Clickjacking and CSRF attacking OpenID

From IIW

Convener: Andy Dale (=Andy)

Attendees:

  • Steve Williams
  • Jeff Hodges
  • Larry Cymkin
  • Joe Steele
  • Jon Nichols
  • Paul Bryan
  • Scott Bloomquis

Technology Discussed/Considered: Open ID, InfoCard (briefly)

Discussion notes:

Overview of CSRF & clickjacking - Clickjacking can get around CSRF nonce protections

With OpenID - this becomes much worse

  • redirect to target site via CSRF
  • use click-jacking to have user OK on their OP site?

Mitigations

  • Use frame-busting code
  • Don't let GET change stuff
    • POST is still vulnerable -- but can't do that from image tag
  • Use nonces for forms (for CSRF -- Steve Williams @ Digg mentioned)
    • can do this for OP login request also (allowed by OpenID)
    • reverify at the RP before accepting auth
  • Partition session cookies by process
  • Show a dialog?
  • Show an entry page always?
  • Use HTTPS -- then Referrer header can be trusted
  • Can education fix this?
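Added example (not from the session; the RP URL and session layout are constructed for illustration): the "nonces for forms / can do this for OP login request / reverify at the RP" mitigations above, written out for an OpenID 2.0 relying party in Python. It stops the CSRF-redirect half of the attack, where a response arrives that this browser session never initiated; as the notes say, a clickjacked user who holds a valid nonce is not protected by this.

```python
import secrets
import hmac
from urllib.parse import urlencode, urlsplit, parse_qs

RETURN_PATH = "https://rp.example/openid/return"   # constructed RP endpoint


def build_return_to(session: dict) -> str:
    """Start of login at the RP: mint a fresh nonce, keep it in the user's
    server-side session, and put it in return_to. OpenID 2.0 OPs send the
    user back to return_to unchanged, so the nonce comes back with the
    assertion and ties the response to the session that started the login."""
    nonce = secrets.token_urlsafe(16)
    session["openid_nonce"] = nonce
    return RETURN_PATH + "?" + urlencode({"rp_nonce": nonce})


def verify_return(request_url: str, openid_params: dict, session: dict) -> bool:
    """Re-verification at the RP before the assertion is accepted.
    Returns False for responses that this session did not initiate."""
    # Only a positive assertion carries a login; cancel/error modes are ignored.
    if openid_params.get("openid.mode") != "id_res":
        return False
    # OpenID 2.0 sec. 11.1: openid.return_to must equal the URL the browser
    # actually requested, so a substituted return URL is rejected.
    if openid_params.get("openid.return_to") != request_url:
        return False
    # The nonce in the URL must equal the one this session minted. It is
    # popped (single use), so a replayed response fails on the second try.
    expected = session.pop("openid_nonce", None)
    supplied = parse_qs(urlsplit(request_url).query).get("rp_nonce", [""])[0]
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    # The OpenID signature check against the OP is assumed to follow in the
    # RP's OpenID library; this function only covers the CSRF binding.
    return True
```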

Q: Does clicking on an IFrame transmit click to frames beneath?

  • transparent, low opacity iframes make this question moot
  • Transparent SSO is the issue -- global OP cookie is an example of this
  • The real fix is intelligent clients --- maybe a better browser?
  • If everything at RP is fixed -- you are ok
    • no XSS vulns
    • nonces for requests
    • frame-busting code
    • limited cross-domain policy
  • Mention "important security code uses Javascript" to get user to turn it on
    • supposed to mitigate vulnerabilities
    • could expose more vulnerabilities

Q: Why does browser not prevent clicking when opacity drops below some level?

  • what is that level?
  • what about "look alike" sites which are not opaque?

Q: What about InfoCard?

  • Charles Andres showed a UI-less clickin for InfoCard
  • Exposes same vulnerability?