2014 at 6:47 am
    Mar 18, 2014 at 6:47 am
  • OpenID Connect Core 1.0 section 7 "Self-Issued OpenID Provider" looks quite insecure. The subject identifier "sub" (that RPs will use as the identifier for an account) is calculated from a hash of ...
    Manger, James
    Feb 25, 2014 at 6:48 am
    Mar 4, 2014 at 3:49 am
  • Hello list, it has come to my attention that this: http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution ...
    Jan 28, 2014 at 4:47 pm
    Jan 28, 2014 at 4:47 pm
  • Hi Everyone, Google's Security Team suggested to ask this question here. Attacker can perform the following steps: 1) Find an open redirect in some major website that leads to attacker's website (and ...
    Andris Atteka
    Dec 21, 2013 at 9:12 am
    Jan 2, 2014 at 10:17 am
  • -- Alvin Santiago An HTML attachment was scrubbed... URL: http://lists.openid.net/pipermail/openid-security/attachments/20131123/342bde3e/attachment.html
    Alvin Santiago
    Nov 23, 2013 at 9:29 pm
    Nov 23, 2013 at 9:29 pm
  • OpenID 2.0 RPs that allow unsolicited assertions (which Just Works by default for proper OpenID implementations, it seems to me) seem to be vulnerable to an attack. Can anyone confirm or deny what ...
    Andrew Arnott
    Oct 27, 2012 at 12:16 am
    Oct 27, 2012 at 3:08 am
  • Hi -- I'm using python-openid for my RP and Google Marketplace wanted to make sure this implementation is not vulnerable to spoofed, non-signed attributes such as email addresses. See ...
    Mike Sun
    Jul 27, 2012 at 1:54 am
    Jul 27, 2012 at 5:52 pm
  • It seems to me that protecting an RP's return_to URL from XSRF requires effectively breaking the reception of unsolicited assertions. Because in fact an unsolicited assertion is a message from ...
    Andrew Arnott
    Jul 5, 2012 at 1:56 pm
    Jul 5, 2012 at 1:56 pm
  • Hi, I would like to know if there is something coming in the specification about the logout/timeout. If I use an external OpenID provider for authentication in my application, how I can be sure, when ...
    Sylvain Gilbert
    May 4, 2011 at 6:40 pm
    May 6, 2011 at 1:42 pm
  • I wanted to expand the scope of the recent email address as primary identifier exploit and call out the caution so that folks who are currently fixing their RPs can also be aware of another issue to ...
    Andrew Arnott
    Apr 21, 2011 at 2:37 pm
    Apr 21, 2011 at 2:37 pm
  • http://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular The browser vendors blocking ...
    John Bradley
    Mar 24, 2011 at 2:09 pm
    Mar 31, 2011 at 2:08 am
  • Hello, I still can not reach final decision about relation between max_auth_age and requested policies, the more I read specification the more confused I am. Especially I do not know what is proper ...
    Vlastimil Zíma
    Sep 17, 2010 at 1:33 pm
    Sep 17, 2010 at 1:33 pm
  • Every OpenID implementation I have checked this far has contained timing dependent compares in the HMAC verification, allowing a remote attacker to forge valid tokens. In JOpenId: There is a timing ...
    Taylor Nelson
    Jul 13, 2010 at 8:32 pm
    Jul 17, 2010 at 9:01 pm
  • Hello, I have implemented the sample code for the relying party and the provider of the OpenID4Java implementation into three web applications (two RPs and one OP) The redirect and the authentication ...
    Benedikt Schröfel
    Apr 30, 2010 at 2:24 pm
    Apr 30, 2010 at 2:24 pm
  • Hello everyone, I have a few queries that I need to ask. What are the security concerns that should be kept in mind while developing your own OpenID provider and what are the ways to check all the ...
    Jaideep Khandelwal
    Mar 23, 2010 at 11:36 am
    Mar 24, 2010 at 12:48 am
  • Looking at the OpenID best practices (http://test-id.org/RP/IgnoresContentLocationHeader.aspx), I see one part of interest: OpenID Providers are highly recommended to issue HTTPS Identifiers to ...
    Jacob Bellamy
    Dec 8, 2009 at 10:48 pm
    Dec 9, 2009 at 11:25 pm
  • I have some concerns about OpenID, and I would like to see what those involved think about them. It seems to me that, regardless of how OpenID is deployed, it is always possible for an OpenID ...
    Shearer, Charles Dylan
    Dec 8, 2009 at 12:47 am
    Dec 11, 2009 at 5:18 am
  • Just a heads up from something I recently became aware of that impacted older versions of dotnetopenid. The HTTP protocol defines a Content-Location HTTP response header that allows the web server to ...
    Andrew Arnott
    Nov 4, 2009 at 5:45 pm
    Nov 16, 2009 at 9:38 pm
  • Apparently, I'm supposed to this mailing list from this email address. See below. Adam
    Adam Barth
    Nov 2, 2009 at 7:41 pm
    Nov 2, 2009 at 7:41 pm
  • Hi all, Sorry I'm not very knowledgeable on everything that's network related, therefore I apologize if my question is stupid. We're trying to implement a webservice that queries our system for which ...
    Anthony Brassac
    Oct 13, 2009 at 4:07 pm
    Oct 20, 2009 at 6:34 am
  • Allen, There is nothing in the PAPE spec about the OP verifying that auth_age < max_auth_age before returning the assertion. That could lead to a deadlock situation. You and others may see a value in ...
    John Bradley
    Jul 1, 2009 at 9:26 am
    Jul 1, 2009 at 4:30 pm
  • Many websites require users who are already authenticated to re-verify their password before entering a sensitive area. For instance, retailers like Amazon allow users to browse their website in a ...
    Allen Tom
    Jun 30, 2009 at 9:23 pm
    Jul 7, 2009 at 11:04 pm
  • Hi All, I believe that everything in the Security Best Practices document has already been discussed publicly, except for the checkid_immediate "open redirector" issue listed in the OP Best Practices ...
    Allen Tom
    Jun 8, 2009 at 2:11 pm
    Jun 14, 2009 at 9:18 pm
  • Hi All, As part of the OpenID 2.1 Working Group proposal, I've been nominated to edit the OpenID Security Best Practices document, which will be a living document that contains security related best ...
    Allen Tom
    Jun 8, 2009 at 2:03 pm
    Jun 9, 2009 at 7:59 pm
  • Hi. NIST (National Institute of Standards & Technology in the US) maintains a series of documents describing how government security technology must be evaluated and implemented. One of the primary ...
    Nat Sakimura
    May 12, 2009 at 1:31 am
    May 12, 2009 at 8:31 am
  • I've been trying to go from "reasonable security" to "maximum security", and it's driving me up the proverbial wall. Spoofing (of DNS), where SSL is absent, has two forms that I can see: one is to ...
    SitG Admin
    May 8, 2009 at 4:27 am
    May 8, 2009 at 8:30 pm
  • What measures have you implemented to prevent your own database from being hacked? I did not notice any major banks or government bodies ( IE my really important data) using open id, why is this? ...
    Apr 20, 2009 at 9:02 am
    Apr 20, 2009 at 10:13 am
  • Help Unsubscribe VON Reporting Specialist Phone: 802-865-4814, ext. 209 Fax: 802-865-9613 -----Original Message----- From: security-bounces at openid.net [mailto:security-bounces at openid.net] On ...
    Jennifer Michelle
    Feb 10, 2009 at 12:02 pm
    Feb 10, 2009 at 8:02 pm
  • Dear all, I recently started working upon making my site OpenID enabled. When I was having a talk with my friend about this, he pointed to a series of articles on the internet which describe the ...
    Balasubramanian G
    Feb 9, 2009 at 11:02 am
    Feb 10, 2009 at 5:49 pm
  • I have added all the OIDF Security Committee members to this list so that much of our conversation can happen here. Unfortunately, the material we are using right now is not allowed to be ...
    Nat Sakimura
    Jan 21, 2009 at 4:39 pm
    Jan 22, 2009 at 12:39 am
  • Nice to meet you. The controversial phishing issue may be resolved by the following mechanism. With a prescribed mark embedded in a page (like RSS), a Relaying Party (RP) notifies the user and ...
    Sep 17, 2008 at 4:30 am
    Sep 18, 2008 at 3:39 pm
  • Here's my concern: what about sites such as ISP's that aren't providing mass content publication as a service, but merely happen to include "100MB web page at www.oursite.com/~yourusername!"? The ...
    SitG Admin
    Sep 4, 2008 at 12:43 pm
    Sep 5, 2008 at 4:40 am
  • Security Advisory (08-AUG-2008) (CVE-2008-3280) =============================================== Ben Laurie of Google's Applied Security team, while working with an external researcher, Dr. Richard ...
    Ben Laurie
    Aug 8, 2008 at 3:50 am
    Aug 12, 2008 at 2:42 pm
  • (Slightly modified from the version posted to general@; SSH isn't necessary, introducing a web-based interface may expose the site to that attack avenue, but if the interface is tightly restricted to ...
