On 6/5/07, Nic James Ferrier <[EMAIL PROTECTED]> wrote:
"Christopher Woods" <[EMAIL PROTECTED]> writes:

> I run my own PHP OpenID server on another of my domains
> (christopher.woods.name - I bought it and failed to have a use for it until
> suddenly I realised it'd make the perfect domain for an OpenID identity :)
>
> However, I've noted that there's already been issues raised amongst the
> blogosphere (and web in general) about security vulnerabilities within the
> authentication mechanism for OpenID, and several proofs of concept have been
> published showing how an attacker can spoof an ID and therefore become
> logged in to any OpenID-based services... I wouldn't really want the BBC to
> solely rely on something like vanilla OpenID where it's already been shown
> to be broken.

What security holes?

I think that what's being referred to is that with some
implementations of OpenID, it's possible to do a replay attack. There
are several libraries which prevent such an attack now (JanRain is
probably the most popular, and uses nonces to prevent replay attacks).

If something else is being referred to, my apologies. :)

- Ciaran.
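As an added illustration of the nonce check Ciaran describes (example code written for this thread, not code from the JanRain library or from any of the posters), here is a relying-party-side replay check over the OpenID 2.0 `openid.response_nonce` field: a nonce is rejected if it is malformed, outside the clock-skew window, or has already been accepted from the same OP endpoint. The in-memory store, the five-minute skew window, and the OP endpoint and nonce values are assumptions and constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone
# OpenID 2.0 response_nonce: a UTC timestamp followed by unique printable
# ASCII characters (no spaces), 255 characters at most in total.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z([\x21-\x7e]{0,235})$")

class NonceStore:
    """Nonces this relying party has already accepted, keyed by OP endpoint.
    Assumption: an in-process store; a real RP would share it via a database."""

    def __init__(self, max_skew=timedelta(minutes=5)):
        self.max_skew = max_skew
        self._seen = {}  # (op_endpoint, nonce) -> nonce timestamp

    def check_and_record(self, op_endpoint, nonce, now):
        m = NONCE_RE.match(nonce)
        if not m:
            return False  # malformed nonce: reject
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        if abs(now - ts) > self.max_skew:
            return False  # stale (or far-future) nonce: reject
        if (op_endpoint, nonce) in self._seen:
            return False  # replay: this exact assertion was already accepted
        self._seen[(op_endpoint, nonce)] = ts
        self._expire(now)
        return True

    def _expire(self, now):
        # Nonces older than the skew window can never pass again, so forget them.
        cutoff = now - self.max_skew
        for key in [k for k, t in self._seen.items() if t < cutoff]:
            del self._seen[key]

def verify_assertion(store, params, now):
    """Replay check on a positive assertion. In a real RP the signature check
    (association MAC or check_authentication) runs first; it is not shown here."""
    if params.get("openid.mode") != "id_res":
        return False
    return store.check_and_record(params["openid.op_endpoint"], params["openid.response_nonce"], now)

def demo():
    """Constructed sample: a fresh assertion, its replay, a stale one, a malformed one."""
    now, store = datetime(2007, 6, 5, 12, 0, 30, tzinfo=timezone.utc), NonceStore()
    op = "https://openid.example.test/server"  # constructed OP endpoint
    fresh = {"openid.mode": "id_res", "openid.op_endpoint": op,
             "openid.response_nonce": "2007-06-05T12:00:00ZAbC123"}
    stale = dict(fresh, **{"openid.response_nonce": "2007-06-05T11:00:00ZxYz9"})
    bad = dict(fresh, **{"openid.response_nonce": "2007-06-05T12:00:00 oops"})
    return [verify_assertion(store, p, now) for p in (fresh, fresh, stale, bad)]
```

`demo()` returns `[True, False, False, False]`: the first assertion is accepted, the identical one replayed a moment later is refused, and the stale and malformed nonces never reach the store.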
-
Sent via the backstage.bbc.co.uk discussion group.  To unsubscribe, please 
visit http://backstage.bbc.co.uk/archives/2005/01/mailing_list.html.  
Unofficial list archive: http://www.mail-archive.com/backstage@lists.bbc.co.uk/