Clickjacking and CSRF attacking OpenID

Convener: Andy Dale (=Andy)

Attendees:
 * Steve Williams
 * Jeff Hodges
 * Larry Cymkin
 * Joe Steele
 * Jon Nichols
 * Paul Bryan
 * Scott Bloomquis

Technology Discussed/Considered: OpenID, InfoCard (briefly)

Discussion notes:

Overview of CSRF & clickjacking: clickjacking can get around CSRF nonce protections, because the victim's own click submits the site's genuine form, which already carries a valid nonce

With OpenID this becomes much worse:
 * redirect to target site via CSRF
 * use click-jacking to have user OK on their OP site?

Mitigations:
 * Use frame-busting code
 * Don't let GET change stuff
 * POST is still vulnerable -- but can't do that from image tag
 * Use nonces for forms (for CSRF -- Steve Williams @ Digg mentioned)
 * can do this for OP login request also (allowed by OpenID)
 * reverify at the RP before accepting auth
 * Partition session cookies by process
 * Show a dialog?
 * Show an entry page always?
 * Use HTTPS -- then Referrer header can be trusted
 * Can education fix this?

Q: Does clicking on an IFrame transmit the click to frames beneath?
Q: Why does the browser not prevent clicking when opacity drops below some level?
 * transparent, low opacity iframes make this question moot
 * Transparent SSO is the issue -- global OP cookie is an example of this
 * The real fix is intelligent clients --- maybe a better browser?
 * If everything at RP is fixed -- you are ok
 * no XSS vulns
 * nonces for requests
 * frame-busting code
 * limited cross-domain policy
 * Mention "important security code uses JavaScript" to get user to turn it on
 * supposed to mitigate vulnerabilities
 * could expose more vulnerabilities
 * what is that level?
 * what about "look alike" sites which are not opaque?

Q: What about InfoCard?
 * Charles Andres showed a UI-less clickin for InfoCard
 * Exposes same vulnerability?