[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: WebID as passwordless authentication for debian web services

Simon McVittie <smcv@debian.org> writes:

> By way of context, OpenID originated on Livejournal as a way to have
> federation between blogging platforms (e.g. other sites running the
> Livejournal codebase). At the time, https was considered sufficiently
> expensive that LJ didn't even use it to secure login, let alone normal
> browsing. OpenID's original threat model was "stop people not on my
> friends list from reading what I blog about them", not "stop the US
> government from reading my secrets".

It's probably worth mentioning here that I work on authentication systems
for Stanford University, where (among other things) they have to protect
financial systems with access to multi-million-dollar accounts and the
privacy of patient data shared with the School of Medicine by the Stanford
Hospital.  So my default security analysis tries to protect against
determined, dedicated attackers going after high-value targets.

It is entirely reasonable to decide that your threat model is casual
snooping and casual attacks and the amount of overhead required to defend
against a serious attacker just isn't worth it.

The trick is to make sure that your threat profile doesn't change after
you make that decision, at least without also changing your decision.
There are parts of the Debian infrastructure that need to be robust
against high-value targets, so introduction of weaker authentication
systems (like most OAuth profiles) would require carefully tracking where
they're being used and being careful to not use them where they're not
appropriate.  One *can* do this -- we do this right now for the Mailman
admin passwords on Alioth, for example, which are certainly not a strong
authentication mechanism but which are entirely adequate for the purpose
they're being used for.  But it requires care.

There's also a tendency for attackers to find additional reasons to attack
low-value targets that weren't anticipated.  For example, LiveJournal got
much more serious about protecting account logins when attackers started
attacking LiveJournal accounts, not to read friends-locked posts or post
spam, but to inject malware that would compromise the systems of people
using LiveJournal and join them to bot nets.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
Reply to: