How secure is OpenID?

Everybody is talking about OpenID. Big players are adopting it. But should you trust it for things that matter – financial transactions, for example?

Here’s an important post from Microsoft’s identity architect Kim Cameron:

So let’s think about this.  Where is the root of trust?  In conventional systems like PKI or SAML or Kerberos, the root of trust is the identity provider.  I trust the identity provider to say something about the subject.  How do I know I’m hearing from the legitimate identity provider?  I have some kind of cryptographic key.  The relevant key distribution has a cost – such as that involved in obtaining or issuing public key certificates, or registering with a Key Distribution Center.

But in OpenID, the root of trust is the OpenID URL itself.  What you see is what you get.  In the example above, I trust Francis’ web page since it represents his thinking and is under his control.  His web page delegates to his OpenID identity provider (OP) through the link mechanism in (5).  Because of that, I trust his identity provider to speak on behalf of his web page.  How do I know I am looking at his web page or talking to his identity provider?  By calling them up on DNS.

I’m delving into the details here because I think this is what gives OpenID its legs.  It is as strong, and as weak, as DNS.  In other words, it is great for transactions that won’t attract criminal attack, and terrible for those that will.

And here’s Cameron’s conclusion:

OpenID cannot replace crypto-based approaches in which there are trusted authorities rather than trusted web pages.  But it can add a whole new dimension, and bring the “long tail” of web sites into the identity fabric.

Note that Cameron is not opposed to OpenID. Apart from anything else, he recognizes that this may well be the beginning of an identity revolution – part of a process, at the end of which we get a safer, less spam-laden, less criminal-infested internet.

At the same time, he’s right. The whole OpenID structure hinges on the URL routing to the correct machine on the Internet. In other words, DNS. Now do some research on DNS poisoning. Scary.

Now, it strikes me that you can largely fix this by requiring SSL connections. In other words, have the OpenID URL be an https:// URL, and have the relying party (the website where you want to log in) check for a valid SSL certificate. Note though that SSL must be used at every stage. OpenID lets you use your own URL as the identifier, but redirect to another OpenID identity provider. Both URLs must use SSL to maintain integrity.
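To make the “SSL at every stage” rule concrete, here is an added example (my own illustration, not code from any OpenID library or from the posts quoted above) of how a relying party could enforce it. It mimics the OpenID 1.1 HTML-based discovery step, reading the openid.server and openid.delegate link relations from the user’s identity page, and then refuses the login unless the claimed identifier, the delegate identifier and the provider endpoint are all https:// URLs. The identity pages and hostnames are constructed samples.

```python
"""Relying-party check for the 'SSL at every stage' rule.

Added example, not code from the original post or from any OpenID
implementation.  OpenID 1.1 discovery works by fetching the claimed
identifier URL and reading <link rel="openid.server"> (the provider
endpoint) and <link rel="openid.delegate"> (the identifier the provider
actually knows the user by).  If any of those three URLs is plain http,
a DNS poisoning attack on that hop is enough to redirect the login to an
impostor; requiring https on all of them means the attacker would also
need a certificate that the relying party trusts for that hostname.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ssl


class _OpenIDLinkParser(HTMLParser):
    """Collects openid.server / openid.delegate <link> hrefs from a page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        href = a.get("href")
        if href and rel in ("openid.server", "openid.delegate"):
            # First declaration wins; later duplicates are ignored.
            self.links.setdefault(rel, href)


def discover(html):
    """Return (server_url, delegate_url_or_None) from an identity page."""
    parser = _OpenIDLinkParser()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link found")
    return server, parser.links.get("openid.delegate")


def is_https(url):
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_ssl_every_stage(claimed_id, html):
    """Apply the post's rule: every URL in the chain must be https://.

    Returns a list of problems; an empty list means the chain passes.
    """
    problems = []
    if not is_https(claimed_id):
        problems.append("claimed identifier is not https")
    server, delegate = discover(html)
    if not is_https(server):
        problems.append("OP endpoint %s is not https" % server)
    if delegate is not None and not is_https(delegate):
        problems.append("delegate identifier %s is not https" % delegate)
    return problems


def verifying_tls_context():
    """TLS context a relying party would use when fetching those URLs.

    create_default_context() already verifies the certificate chain against
    the system trust store and checks the hostname; the two assignments
    restate those defaults so the 'valid SSL certificate' requirement from
    the post is explicit in the code.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample identity pages; the hostnames are placeholders.
GOOD_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example.net/server">
<link rel="openid.delegate" href="https://alice.op.example.net/">
</head><body>Alice</body></html>"""

DOWNGRADED_PAGE = """<html><head>
<link rel="openid.server" href="http://op.example.net/server">
<link rel="openid.delegate" href="https://alice.op.example.net/">
</head><body>Alice</body></html>"""


if __name__ == "__main__":
    cases = (("https://alice.example.org/", GOOD_PAGE),
             ("https://alice.example.org/", DOWNGRADED_PAGE),
             ("http://alice.example.org/", GOOD_PAGE))
    for claimed, page in cases:
        print(claimed, check_ssl_every_stage(claimed, page) or "ok")
```

The second sample page shows the case the paragraph warns about: the user’s own page is served over https, but it delegates to a provider endpoint over plain http, so the check fails even though the first hop looked safe.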

Another idea is to use an OpenID for non-critical logins, however you define those.

Note that this issue is different from the phishing risk, for which CardSpace strikes me as a good solution.


Rasmus Lerdorf on security, hormones and PHP

PHP inventor Rasmus Lerdorf spoke yesterday at the Future of Web Apps conference in London. It was the highlight of the conference: at once funny, insightful, techie and thought-provoking.

“I had no intention of writing a language”, he told us. “I hate programming with a passion. It’s boring. It’s tedious. It’s hard. I love solving problems. You endure the pain to get to the end destination.”

In case there are any non-geeks reading, I should explain that PHP is the most popular server-side programming language on the Web. This blog is driven by a PHP application called WordPress. PHP is also free, and one of the big successes of open source.

Lerdorf related the history of PHP, which originally stood for “Personal Home Page tools”. They were little scripts he wrote for his own home page, “my own little hack to reuse the C code I had written”. He then shared his work with friends. He showed us some code samples. Here is PHP in 1994:

<!--getenv HTTP_USER_AGENT--> 
<!--ifsubstr $exec_result Mozilla--> 
Hey, you are using Netscape!<p> 
<!--endif-->

By 1995 PHP looked more like what we would recognize as PHP. By 2007 it had sprouted all sorts of modern object-oriented features, and Lerdorf noted that while he understood the importance of these, it has somewhat moved away from its original intent as a quick and dirty tool.

Lerdorf made PHP a completely open source project in 1997. He was fed up with maintaining scripts for other people and realised that he could not do it alone. “No one person can possibly learn 20 different database APIs”. So he contacted all the people who had made suggestions to him, gave them access to PHP’s source on CVS (a source code management system), and relinquished control.

This was the lead-in to some reflections on why people bother to contribute to open source software. Lerdorf gives 4 reasons:

  1. Self-interest
  2. Self-expression
  3. Hormones
  4. Improve the world

The last of these is, in his view, the least important. But why hormones? His theory is that open source is one way geeks get human interaction, despite preferring keyboards and screens to going out and meeting people. It follows that factors like recognition (within their circle) and a sense of ownership are critical to successful open source projects, or even to any form of user-generated content. “You have to think about how people feel about themselves”, says Lerdorf. In fact, his comments chimed nicely with what Kevin Rose said about Digg.

Performance and security

Next, Lerdorf addressed the two major hurdles facing web applications. He is a strong believer in performance as a feature. “Unless you can make it work, there’s no point.” He dived into a couple of profiling tools to make his point, showing how to identify bottlenecks in PHP applications.

Security on the web is awful – I fully take the blame

Then security. “Security on the web today is awful. I know a lot of people blame PHP for that … I fully take the blame for some of it, but not all of it.”

What could he have done? Well, PHP does not spoon-feed security; Microsoft’s ASP.NET is actually better in that respect (my comment, not his). It could be more secure by design. On the other hand, as Lerdorf notes, “there was no such thing as cross-site scripting in 1995”. He gave us a great explanation of how cross-site scripting works; it is not the easiest thing to explain. PHP 5.2 has a new filter function for making user input safe.

How to be safe on the web? “You can never click on a link. Sorry. Unless you understand everything in that link, and some of them are huge. You can never be sure that it is safe… most people are really easy to trick.”

Finally, Lerdorf gave us a few general comments on future directions, the possibilities opened up by geocoding in Flickr, for example. He says don’t make new portals, “We have enough portals out there.” Use the APIs published by major sites, and finally – make it fast.


More Future of Web Apps hits and misses

The Carson Future of Web Apps London conference is over; here are my quick reflections on day two.

Adobe covers old ground

Adobe’s Mark Anders (formerly at Microsoft and much involved in ASP.NET) spoke about Flex and Apollo, explaining how FlexBuilder and MXML form a developer-friendly way to compile Flash binaries; this is familiar ground for me and I was disappointed that he didn’t go into more depth, especially considering that we had a similar talk from Andrew Shorten at this event last year. Still, there were some interesting performance comparisons showing off the JIT compiler in Flash 9.0 – it is much faster for ActionScript, as I’ve confirmed with my own tests.

Chris Wilson on IE

Microsoft’s Chris Wilson (co-author of the first NCSA Mosaic for Windows) spoke on IE7; his talk was billed as “The Future of the Browser” but it was not about that, it was more of an apologia concerning why IE was frozen for 5 years between IE 6.0 and IE 7.0 (I think it is worse than that, since IE 6.0 was not really a major advance on 5.0). He gave three main reasons: in 2001 few people were building browser-based rich web apps so there seemed little point investing in the technology; in 2002 Microsoft’s security push drained resources; and complacency from lack of competition. Wilson assured us of Microsoft’s commitment to standards, reminded us of compatibility issues (“don’t break the web”), and said that we can expect better standards support, improved user experience, and further security features in future versions of IE. A good bridge-building talk.

I caught Chris Wilson afterwards and explained my disappointment with Outlook’s use of the IE7 RSS platform, which is a botch (see here for why). I’ve asked several others at Microsoft this same question and received mumbled answers and promises to follow up that have not materialized. Wilson by contrast says he is aware of the problem and that many of Microsoft’s employees are complaining about it as well; he’s turned off RSS sync in Outlook 2007 himself, for exactly this reason. He says it will be fixed somehow but gave no clues as to when; at worst it could be the next version of Office.

I also asked when we can expect IE8. Wilson says it will be no later than two years from the release of IE7, but probably close to that. IE is no longer tied to major releases of Windows itself.

Design challenges at the New York Times

Khoi Vinh is Design Director at NYTimes.com and gave us some great insights into the problem of maintaining strong design when content is changing rapidly. In essence, he said that tools cannot keep pace with real-time, forcing compromise. He also spoke about how changing media means many-to-many interaction (not 1-to-many), and how user interface design should risk offending experts, by going for ease of use with perhaps some compromises on advanced features, rather than offending novices with UIs they cannot make sense of. Excellent talk.

The promise of OpenID

Simon Willison gave an animated talk on the future of OpenID, enthusing about the benefits of single sign-on. This was mostly a great presentation, pitched at the right level with examples, and honest about the risks and pitfalls as well as the advantages. He mentioned how Microsoft’s CardSpace helps solve the phishing problem, by moving the authentication UI into the browser, but mistakenly said this is a feature of Vista – it is not, it is a feature of .NET Framework 3.0 and available for Windows XP. (I spoke later to Chris Wilson about this, who hinted that progress in implementing CardSpace for other browsers such as Firefox and Safari is well advanced). I particularly liked the way Willison brought out some potential future benefits from a well-supported Internet identity standard, such as networks of trust enabling whitelists to combat problems like comment spam.

Google, Vodafone disappointments

After three strong presentations in a row I was feeling upbeat about this conference, but sadly it took a dive. Carson had decided to experiment with user-generated content, giving attendees the chance to put forward their own presentations; attendees voted on which ones they would like to see, and the top three got 15 minutes each. Good idea, but it didn’t work well in this instance for several reasons – lack of presentation skills, not enough participation, and perhaps none of the submissions was really strong enough.

Jonathan Rochelle from Google spoke on “How we built Google Docs & Spreadsheets”. I had been looking forward to this session, but it was a big disappointment, very high-level with no real insight into how the application was put together. Rochelle is too much a company man and gave little away. Then Daniel Applequist from Vodafone spoke on the mobile internet, observing that there are 1000 million XHTML-capable mobile phones versus a mere 150 million wi-fi equipped laptops. Unfortunately Applequist didn’t succeed in enthusing the conference; perhaps the mid-afternoon timing was to blame.

Great PHP talk and closing words

It was worth hanging on for Rasmus Lerdorf’s presentation on PHP. This was outstanding and I am going to post separately about it. In part this may be because I had not heard him speak before; but I really enjoyed this talk.

This post is already too long, and I’ve already posted about NetVibes, so I will close by just mentioning the entertaining Moo session from Richard Moross and Stefan Magdalinski. They love the UK’s Royal Mail.

Thanks to Carson for a thought-provoking couple of days – but please make the wi-fi work properly next time!