Friday, February 16, 2007

AOL OpenIDiocy

While the subject is intentionally inflammatory, I am simply frustrated by how AOL can push a specification into the limelight which makes security worse in its current form. Unfortunately, the hype and ballyhoo which has ushered in the coming of OpenID has largely excluded any intelligent discussion of the security implications outside of the email lists. Now, I'm happy to hear about the integration and use of non-phishable technologies with OpenID (such as Firefox 3.0 & CardSpace), though AOL's decision to move ahead without addressing the array of concerns is rather careless. Even if AOL's intention for the service is as a proof-of-concept or a demonstration, it exposes very real credentials and resources.

To reiterate the security concerns, here's why I won't use an AOL OpenID:

1) It places too much power in the hands of a potentially dangerous website. Instead of sending me to openid.aol.com/sn, I get sent to a similar looking site. In AOL's case, this is painfully easy to pull off given the simplicity of their interface. After naively providing my credentials to the site, all of my attached resources that I consider valuable are compromised. It puts any OpenID protected resource, my AIM account/email (if I used it), and any other resource where I might reuse the same credentials at risk. Now, I don't reuse passwords between resources, but how many people do?


2) It creates OpenIDs for people who don't understand OpenID. I can now create a website that offers a login page that says,

Don't have an OpenID? You do if you have an AIM account! Log in right here:


and continue with my phishing attack. Now such an attack could admittedly happen even outside of the OpenID context, but it immediately taints the (otherwise) good work that has been done in the community. Even with a non-phishing OpenID site, does the average user realize that they're revealing their screen name to the site? Not a pseudonym/unique ID, but the user's actual screen name.
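As an added illustration of points 1 and 2 (not from the original post), here is a check a user-side tool could apply before any credentials are entered: the login redirect must land exactly on the provider host, over https. openid.aol.com is the host named above; every other URL is constructed to show the lookalike shapes the post warns about.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# The only host the user actually intends to authenticate against. openid.aol.com
# is the provider host named in the post; this check assumes it is the sole
# legitimate login host.
TRUSTED_PROVIDER_HOST = "openid.aol.com"

def provider_host(url: str) -> Optional[str]:
    """Host a browser would really connect to for `url`, or None if unusable.

    urlsplit().hostname drops userinfo and port and lowercases; the IDNA step
    turns internationalised labels into punycode so homoglyph hosts cannot
    compare equal to the ASCII provider name.
    """
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. malformed IPv6 literal
        return None
    if parts.scheme != "https":   # credentials must never travel over plain http
        return None
    host = parts.hostname
    if not host:
        return None
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None

def is_trusted_provider(url: str) -> bool:
    """True only when the login redirect lands exactly on the trusted host."""
    return provider_host(url) == TRUSTED_PROVIDER_HOST

# Constructed redirect targets: the genuine host plus the lookalike shapes the
# post warns about (similar-looking sites that harvest the real credentials).
SAMPLES: List[Tuple[str, bool]] = [
    ("https://openid.aol.com/sn", True),
    ("https://openid.aol.com:443/sn?openid.mode=checkid_setup", True),
    ("http://openid.aol.com/sn", False),               # downgraded to http
    ("https://openid.aol.com.example.net/sn", False),  # trusted name as a prefix
    ("https://openid.aol.com@example.net/sn", False),  # trusted name in userinfo
    ("https://openid-aol.com/sn", False),              # near-miss spelling
    ("https://openid.a\u043el.com/sn", False),         # Cyrillic o (U+043E) homoglyph
]

def mismatches() -> List[str]:
    """Sample URLs whose verdict differs from expectation; empty means all pass."""
    return [u for u, expected in SAMPLES if is_trusted_provider(u) != expected]
```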

3) AOL's OpenID login interface does not have human-in-the-loop verification. How many AIM accounts are used by spammers currently? How trivial is it now for that account to be "repurposed" into a blog spamming account for those sites which support OpenID? OpenID's best defense so far to such threats has been the high cost and low return of setting up a spammer-sponsored OpenID provider. AOL's easily automatable interface, complete with innumerable already established dubious accounts, is quite likely to overcome this problem for them and form a blog-spamming haven.

Also, consider that the OpenID mantra has been operating in full promiscuous mode. When blogs start getting spammed, are they going to block all of AOL? Individual users?

4) The concept of having a unique ID on the internet just doesn't suit me, especially when it's my AOL ID. Now, many will say that this is "tin-foil-hat land", though I think this is just as bad, if not worse than, the Intel serial number controversy. Is it really that much worse that you have people actively offering the ID to sites rather than hardware doing it for them? At least the processor offered an obscure ID number with it rather than my AOL screen name!

And, if you think for a second that the fact that you consent to the transaction is any consolation, please refer to point #2 above.

-

There are further questions about the accountability between providers and websites, the ability to perform MITM attacks, and other privacy concerns, but the 4 reasons above should be enough to invoke some critical thinking. Some of these issues are with OpenID, while others are related to AOL's implementation, though all are arguably frightening.

I am not an opponent of OpenID. After the phishing problem is handled, I think that it will be a highly useful tool for authentication to low-value resources (i.e. most of the sites on the internet), especially when you understand the risks and implications. But it's just not ready for prime time yet. Yet with AOL's decision and the hype from the Web 2.0 crowd, it's already on its way there.

I would encourage anyone considering using this technology (either as a client or an implementer) to seriously research the security implications. Even more importantly, AOL should actively offer disclaimers regarding these issues. They're too important to allow a user to fall prey to a nefarious website.
