
Request ID tracking

Today I was investigating the A-Select authentication process. Since OpenASelect is very similar, I suspect the same will apply for this project.

My question is whether applications implementing A-Select authentication should track the request IDs (rids) handed out by the A-Select server. I don't see this mentioned anywhere, but as far as my knowledge reaches, without rid tracking the application is vulnerable to a man-in-the-middle attack (unless additional signing is applied). A third party could easily set up an authentication request, with a redirect URL back to itself. This third party can then proxy the credentials to the 'real' application. If the real application isn't sure whether the rid has been given out to that application or instead to some third party, and the application accepts the request, the MITM attack will be successful.

  • Message #1

    We recommend enabling request signing (signing_enabled) for production environments, so that a third party cannot send requests on behalf of another application. If request signing is disabled, it is indeed the application's responsibility to verify that it (and not some third party) has started the authentication process.

    Note that, contrary to A-Select 1.x, the application ID is not visible to the user anymore. The application ID should only be known to OpenASelect and to the application itself. That means it is not so easy to set up an authentication request, because the third party would have to guess the correct application ID first.

    We are working on a guide explaining how to use OpenASelect's services in detail. The guide will contain a set of security recommendations and considerations, including the above one.
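The application-side rid tracking the question asks about, and that Message #1 calls the application's responsibility when request signing is disabled, as an added example that is not OpenASelect code or anything from this thread. The server call, the session identifiers and the return URLs are constructed stand-ins; the point is that a rid the application never requested itself, a rid bound to a different browser session, an expired rid or a replayed rid is refused.

```python
import secrets
import time

# Constructed stand-in for the A-Select server's "authenticate" call: it hands out
# a rid for an app_id and return URL. A third party that knows the app_id can obtain
# a rid for its own return URL the same way, which is the scenario in the question.
def aselect_server_authenticate(app_id: str, return_url: str) -> str:
    return secrets.token_hex(16)

class RidTracker:
    """Application-side record of the rids this application actually requested."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._pending = {}  # rid -> (browser_session, issued_at)

    def start_authentication(self, browser_session: str, app_id: str, return_url: str) -> str:
        rid = aselect_server_authenticate(app_id, return_url)
        # Bind the rid to the browser session that triggered it, with an issue time.
        self._pending[rid] = (browser_session, time.time())
        return rid

    def accept_callback(self, browser_session: str, rid: str) -> bool:
        """True only if this application requested rid for this browser session,
        it has not expired, and it has not been presented before (single use)."""
        entry = self._pending.pop(rid, None)  # consumed on first presentation
        if entry is None:
            return False  # unknown rid: requested by someone else, or replayed
        session, issued_at = entry
        if time.time() - issued_at > self.ttl:
            return False
        return secrets.compare_digest(session, browser_session)

def demo():
    app = RidTracker()
    rid = app.start_authentication("sess-A", "app-1", "https://app.example/return")
    legit = app.accept_callback("sess-A", rid)     # our rid, our session -> accepted
    replay = app.accept_callback("sess-A", rid)    # same rid again -> refused
    # A third party obtained a rid for app-1 with its own return URL and now
    # proxies the callback to us; we never requested this rid, so it is refused.
    foreign = aselect_server_authenticate("app-1", "https://third-party.example/return")
    proxied = app.accept_callback("sess-A", foreign)
    return legit, replay, proxied  # -> (True, False, False)
```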