Security News bulletins

DNS poisoning + (Debian's) weak HTTPS certificates

A recent security news bulletin revealed that Debian and derivative Linux operating systems have been generating extremely weak HTTPS certificates for years. As a result, OpenID relying party web sites may be vulnerable to a brute force HTTPS certificate plus DNS poisoning attack to phish users passwords and/or spoof users' identities. The mitigation for this is for the RP's OpenID implementation to check the HTTPS certificate revocation list (CRL) for added security against these weak certificates.

Since DotNetOpenId is based on the .NET platform and leverages its HTTPS security framework, all web sites that use DotNetOpenId can protect against this attack by adding this line to the hosting web site's startup code:

System.Net.ServicePointManager.CheckCertificateRevocationList = true;

Or add this to your Web.config file:

<system.net>
	<settings>
		<servicePointManager checkCertificateRevocationList="true"/>
	</settings>
</system.net>

This requires full trust in your web app, and will unfortunately not work in many shared host environments that give web apps only partial trust.

Regular security features

• Full implementation of OpenID's discovery, verification, and rediscovery requirements.
• HTTPS certificates are validated against CRL (certificate revocation list).
• XRI resolution using 100% HTTPS.
• Optional switch to require HTTPS for all discovery and authentication.
• Optional switch to disallow the now-security-broken SHA-1 association.
• SHA-384 and SHA-512 hashes in addition to the standard SHA-1 and SHA-256 for optional increased security.
• XRIs resolve to CanonicalID (i-number) claimed identifiers.
• Nonce added both for RP and OP when interoping with OpenID 1.x sites for added security otherwise only present in OpenID 2.0. This makes DotNetOpenId RPs roughly as secure when working against OpenID 1.x Providers as if it were working against 2.0 Providers. The DotNetOpenId Provider, when working against an OpenID 1.x RP, is only secure against replay attacks when support for associations is disabled so that DotNetOpenId can check the nonce during check_authentication.
• Over 250 unit tests to verify correct behavior in optimal, suboptimal and attack scenarios.
• Based on .NET platform to protect against buffer overflows and many other attack vectors already protected against as part of the platform.