000000248 001__ 248
000000248 005__ 20130522141948.0
000000248 037__ $$aLERSSE-PRESENTATION-2010-002
000000248 100__ $$aSan-Tsai Sun
000000248 245__ $$aOpenID Security Analysis and Evaluation
000000248 260__ $$c2010-10-21
000000248 300__ $$a24
000000248 520__ $$aOpenID is a promising user-centric Web single sign-on protocol. According to the OpenID Foundation, there are currently more than one billion OpenID-enabled user accounts provided by major service providers such as Google, Yahoo and AOL. In this presentation, I will present OpenID security analysis and the evaluation results on 200 OpenID-enabled websites. Our preliminary result shows that more than 50% of OpenID-enabled websites are vulnerable to cross-site request forgery attack (CSRF) that allow an attacker to modify the victim's account profile information directly; and 75% of evaluated websites allow an attacker to force the victim to login their websites as the attacker stealthily. With additional practical adversary capabilities (e.g., trick users to use a malicious wireless access point or install a malicious browser extension) that enable an attacker to intercept the authentication response from the identity provider, the attacker can impersonate the victim on 65% of OpenID-enabled websites and re-masquerade the victim on 6% of the websites by simply applying the intercepted authentication responses. To the end, I will demonstrate the attack vectors employed in the evaluation process and discuss our proposed countermeasure for the current OpenID-enabled websites and future OpenID specification.
000000248 6531_ $$aOpenID
000000248 6531_ $$aSecurity Analysis
000000248 6531_ $$aSecurity Evaluation
000000248 700__ $$aKonstantin Beznosov
000000248 8560_ $$fsantsais@ece.ubc.ca
000000248 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/248/files/248.pdf$$yTransfer from CDS 0.99.7
000000248 909C4 $$pSan-Tsai Sun and Konstantin Beznosov, "OpenID Security Analysis and Evaluation," presented at the OWASP Chapter Meeting, Vancouver, Canada, October 21th 2010
000000248 980__ $$aPRESENTATION