The "No Network is 100% Secure" series
- OpenID -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
What is OpenID?: OpenID is an open standard that allows users to authenticate
(log in) to websites without having to register and create a new account and password
for each site. OpenID is similar to LDAP, NIS, Banyan StreetTalk, Active
Directory Domain Controller and so on that were created decades ago to allow a central
login facility for computing network users. OpenID does essentially the same thing
but for the entire Internet.
Why is OpenID important?: Previously, any time you wanted to apply for a job, post a review and in many cases just visit a web site, you were required to create an account. This meant providing a user name and password that you had to remember. You also had to provide an e-mail address that was frequently spammed and sometimes sold to spammers depending on the trustworthiness of the site. Some sites required numbers and special characters for username and password selections. Other sites did not permit them! What a pain! Moreover, if you use the same password for multiple accounts, as many people do, stealing your password meant that a hacker could do all kinds of damage. And on many sites, obtaining someone's password through trickery is just not that difficult to do. Breaking into Sara Palin's Hotmail account while she was running for Veep was a fairly bush league hack.
OpenID eliminates all of that by implementing a single, centralized, highly secure set of login credentials. Some web site operators still require providing e-mail addresses and so on during the login process, but OpenID can be set to immediately delete any and all information you provide. Sort of like the common practice of automatically deleting cookies when the browser is closed. And importantly, all of this information is being transmitted via very secure SSL.
The OpenID technology also supports various additional authentication methods for the truly paranoid, such as trusted digital identification certificates, tokens and so on. Over the next few years I would expect some type of biometric authentication to become a standard way of life for ID verification and perhaps even when just surfing the web.
What are the security risks when using OpenID?: It's still early and OpenID will certainly make a juicy target for hackers if it really takes hold as I expect it will. Time will tell just how secure and how hack-proof this new methodology is going to be. But based on my initial investigation and testing, OpenID seems to be better and safer than the present practice of creating individual accounts on numerous web transaction servers and hoping that your information isn't snatched by criminals when they hack a web site that contains all of your account information.
At this early stage of the game, only the most forward thinking web sites have implemented OpenID. And only the true computer geeks and early adopters are using it so far. But this is likely to change before long. My guess is that in a year or two, E-mail and browser Identification Certificates and OpenID accounts will be the norm and only the most resistant to change will be without them.
Why should you consider using OpenID?: An OpenID is a way of identifying yourself no matter which web site you visit. It's like a passport or a driver's license for the entire Internet. But, it's even better than that because you can also opt to associate information with your OpenID such as your name and your e-mail address. This means that web sites that take advantage of OpenID won't be asking you for the same information over and over again. You'll also be less at risk of having your personal information misused or stolen.
OpenID greatly simplifies the web site registration and login process. With OpenID you only have to create and remember one username and one password. That's because you log into websites with your OpenID rather than an account that was created for that particular web site. Therefore, your OpenID is the only thing you have to keep secure. Now, you might already use one username and one password for every online site you have an account on, but OpenID lets you do this in a secure way. That's because you only give your password to your OpenID provider, and then your provider tells the websites you're visiting that you are who you say you are. No website other than your provider ever sees your password, so you don't have to worry about an insecure website or a man-in-the middle attack compromising your identity.
OpenID is certainly no less secure than what you use right now. It's true that if someone gets your OpenID's username and password, they can usurp your online identity. But, that's already possible and even likely if you keep doing what you're doing. Huge numbers of trusted web sites have been hacked into and compromised in 2009. And if you had an account on any of them, your identity, credit card numbers and who knows what else might already be in the hands of criminals.
Most websites offer a service to e-mail you your password (or a new password) if you've forgotten it. It is trivially easy to break into someone's account this way. It is much, much more difficult to break into your OpenID account (unless you are tricked into providing your credentials through a phishing ploy).
Regardless of whether you choose to start using OpenID or not, you should be careful about your username and password. When you type your username and password, make sure you're actually on the website you think you are (i.e., check the address). And as always, it's unwise to enter usernames and passwords if you are connected to the Internet using an "untrusted" WiFi connection unless you are positive that it is a very secure, SSL encrypted transaction. Have a look at some of our other related white papers such as DNS poisoning for more information regarding how to ensure that the site you are visiting is legit.
With OpenID am I entrusting my whole identity to one website? : Yes and no. You can certainly have multiple OpenIDs if you like. Each could contain some information about you but not everything, just in case one account is compromised. This ability might make the most paranoid Users sleep a little better. But, that spoils the simplicity of only having one username and password to have to secure. It's also very smart to get your OpenID from a website you trust, and one that you expect to stick around. I used Verisign for mine.
