Stephen Withers
Thursday, 14 August 2008 10:55
Page 1 of 2
OpenID sounds like a great idea - essentially single-sign on for multiple web sites or web applications, without participating sites having to see your credentials. But is it trustworthy and safe in the light of recent revelations concerning a flaw on the DNS system on which it relies?
OpenID lets you use one identity across many sites and was intended to make life easier for Internet users who have signed up at a whole list of sites.
It achieves this by letting you use one name and password for all OpenID-enabled sites, so there's less for you to remember. OpenID has gained broad support from big-name companies including AOL, Google, Microsoft, MySpace, Sun, Wordpress and Yahoo!. Thousands of (predominantly small) sites allow users to log in with an OpenID.
Because the sites don't store those credentials - not even in an encrypted form - a breach at one won't compromise your security at the others as it would if you merely used the same name and password on multiple sites.
So how does the DNS flaw impact OpenID?
Sun corporate architect Robin Wilton has pointed out that OpenID relies on the integrity of the DNS system to connect OpenID-enabled sites with the OpenID identity provider used by a visitor.
A successful DNS cache poisoning exploit would allow an attacker to divert traffic intended for an OpenID provider to a malicious server, allowing the capture of credentials.
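To make the dependence concrete, here is an added illustration (not code from the article or from any OpenID library) of the two steps a relying party takes before it sends the user off to log in: OpenID 1.1 HTML discovery, which yields the provider's endpoint URL, and the DNS lookup of that URL's hostname, which is the step a poisoned resolver cache corrupts. The identifier page, the hostnames and the two resolver caches are constructed samples; the only check the relying party can apply at this point is to flag endpoints that are not HTTPS, since on plain HTTP a diverted connection is indistinguishable from the real one.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the HTML a relying party fetches from the user's
# claimed identifier URL. OpenID 1.1 discovery reads the openid.server
# (and optional openid.delegate) <link> tags from this page.
IDENTIFIER_PAGE = """<html><head>
<link rel="openid.server" href="http://login.example-provider.test/openid">
<link rel="openid.delegate" href="http://alice.example-provider.test/">
</head><body>Alice</body></html>"""

# Constructed resolver caches (documentation address ranges): the second one
# carries a poisoned answer for the provider's hostname.
GOOD_CACHE = {"login.example-provider.test": "192.0.2.10"}
POISONED_CACHE = {"login.example-provider.test": "198.51.100.7"}

LINK_RE = re.compile(
    r'<link\s+rel="(openid\.server|openid\.delegate)"\s+href="([^"]+)"', re.I)

def discover(html):
    """Return (server_url, delegate_url_or_None) from OpenID 1.1 HTML discovery."""
    found = {rel.lower(): href for rel, href in LINK_RE.findall(html)}
    if "openid.server" not in found:
        raise ValueError("no openid.server link on identifier page")
    return found["openid.server"], found.get("openid.delegate")

def provider_host(server_url):
    """The hostname the relying party must resolve before redirecting the user."""
    return urlsplit(server_url).hostname

def assess(server_url, resolve):
    """Classify where the user's credentials will go for a discovered endpoint.
    resolve: hostname -> IP address, i.e. whatever the RP's resolver cache says.
    Nothing in the OpenID exchange itself reveals that the answer was poisoned;
    only an HTTPS endpoint gives the browser a certificate check to fall back on."""
    parts = urlsplit(server_url)
    address = resolve(parts.hostname)
    if parts.scheme != "https":
        return ("plain-http", address)   # diverted traffic goes unchallenged
    return ("https", address)            # attacker also needs a cert for this host

if __name__ == "__main__":
    server, _ = discover(IDENTIFIER_PAGE)
    for name, cache in (("clean cache", GOOD_CACHE), ("poisoned cache", POISONED_CACHE)):
        print(name, provider_host(server), assess(server, cache.__getitem__))
```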
OK, you say, but I'm using HTTPS and I check site certificates, so I'm safe.
Umm, maybe not. Find out why on page two.