    SitG Admin
    May 31, 2008 at 4:21 am
    May 31, 2008 at 4:21 am
  • Have you seen, that there will be an international identity conference in Switzerland in two weeks? The fourth European conference "Net-ID 2008 - Identity, Trust, Privacy and Security in Europe" ...
    Stefanie Geuhs
    Feb 18, 2008 at 9:27 am
    Feb 18, 2008 at 9:27 am
  • Hi, Here are some first thoughts on OpenID 2.0/d12. I'm not sure if I'm sending them to the correct email address. Feel free to forward elsewhere if needed. Also, I've not yet much experience writing ...
    Jose Kahan
    Nov 23, 2007 at 10:23 am
    Nov 23, 2007 at 7:32 pm
  • Recently this definition of Phishing-Resistant Authentication was proposed: Given the rise of nasty MITM malware, I hope that we all agree that PAPE is not intended to protect the user from malware ...
    Dick Hardt
    Nov 20, 2007 at 1:32 pm
    Nov 20, 2007 at 9:32 pm
  • There was a question on IRC a few nights ago that I couldn't answer and has since been bugging me. I was hoping somebody here would be able to clarify this for me... In reply to an authentication ...
    Trevor Johns
    Nov 16, 2007 at 3:10 pm
    Nov 18, 2007 at 10:36 pm
  • Hi all, I've created another article to help with OpenID security: http://www.thespanner.co.uk/2007/10/17/openid-account-security/ This one discusses account security and raises some points that ...
    Oct 17, 2007 at 1:36 am
    Oct 17, 2007 at 8:36 am
  • Hi all, I've created a proof of concept which highlights the problem of single sign on providers not providing iframe protection and remembering the password. The demo uses a Verisign account (It was ...
    Oct 15, 2007 at 9:02 am
    Oct 23, 2007 at 8:12 pm
  • Hi all, I've done an article on CSRF protection (with demos) which may help you develop your OpenID site. I found many of your sites to be very open to CSRF attacks so please take the time to review my ...
    Aug 23, 2007 at 1:37 am
    Aug 23, 2007 at 8:37 am
  • Hi list, I just had a really fertile talk with Eddy about "IdP reputation", during which I came up with a couple of ideas which I found sound enough to be shared with the community: 1. If an RP is ...
    Dmitry Shechtman
    Jul 19, 2007 at 6:31 am
    Jul 21, 2007 at 10:14 pm
  • Hi all again, I have also released details of a Safari beta vulnerability: www.thespanner.co.uk/2007/06/29/safari-same-origin-hole/ Basically the document.domain property can be manipulated on IE6, ...
    Jun 29, 2007 at 3:09 pm
    Jun 29, 2007 at 3:09 pm
  • Hi all, I have decided to release details of the MyOpenID poc which is available at: http://www.thespanner.co.uk/2007/06/29/openid-security-issues/ The POC no longer works because MyOpenID fixed the ...
    Jun 29, 2007 at 3:03 pm
    Jun 29, 2007 at 3:03 pm
  • Hi list, i am currently implementing (trying to do so) a firefox extension to prevent phishing. Please direct me to somewhere else if there is a better place to discuss this. I would like to actively ...
    Boris Erdmann
    May 11, 2007 at 7:59 am
    May 11, 2007 at 3:12 pm
  • Hi all I have been thinking about 2 possible flaws with OpenID providers, I haven't had time to test any of them however because I've started work on another project. Now they might not even exist or ...
    Apr 17, 2007 at 2:26 am
    Apr 18, 2007 at 9:48 am
  • Hi all I would just like to make this important point as some OpenID servers do not use form tokens at all. Any OpenID server not using some kind of one time form token is insecure. You are creating ...
    Apr 12, 2007 at 3:31 am
    Apr 13, 2007 at 5:43 am
Group: openid-security

Top users

  • Eddy Nigg (StartCom Ltd.): 106 posts
  • SitG Admin: 61 posts
  • Allen Tom: 61 posts
  • Gaz_sec: 58 posts
  • Dick Hardt: 52 posts
  • Dan Lyke: 48 posts
  • James A. Donald: 46 posts
  • Ben Laurie: 46 posts
  • Josh Hoyt: 40 posts
  • Recordon, David: 40 posts
  • Martin Atkins: 38 posts
  • John Bradley: 34 posts
  • Dmitry Shechtman: 32 posts
  • Andrew Arnott: 30 posts
  • Chris Drake: 26 posts
  • Pete Rowley: 22 posts
  • Nate Klingenstein: 22 posts
  • Granqvist, Hans: 20 posts
  • Marcin Jagodziński: 18 posts
  • John Bradley: 18 posts