The other day I started talking a little bit about my experiments with OpenID, a new, portable, and universal authentication scheme for web sites. I’ve been continuing this since then, and have some newer information I want to share with you. Originally, one of my primary concerns was that of security. For general-purpose use, I mentioned that MyOpenID.com seemed to be an all right solution. It is. The problem was that there were still holes that seemed ripe for exploiting, since it was still password based and required nothing special to get into beyond that. But a site called MyVidoop.com (who comes up with these names?) really raised the bar in my opinion (click here to get an OpenID from them). At the end of this blog, there will be a couple of white papers you can download that will have more information on what I’m about to share. So, if you don’t think I tell you what you want to know (girls tell me that all the time), look there. There’s also a short video about how OpenID works.
MyVidoop appears to have been created with the idea of securing OpenID as priority number one (well, making money was probably number one, but security a close second!). And next to MyOpenID, they blow it away. Some of you might be familiar with the kitten captcha. This clever system suggested using image identification as a captcha method in place of current text obfuscation techniques, which are constantly being broken. That introduced the need for human-level cognition to process the form, eliminating most bots from the equation. MyVidoop applied this style of technique to authentication. Instead of a static password you type in each time, you identify 3-5 image groups when you set up your account; then when you log in, you select images from a grid that match your groups. This is connected to a pass key (each image has a letter associated with it) which is never the same twice, since the grid, images, and letters tied to them change on each login. The only static information used in the process is the categories of images, and only you know them. Thanks to other steps, there is no effective way for a bot to glean that information or put it to use.
It’s rather clever, because it inherently defeats two account cracking methods: brute force and keystroke logging. Since the login key is never the same twice, a compromised key does no good. Since it is random each time, there’s no way to brute-force it effectively. But what about phishing? This is where it gets interesting. MyVidoop has created a token-based system for security. If I go to a site to register, MyVidoop will ask me about the computer I am at. It will send a token, either to a predefined email address, or even as a text or voice message to my cell phone! And yes, it’s immediate. You must have this 6-digit token to even be allowed to see the image grid. This makes phishing nigh impossible, since tokens only come to you. It’s also a level of security unheard of with other sites. Even my bank doesn’t personally check with me about a login. Once you have entered the token, you can have it remember the computer for the future (such as a home system or laptop you use frequently) so that you aren’t getting tokens at every single login with a computer you trust. Likewise, there is no way to mount an effective man-in-the-middle attack, because a token is good only once, and you need a human component to work out the categories, assuming you bypassed the token and were able to capture a grid. This login information never leaves the OpenID provider, regardless of who it is. It’s similar to LDAP in that all the web site gets back from the provider is a yes or a no as to whether a person is who they say they are (along with information they require, like an email address, which you say is okay for them to have). At no point are login credentials handled by the originating site.
All in all, this seems quite effective at preventing an ID from being lifted. To emphasize OpenID’s portability, I’ve already changed my server and delegate to point away from MyOpenID to MyVidoop by changing the code in the header of my website (Wordpress has a handy plugin for this called WP-Yadis). I would speculate that eventually, other providers will follow suit to try and keep up. At the moment though, MyVidoop is the only company offering this level of security for your ID.
Like other services, it supports useful features like multiple profiles, and also ID forwarding. Unlike others, they have an affiliate program that will pay you to get others to sign up. That situation is very win-win. They are funded through companies like SmartUSA.com, and have mentioned selling image spots like ads, so Pepsi might show up in the beverages category, or Cessna in airplanes, Fender in musical instruments, etc. Besides funding the site, they pass that back to affiliates (and thank you for that).
Lastly, consider a comparison. Assume that you get an email from a phisher that tricks you into going to their site to log in (tsk, tsk, you should be ashamed for not catching that!). In scenario one, you are using MyOpenID. You go in, and they load up the login screen with a wrapper that logs your password (you did check the URI (Uniform Resource Identifier) of the page you are on, right?). Like any site that requires a static login, they can lift and reuse your credentials. It’s not so much a fault of OpenID as it is of static logins, but it can be worse since OpenID allows access to so much. One password later and you’re compromised. With MyVidoop, first it asks for the token. That gets sent only to you, so the phisher can’t intercept it. Once you use it, it’s done, so if the token is logged, it can’t be used again. You are shown a screen next, with an image grid. You enter the letters matching your image categories. The letters have a random association, so the phisher can’t determine what the connection to the images is, and that key is also only good once, so the phisher can’t reuse it. Even if they capture the grid, human intervention is required to figure out what categories you might be using. These scams usually rely on automated bot systems, so stopping to physically check each grid isn’t cost effective (this would also hold true for trying to do it with a Turk, in theory, if enough people do it). Even if they got the categories, step one, the token, will prevent them from getting to the grid in the future.
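To make the two-step login described above concrete (the token and grid mechanism from the earlier paragraph, and the replay scenario just walked through), here is a small model of it. This is an added example written for this page, not Vidoop’s code; the category names and grid size are constructed, and a text label stands in for each picture.

```python
"""Model of the one-time token + image-grid login the post describes (added
example for this page, not Vidoop's code; category names are constructed).
The only static secret is the user's set of image categories."""
import secrets
import string

# Constructed category pool; a real grid shows pictures, a label stands in here.
CATEGORIES = ["airplanes", "beverages", "boats", "cats", "cars", "clocks",
              "dogs", "flowers", "fruit", "guitars", "birds", "trains"]


def pick_letters(grid, my_categories):
    """User side: the letters shown under their categories, in grid order."""
    return "".join(letter for cat, letter in grid if cat in my_categories)


class LoginServer:
    """Provider side: one-time device token, then a one-time grid challenge."""

    def __init__(self, user_categories, rng=None):
        self.categories = frozenset(user_categories)  # the only static secret
        self.rng = rng or secrets.SystemRandom()
        self.tokens = set()   # issued, not yet redeemed 6-digit tokens
        self.pending = {}     # grid_id -> grid still awaiting an answer

    def issue_token(self):
        """Token that would go to the user's email or phone; returned here."""
        token = f"{self.rng.randrange(10**6):06d}"
        self.tokens.add(token)
        return token

    def redeem_token(self, token):
        """Valid exactly once, so a logged or intercepted token cannot be replayed."""
        if token not in self.tokens:
            return False
        self.tokens.remove(token)
        return True

    def issue_grid(self):
        """Fresh challenge: cells shuffled, each with a distinct random letter."""
        cells, letters = list(CATEGORIES), list(string.ascii_uppercase)
        self.rng.shuffle(cells)
        self.rng.shuffle(letters)
        grid_id = self.rng.getrandbits(64)
        self.pending[grid_id] = list(zip(cells, letters))
        return grid_id, self.pending[grid_id]

    def login(self, grid_id, key):
        """Accept the key only for a still-pending grid; the grid is spent either way."""
        grid = self.pending.pop(grid_id, None)
        return grid is not None and secrets.compare_digest(
            key, pick_letters(grid, self.categories))
```

Because the letters are freshly shuffled per grid, a key captured by a keylogger or phishing page is only ever valid for the grid it was typed against, which is already spent.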
To be fair, other services like MyOpenID do offer an option to use an SSL certificate to log yourself in, which is much better than passwords, but it isn’t the default mechanism and you must dig it out of the Account Settings area to enable it. It’s also only really useful with computers that you use regularly, since the certificate must be installed on the machine. What I would like to see is someone attach OpenID login to one of the PayPal/Verisign style RSA keyfobs.
You’ll notice on the right you can now log in directly with OpenID on this site, and there’s a link there to go get an OpenID from MyVidoop. If you want to get started in OpenID, I’m not sure there’s a better place at the moment. Video and PDFs below.
Vidoop Secure White Paper
Sweet Security, Free for Your Website
I spent last night doing some research that I believe to be worth sharing for those interested in the subject. In an effort to improve the flexibility of this blog, as the announcement above mentions (at least at the time this was written), I now support OpenID. OpenID is a neat new technology that serves as a universal login among sites that support it. Believe it or not, that is more and more places: AOL, LiveJournal, Wordpress.com, and Technorati - they are all currently OpenID providers. That is to say, if you have an account with them, you already have an OpenID you can use elsewhere. It will help streamline things like leaving comments on my blogs, because you can log in without actually needing an account, so no need to fill in multiple fields over and over for anonymous comments.
So anyway, what’s this all about? Well, with us doing more and more online these days, it gets very cumbersome memorizing dozens of logins. With OpenID, a site you wish to log in to can quickly check your identity and grant you access, bypassing all the normal registration steps by retrieving a standard data set from your delegate. Yes, there is obviously a risk here. If someone got your OpenID account, they could get access to your sites. But it’s 100% portable, so if that happened, you could always switch to a new ID (this works especially well if your ID is your own URI (Uniform Resource Identifier), like www.yourname.com). Also, you can use it for non-sensitive things, like forums, where all you really want is a login and password to ask a question or such. In that case, if the ID got hijacked, no actual personal data is lost. The concept is a very neat one to say the least, and it’s gaining a lot of momentum too (the next version of Drupal is including it in its core, and there are addons for most popular CMSes (Content Management Systems), such as WordPress).
It’s certainly worth trying out. You can start an OpenID with lots of sites. I used MyOpenID.com, but there are others like ClaimID, myID.net, or VeriSign’s Personal Identity Provider. Their sole purpose is to manage an identity, and provide a place to authenticate it. The ID is basically a URI, something in the form of yourname.myopenid.com. MyOpenID was good for me because I quickly found documentation on how to use it, and it allows you to set up multiple personas, so that when you log into a site the first time, you can essentially choose what and how much information to let them see. The best primer I found was over at Sam Ruby’s blog, where he goes into the basics of how to set up your OpenID, and also how to use your own URI as one. Absolutely worth reading. Let me repeat, absolutely worth reading. He’s laid out nearly everything you need to know in order to get started.
If you are running your own site, it’s easy to let them manage the login. For instance, sign up with MyOpenID. Then in the template for your site, add this code to the header:
Just swap out “name” for your actual account name. That’s it. What will happen when you go to an OpenID-enabled site (like mine) is that you’ll punch in your site’s URI as your OpenID. The site you’re at will hit yours and look up the server and delegate, which will redirect you to the provider’s login page. Pop in your password and it will send whatever dataset you want to the original site for registration, and then pop you back over there. Sounds complex, but really very simple. If you’re at LiveJournal or something like that and don’t have your own actual hosted site, when you go to an OpenID-enabled site you just type in your LiveJournal address, and it will authenticate you, no extra steps even necessary.
Even better, if you want to be a true master of your own domain, Sam goes on to describe how to create your own OpenID server and delegate for yourself using phpMyID. phpMyID is a single user environment designed for individuals to use their own host to manage their ID. Basically it puts you in total control. If you choose to try it out (remember, OpenIDs are portable, so if you don’t like it, you can easily switch to one of the hosted solutions just by changing the server and delegate href in your header), Sam has some more updated instructions for it. The only problem I have is that you then lack some of the neat features other professional providers are offering, like the personas. It just comes down to how paranoid you want to be. But be prepared for hiccups when installing phpMyID. Particularly, make sure openid.server and openid.delegate hrefs include their trailing slashes, otherwise you’ll get wacky errors with no feedback as to why (and I can’t recall the name of the function now… It had something to do with “naive_”….something or other).
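A small checker for the delegation tags discussed above (the two header links from the earlier paragraph, and the trailing-slash hiccup mentioned here). This is an added example written for this page, not code from the post, WP-Yadis, Sam Ruby’s guide or phpMyID; the provider and account URLs it renders are placeholders.

```python
"""Check the openid.server / openid.delegate <link> tags in a page <head>.

Added example for this page, not code from the post, WP-Yadis or phpMyID. It
renders the two tags with placeholder URLs (constructed) and flags the things
the post says go wrong: a missing tag, a non-absolute href, a missing trailing
slash."""
from html.parser import HTMLParser
from urllib.parse import urlparse

WANTED = ("openid.server", "openid.delegate")


def delegation_header(server, delegate):
    """The two tags to put in your <head>; "name" is your provider account."""
    return (f'<link rel="openid.server" href="{server}" />\n'
            f'<link rel="openid.delegate" href="{delegate}" />')


class _LinkCollector(HTMLParser):
    """Collect the href of every <link> whose rel names an OpenID role."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():
            if rel in WANTED:
                self.links[rel] = a.get("href")


def check_delegation(html):
    """Return the list of problems found (empty list means the header is OK)."""
    p = _LinkCollector()
    p.feed(html)
    problems = []
    for rel in WANTED:
        href = p.links.get(rel)
        if not href:
            problems.append(f'missing <link rel="{rel}">')
            continue
        u = urlparse(href)
        if u.scheme not in ("http", "https") or not u.netloc:
            problems.append(f"{rel}: href is not an absolute http(s) URL: {href}")
        if not href.endswith("/"):
            problems.append(f"{rel}: href lacks its trailing slash: {href}")
    return problems
```

The trailing-slash check reflects the phpMyID advice in this post; a hosted provider may publish a server URL without one, so treat that finding as a warning when checking their documented values.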
My big concern at this time is security. I’m not entirely sure what prevents a potentially nefarious site from playing a monkey in the middle and sniffing out your information. Although running your own ID server and paying attention to where you’re signing on would go a long way towards preventing that. And regardless, I am already finding mine handy for the simple purpose of leaving comments on friends’ blogs who are on networks where I don’t have an account. That alone is a big advantage and not exactly a security risk to me. I hate going through the hassle of signing up for accounts I’ll never use beyond commenting or such, so this sells itself well.
Yahoo, MSN, Google, and lots of other sources are playing with it too, in different ways. So this is far from some wacky, half-cocked new technology. It’s sort of like Microsoft’s Passport system, except way more powerful. Go give it a good once-over, it might come in handy.
Before I get to actually talking about the trip proper that I took, I want to take a post to do my customary travel diatribe. I did this last year after a conference too, so you can consider this part two.
First off, I want to explain my discontent for Midwest airlines, when they turned a well timed, direct flight between MCI and TPA into a late night flight, with a layover in friggin’ Milwaukee. This discontent is only mildly offset by the fact that they serve actual, warm, homemade-ish cookies on their flights. 2 flights = 4 cookies. But, I’m still pissed about the logistical changes, which required me to get a hotel after getting into Kansas City, because after the long day, I wasn’t about to tack on two and a half hours of driving at midnight on to it.
Furthermore, when I show up at your check in area, don’t make me stand there for half an hour until I get lucky and someone from Midwest happens to stroll by and notice that no one is attending to the check in terminals. That is simply inexcusable. At the very least put up a sign or something that says “Gone fishin’, sod off.” At least then I have an idea of what’s going on.
Travel security is becoming such a mockery of itself that I’m surprised people even take it seriously anymore. Frankly, when people can purchase substantially dangerous plastic/fiberglass based knives, an old man next to me with a pocket knife simply isn’t that threatening. In fact, given the attitude many TSA guys have, none of the given security measures gives me much comfort. Yelling at people that they better drink up any water or pop they have doesn’t secure a plane, it makes the guy look like an asshole (and in all fairness, he was really being a jerk). And could someone explain the logic behind having to pull out electronics larger than your palm to have them scanned separately? Is a Blackberry or iPod simply less dangerous than a laptop? Could a terrorist not use a smaller device for their sinister needs? I would think by now they have seen enough laptops that pulling mine out shouldn’t be a big deal.
Now let’s talk about ID. I experienced this both at the port and airport. They check IDs more than anyone should see as logically necessary. If you check my ID, then send me down a sealed hallway, what is the sense in checking it again at the other end? Are you afraid someone might try to burrow through the wall and inject themselves into the flow without being noticed? Likewise, if I can literally turn around and spit at the last person who checked my ID and boarding pass, you might want to consider if you aren’t being a little overkill. I’m pretty damn sure a person can’t magically appear in the middle of the X-ray machine line without a boarding pass when they’ve already gone through two other checkpoints looking for the same thing. Nor would they want to.
And I just feel bad for senior citizens. When you are drawing AARP benefits, I think you should earn a pass on almost all security checks. Grandma Mabel in her wheelchair with an oxygen tank probably isn’t a drug mule or terrorist insurgent. And even if they were, screw it, I’m happy to yield to their 65+ years on this planet and give more power to ‘em. I think they have earned and deserve that dignity. Anything less just shows blatant ignorance.
Oddly enough, coming through Customs was unusually painless. Compared to airport security, I could have been hauling pure cut cocaine with my nose a bright, snowy white, and they wouldn’t have even bothered looking in my bags to check. Though I did declare some snacks I got on the bus in Mexico, and he asked me what it was, and took my word for it. That was good, because while I mentioned the chips and cupcake, I totally forgot to mention the crackers. They might have held that against me.