OpenID is still in what I would characterize as the "beta test" stage. I may revisit this white paper after a few months once OpenID goes into "production" mode. Evaluating OpenID providers would probably be premature at this time since I would expect their tools and processes to be a bit buggy and lacking reliability. So far, my experience with Verisign OpenID has been good although I did have to say a lot of magic words over Firefox to get OpenID, one-click logins and the Seatbelt plugin working properly.
Security theater versus actual security: Included in this white paper because insane security theater is commonplace in the United Kingdom. And thanks to "Global Harmoninization", will be coming to a Country near you very soon. Digital identification will help put an end to the mindless determinations made by idiots (hopefully). If nothing else, this section makes for interesting reading and provides a heads-up for what's certain to hit the USA in a year or two.
The insanity begins here - British supermarkets won't accept a British armed forces ID cards as a proof of age, but they will accept foreign ID cards that they cannot read. The student in question's French ID card was not deemed to be sufficient proof of her age for the staff at Sainsbury's Market, even though the chain does accept the card from foreign workers who wish to work in the UK. So you can use your foreign ID card to get a job at Sainsbury's but not to buy a bottle of beer. Bizarre, but predictable when we jumble up credentials and identification, absent any well-formed rules for understanding or verifying them. This is similar to the moronic situation in the USA where undocumented, illegal aliens have no problem working for employers while American Citizens are required to jump through numerous hoops to prove their identity before being hired. Portland, Oregon Police are forbidden by law to even ask drug dealing, homeless, criminal, non-White people for proof of being in the USA legally. However, if I am walking down the street, the Police have every right to ask me for identification, in spite of my Fourth Amendment Rights.
Moving along - Here's a simple UK example: you go to open bank account and the bank asks to see identity, so you show them a passport. If it is a British passport, they can phone a Home Office hotline to see if it is real, whether it has been reported stolen and so forth. If it is, say, a Bulgarian passport, they cannot possibly tell whether it is real or not, so they just photocopy it and file the copy away somewhere. Thus, if you are a criminal then you will always choose to use a Bulgarian passport. Honest citizens are inconvenienced, criminals aren't. This isn't so much security theatre as security pantomime.
The fact is, it's really, really hard for anyone to understand foreign credentials of any kind. There is an amusing story of the mystery Polish serial traffic offender being tracked by the Irish police. It was discovered that the man every member of the Irish police had been looking for - a Mr Prawo Jazdy - was actually Polish for "driving licence" and not the first and surname on the licence. Idiots...
An innocent South Tyneside man was arrested because his MoT certificate was a paler shade of green. Michael Cook, from South Shields, had gone to the Driver and Vehicle Licensing Agency (DVLA) centre in Newcastle to renew his car tax. Staff thought his two-week-old MOT certificate was a forgery because it was a lighter shade than his previous one, and the police were called.
The above examples nicely illustrate a key advantage of digital identity over physical identity. If my reader can't understand your card, that's the end of the discussion. There's a nice binary outcome. When the results depend on human interpretation of shades of grey, the "system" will always throw up crazy outcomes. Of course essential to a functional identity system is a cheap and simple "box" for checking whether the card is valid. You put your French ID card, British Forces ID card or Tesco Clubcard into the box at the checkout and the light goes green or red. That's it. Unfortunately, the currently proposed UK national identity scheme has no provision for rolling out these types of terminals. This might well make crime easier than it is today since no one will be able to tell whether a card they are presented with is real or not. Great plan, huh? :(
If there is no way to quickly and simply check whether a card is real, then it makes the situation worse, not better. And when the "National Identification card" fiasco comes to the USA, don't expect the US Congress to come up with a scheme that's any better than the UK's. And when it gets here, remember where you heard it first....
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principle. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.
Next in the security white paper series:
Are you vulnerable to drive-by exploits?
IT employment challenges of the 21st century
Competency Certifications White Paper
ISO/IEC 27005:2008 Standard for Security Risk Management
High value sites recent hacks
Still more 2009 hacks in the news
Firewall White Paper
Password White Paper
Digital Identification Certificates White Paper
Virus White Paper
Ghostnet White Paper
Cryptography White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Phishing White Paper
DNS Poisoning White Paper
Conficker White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourcing White Paper
Easyrider LAN Pro Consulting services:
Network Security Audit and PC Tune-up service
- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting
Last modified September 16, 2009
Copyright 1990-2009 Easyrider LAN Pro