- From: Zed A. Shaw <zedshaw@zedshaw.com>
- Date: Sun, 9 Jan 2011 10:32:37 -0800
- To: Ben Laurie <benl@google.com>
- Cc: Blaine Cook <romeda@gmail.com>, Phillip Hallam-Baker <hallam@gmail.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, David Morris <dwm@xpasc.com>, websec <websec@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Sun, Jan 09, 2011 at 01:44:12PM +0000, Ben Laurie wrote:
> > for the record, I don't think that OAuth itself is a suitable
> > replacement for HTTP authorisation, but wanted to stir the pot,
> > especially away from overwrought technical solutions that don't
> > actually solve anyone's needs.
>
> Towards ones that are ripe for phishing and have no privacy
> protections? I don't believe that's a good direction.

Ripe for phishing? I must have missed a whole conversation in all this cross posting, because last I checked none of the proposed solutions prevent phishing. If you can phish one site you can phish another. It's not the sites or the protocol that causes phishing, or whether you've got a billion redirects or Diffie-Hellman to the hilt. OpenID or OAuth or plain-old-form-auth don't prevent or cause phishing.

What causes phishing is users have no idea that two websites are different. As proof of this, I present to you the ReadWriteWeb/Facebook Login fiasco:

http://www.readwriteweb.com/archives/facebook_wants_to_be_your_one_true_login.php

This article became the #1 search result for "facebook login" for a short period of time on Google. Not only did the users not realize RWW was *not* the Facebook login, but they created accounts, logged in, and then complained that they didn't like the new Facebook in the article comments. Yes, they thought RWW was the new Facebook. They are totally different websites, with different designs and purposes, yet people had no idea.

You may say that's a small sample, but this was done unintentionally. RWW didn't even try to change their site. A determined attacker can go much much farther than just this with a purposeful design that mimics the Facebook login. And, this was people *logging in* to Facebook, effectively using their direct login (which is also the Connect login). That shows right there they have no idea where they're logging in to what, and that OpenID, OAuth, or any auth system doesn't help them.

-- 
Zed A. Shaw
http://zedshaw.com/
Received on Sunday, 9 January 2011 18:33:05 UTC