Technology news and Jobs 
Information Technology News Warning: DNS flaw spills over to OpenID
Information Technology News Warning: DNS flaw spills over to OpenID | Warning: DNS flaw spills over to OpenID |
|
| by Stephen Withers | |
| Thursday, 14 August 2008 | |
|
Page 2 of 2 Ben Laurie of Google's Applied Security team and Richard Clayton of the Cambridge University Computer Laboratory have found those certificates aren't always reliable.But surely an OpenID provider in that situation would have revoked the weak certificate? Probably - but does your web browser check whether a certificate has been revoked? It seems that for performance reasons revocation lists aren't checked as frequently as they should be from a security perspective, and a newer and more efficient mechanism called OCSP (Open Certificate Status Protocol) isn't as widely used as it would need to be. This doesn't mean OpenID is inherently flawed, just that a lot of the 'plumbing' needs to be checked and if necessary fixed. Should you be worried? Probably not, if like many people your OpenID is only used to make it easy to post comments on other peoples' blogs, and you don't use it anywhere that 'value' or private information is involved. In any case, Laurie and Clayton only identified three providers that had used weak certificates. Nevertheless, it would be wise to check whether your OpenID provider has ever used an weak certificate. The moral of the story is that there are some smart people out there who are remarkably good at connecting the dots. We're lucky that more of them don't use their powers for evil purposes.
Get stories like this delivered daily - FREE - subscribe now
|
Tags
| < Next story in category | Previous story in the category > |
|---|
