2012 Oct 1, 6:33
According to the links within this article, although the root URI of the router requires authentication, the /password.cgi URI doesn’t and the resulting returned HTML contains (but does not
display) the plaintext of the password, as well as an HTML FORM to modify the password that is exploitable by CSRF.
The attack… infected more than 4.5 million DSL modems… The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log
in to and control the devices. The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular websites to instead connect to
booby-trapped imposter sites.
technical security html router web dns csrf 2011 Nov 14, 7:51
Includes ‘511 Network Authentication Required’ for airport/hotel/coffee shop scenarios! Am I too excited about this?
technical ietf http http-status-codes 2010 Oct 4, 2:05Proposed 428 HTTP error code for hijacking proxies to indicate to the client the user needs to login to the network etc. Glad to see this one's finally happening.
http http-status captive-portal hijack proxy authentication technical rfc reference 2009 Nov 30, 6:31"At Mozilla Labs, we’ve been working on some potential integrations of identity directly into the browser. Note, this is an extremely rough draft." Looks pretty!
firefox browser identity web mozilla security authentication openid 2009 Nov 23, 11:28"Thanks to the utilization of new technology, we're now seeing large-scale success in eliminating the need for passwords while increasing the successful registration rate at websites to over
90%...In addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by President Obama's open identity initiative to enable
citizens to sign in more easily to government-operated websites."
identity openid google security authentication facebook password via:connolly technical 2009 Apr 29, 12:34"In this presentation, recorded at QCon San Francisco 2008, HTTPbis WG chair Mark Nottingham gives an update on the current status of the HTTP protocol in the wild, and the ongoing work to clarify
the HTTP specification."
http httpbis protocol ietf reference video authentication cookie uri url tcp sctp mark-nottingham via:ericlaw 2009 Apr 20, 3:37Web service that hosts avatar images for things like blog comments. The image is ID'ed by a hash of the user's email address. Auto generated or if the user signs up, the image can be whatever they
upload. Lots of plugins for different blogging platforms.
blog web photo avatar image authentication identity icon hash 2009 Jan 22, 9:48"Revocation presents another challenge. If a system relies only on a biometric for both identity and authentication, how do you revoke that factor? Forgotten passwords can be changed; lost smartcards
can be revoked and replaced. How do you revoke a finger?"
article microsoft security identity authentication biometrics 2008 Apr 24, 9:41This is a CAPTCHA in which you must id the center of subimages in a collage and then choose the correct caption for a second a photo. It took me seven tries to click close enough to the center of a
subimage. I'm human I swear! Lame implementation.
captcha image security 2008 Apr 7, 2:55"The PHP OpenID library lets you enable OpenID authentication on sites built using PHP."
php openid development opensource identity authentication api software server library 2007 Nov 28, 4:43How to use FOAF and OpenID together and how DIG used that as a basis for commenting on their blog.
foaf openid authentication identity rdf semanticweb trust web spam 2007 Mar 19, 3:13Documentation on setting up SSH to use keys.
security ssh howto key publickey putty 2007 Mar 13, 3:54A blog article on creating group OpenIDs.
openid authentication group privacy blog article 2007 Mar 13, 3:53A service that provides anonymous OpenIDs with no authentication.
anonymous authentication openid identity privacy 2007 Mar 13, 3:53The OpenID Specification
openid authentication specification security 2007 Mar 13, 2:08OpenID is an open identification system for the Internet in which anyone can participate.
authentication identity openid security specification privacy 2007 Mar 13, 7:57I had a few thoughts after reading about
OpenID. However, after doing only a very small amount of digging I can see these aren't new thoughts.
-
Anonymous OpenID
-
Have an OpenID that anyone can use because it performs no authorization. You'd specify a URI like http://deletethis.net/anonymousopenid/yournamehere and you'd immediately get an anonymous OpenID
associated with that URI. This has already been implemented by Jayant Gandhi.
-
Group OpenID
-
Have an OpenID that consists of a group of member OpenIDs. To login as the Group OpenID you need to login with any of the member OpenIDs. This is discussed more by Dmitry Shechtman on his blog.
-
OpenID Normalization
-
I find that I already have a couple of OpenIDs without even trying due to AOL giving out OpenIDs. I'd like for all of my
OpenIDs to point to one canonical OpenID. It looks like this may already be possible by the OpenID
specification.
I guess I'm a little late to the scene.
technical stolen-thoughts openid