Question

everyone! I have a question that I cannot understand while I study for the CISSP.

The question to ask is:

What risk does letting the OpenlD dependent party manage the connection to the OpenlD provider introduce?

My response is:

The usename and password of the client might be taken by the relying party.

I believe that in order for the relying party to obtain the user ID and password, the user ID and password must be sent to the openID provider. The actual response is:

By transmitting information to a phoney OpenlD provider, it raises the chance of a phishing attack.

I don't see the distinction between phishing and password theft or why one would pick phishing.

Anyone able to offer me some advice? Thanks!

Answer 1

Both phishing and password theft are security risks associated with letting a third-party manage the connection to an OpenID provider. However, they are distinct threats with different mechanisms and implications.

Phishing is a social engineering attack where an attacker pretends to be a legitimate entity (such as an OpenID provider) to trick a user into disclosing sensitive information (such as login credentials). In the context of OpenID, a phishing attack may involve the relying party redirecting the user to a fake OpenID provider login page that looks like the real thing, but is actually controlled by the attacker. The user may then enter their OpenID credentials into the fake login page, which are then captured by the attacker.

On the other hand, password theft is a form of cyber attack where an attacker gains unauthorized access to stored passwords on a system or network. In the context of OpenID, a relying party that manages the connection to an OpenID provider could potentially store user credentials (such as username and password) on their system. If this information is not properly secured, it could be stolen by an attacker who gains access to the relying party's systems.

In summary, both phishing and password theft are risks associated with letting a third-party manage the connection to an OpenID provider. However, phishing is a social engineering attack that involves tricking users into revealing their credentials, while password theft is a technical attack that involves stealing stored credentials. It's important to be aware of both risks and take appropriate measures to mitigate them.