We have linked to a few of the common threats OpenID poses and will talk more about them in the future. Now, I’d like to address one in particular, which has inspired this post and brought up a very important issue regarding Passpack’s support of OpenID.
Let’s have a look at the problem…
Here’s What Should Happen:
You type your OpenID into Passpack. Passpack directs you to a 3rd party – your OpenID provider. Your OpenID provider authenticates that you are who you say you are and then redirects you to the Passpack Anti-Phishing Welcome Message Page. You verify your welcome message, click on the black box and then you are asked to type your Packing Key.
Here’s What Could Happen:
(*For all intents and purposes, we will call the Provider in this example “Malicious Provider”)
You type your OpenID into Passpack. Passpack directs you to a 3rd party – your OpenID “Malicious Provider”. Your OpenID “Malicious Provider” knows who you are and where you would like to login to – in this case Passpack. The “Malicious Provider” then redirects you to a fraudulent copy of the Passpack Anti-Phishing Welcome Message Page (so you would not see your anti-phishing message). Let’s say you somehow don’t notice that you’re missing your anti-phishing message, or perhaps you haven’t set one up yet (set it up!) – so you click on the black box. Then you type in your Packing Key, and in doing so you have just unknowingly given it to the “Malicious Provider”.
Always, always, always check your anti-phishing welcome message. It is there to protect you. If you do not see it immediately CHECK THE URL and make sure it is https://www.passpack.com. If either one or both of these do not match up, follow the steps on this page.
How Can This Risk Be Avoided?
First off, it’s important to emphasize that before creating an OpenID account, you should always do your research, check implemented security features, and if all this is not common practice for you – go with the brand you know.
It is probable that a single user will end up with various OpenIDs from multiple providers, some well known and some not. This is where things get tricky. With the growing number of OpenID providers, phishing scams are an immediate concern. It will become more and more difficult to understand the intentions of lesser known providers.
If you want to login to Passpack (or any site for that matter) with a lesser known OpenID provider and that provider is actually a Phisher, you can find yourself in a difficult situation. (I by no means intend to imply that lesser known providers are Phishers. This is purely an example of a possible security concern and I use the lesser known sites as a prime example only because it is more difficult to verify their credibility.)
Passpack’s Question To You
Passpack has decided to create an OpenID Whitelist (which we are still putting together). This means that we will only be accepting OpenIDs from certain providers. We know this may be an inconvenience to some of you, especially if you are using an alias OpenID, a work administered OpenID or just an OpenID that you have created for yourself.
For example, if Francesco were to try to login to Passpack with his OpenID openid.sullof.com/me, he too would be denied. So the question is:
A. Passpack recommends and accepts certain OpenID providers and allows no other providers.
B. Passpack recommends and accepts certain OpenID providers, and any others should be used at your own risk.
C. Other suggestions?
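As an added illustration (not Passpack’s own code), here is how a relying party could apply options A and B before ever redirecting the user: the check runs on the provider endpoint that OpenID discovery resolves for the typed identifier, not on the identifier’s own host, since an identifier such as openid.sullof.com/me can delegate to a different provider. The allow-list hosts and endpoint URLs are constructed placeholders, and the https requirement is an added assumption.

```python
from urllib.parse import urlsplit

# Constructed allow-list of OpenID provider (OP) hosts; placeholders, not Passpack's real list.
TRUSTED_OP_HOSTS = {"openid.trusted-provider.example", "id.bigbrand.example"}


def op_host(op_endpoint):
    """Return the lowercased host of the OP endpoint URL that discovery resolved.

    Returns None when the endpoint is not an https URL with a host: an endpoint
    reachable only over plain http cannot be trusted even if its name is listed.
    """
    parts = urlsplit(op_endpoint.strip())
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_trusted(host, trusted=TRUSTED_OP_HOSTS):
    """Exact match or a subdomain of a listed host.

    id.bigbrand.example matches login.id.bigbrand.example but not the look-alike
    id.bigbrand.example.evil.test, because the suffix must start at a dot.
    """
    return any(host == t or host.endswith("." + t) for t in trusted)


def decide(op_endpoint, policy, trusted=TRUSTED_OP_HOSTS):
    """Apply the post's two options to a discovered OP endpoint.

    policy "A": unknown providers are refused (no redirect happens at all).
    policy "B": unknown providers are allowed after the user acknowledges a warning.
    Returns (verdict, host) where verdict is "allow", "warn" or "deny".
    """
    host = op_host(op_endpoint)
    if host is None:
        return ("deny", None)
    if is_trusted(host, trusted):
        return ("allow", host)
    return ("deny", host) if policy == "A" else ("warn", host)


if __name__ == "__main__":
    # Constructed sample endpoints: one listed, one self-hosted, one plain-http.
    for ep in ("https://openid.trusted-provider.example/server",
               "https://self-hosted.example/openid",
               "http://openid.trusted-provider.example/server"):
        for policy in "AB":
            print(policy, ep, decide(ep, policy))
```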
UPDATE: Some great ideas in the comments. Keep them coming!