diTii.com Digital News Hub

Slipshod cryptographic housekeeping left OpenID open to abuse

Aug 13, 2008

Slipshod cryptographic housekeeping left some OpenID services far less secure than they ought to be. OpenID is a shared identity service that eliminates the need for punters to create separate IDs and logins for websites that support the service. Around 9,000 websites, a growing number, support the decentralised service, which offers a URL-based system for single sign-on.

Security researchers discovered that the websites run by three OpenID providers – including Sun Microsystems – used SSL certificates with weak crypto keys. Instead of being generated from billions of possibilities, the keys came from a set of just 32,768 options, due to a flaw in the random number generation routines used by Debian. The bug, which had been dormant on systems for 18 months, was discovered and corrected back in May.
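Why a pool of only 32,768 keys matters to anyone auditing certificates, as an added example (not code from the article, Debian or OpenSSL): when key generation is a pure function of one of 32,768 seeds, every possible key can be listed in advance and deployed keys checked against that list. `toy_keygen` is a hypothetical hash-based stand-in for real key generation, and the host names and keys are constructed.

```python
import hashlib
import os

SEED_SPACE = 32768  # number of possible keys given in the article


def toy_keygen(seed: int, bits: int = 2048) -> bytes:
    """Hypothetical stand-in for key generation (assumption, not real RSA).

    The output depends only on the seed, so the nominal key size (bits)
    adds no strength: there are still at most SEED_SPACE distinct keys.
    """
    material = b"toy-keygen" + seed.to_bytes(4, "big")
    return hashlib.shake_256(material).digest(bits // 8)


def fingerprint(key: bytes) -> str:
    """SHA-256 fingerprint used as the blocklist entry for a key."""
    return hashlib.sha256(key).hexdigest()


def build_blocklist(bits: int = 2048) -> frozenset:
    """Fingerprint every key the flawed generator could ever emit."""
    return frozenset(fingerprint(toy_keygen(s, bits)) for s in range(SEED_SPACE))


def audit(keys: dict, blocklist: frozenset) -> list:
    """Return the names whose key is one of the predictable keys."""
    return sorted(n for n, k in keys.items() if fingerprint(k) in blocklist)


if __name__ == "__main__":
    blocklist = build_blocklist()
    # Constructed sample inventory: one key from the flawed generator,
    # one from the operating system's CSPRNG.
    inventory = {
        "weak.example": toy_keygen(12345),
        "ok.example": os.urandom(256),
    }
    print(len(blocklist), "possible keys in total")
    for name in audit(inventory, blocklist):
        print("replace key and reissue certificate for", name)
```

A flagged key has to be regenerated on a system with a working random number generator; reissuing a certificate over the same key changes nothing.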
