from Hacker News

Open Letter from the OpenID Foundation to Apple Regarding Sign in with Apple

by julian37 on 6/29/19, 5:56 AM with 137 comments

  • by motohagiography on 6/29/19, 12:56 PM

    Between lack of a nonce and an asserted exposure to code injection and replay attacks, the issues in the letter imply a week of vulnerability research could yield a complete takedown of the product - which would suck because an Apple sign-in experience using their TEE is really valuable.

    I could see someone making the choice where they would elect not to manage a nonce because its permuting effect was achieved by other parts of the protocol. Apple also has keys in a TEE, and a nonce generated and synchronized outside of that could have been interpreted as creating additional attack surface.

    If the OpenID letter is correct, there are exploitable vulnerabilities in Apple's implementation that could be demonstrated. If they are not correct, they could just be angry Apple is leveraging its TEE to assert it doesn't need governance from this standards body because the standard is written for products without a separate hardware keystore.
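
The nonce and replay point made in the comment above, as an added example that is not from the thread, from Apple or from the OpenID Foundation: a relying-party check in Python that issues one nonce per login attempt, requires the ID token to carry it, and consumes it on first use, so a replayed token or one with no nonce claim is rejected. Assumptions: an HS256 signature over a constructed demo key stands in for the provider's real asymmetric signature, and the ID token itself is minted inside the block for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key: stands in for the provider's signing key. Real OIDC
# providers sign ID tokens with an asymmetric key; HS256 keeps this self-contained.
DEMO_KEY = b"constructed-demo-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict) -> str:
    """Mint a constructed HS256 ID token (plays the role of the identity provider)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class RelyingParty:
    """Binds one nonce to each login attempt and consumes it when the ID token arrives."""
    def __init__(self, client_id: str):
        self.client_id = client_id
        self.pending = set()  # nonces issued but not yet redeemed

    def start_login(self) -> str:
        nonce = secrets.token_urlsafe(16)  # sent in the authorization request
        self.pending.add(nonce)
        return nonce

    def accept_id_token(self, token: str) -> Optional[dict]:
        header, payload, sig = token.split(".")
        expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature does not verify
        claims = json.loads(_b64url_decode(payload))
        if claims.get("aud") != self.client_id:
            return None  # token was issued for a different client
        nonce = claims.get("nonce")
        if nonce not in self.pending:
            return None  # nonce missing, unknown, or already redeemed (replay)
        self.pending.discard(nonce)  # one-time use: a second presentation fails
        return claims
```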

  • by blue_devil on 6/29/19, 9:07 AM

    This might answer some questions: https://openid.net/connect/faq/

    Also

    >Are there live production deployments of OpenID Connect? Yes. Some examples include Google, Gakunin (Japanese Universities Network), Microsoft, Ping Identity, Nikkei Newspaper, Tokyu Corporation, mixi, Yahoo! Japan and Softbank. There are also mature deployments underway by Working Group participant organizations, such as Deutsche Telecom, AOL, and Salesforce.

    For an example of OpenID Connect at work, look at Google+ Sign-In, Google’s flagship social-identity offering, which is entirely based on OpenID Connect.

  • by toyg on 6/29/19, 8:59 AM

    I guess (hope?) this is actually as a result of some communication failure or refusal behind the scenes. Otherwise it would look pretty rude.

    Some sort of accompanying commentary from OIDF people, explaining the reasoning behind the letter, would be appreciated.

  • by jchw on 6/29/19, 12:15 PM

    Everyone is obviously focusing on the certification suggestion, but they also went and made a nice document of “bugs.” If Apple does anything, patching some of the larger deviations would be great, just out of sheer convenience. Third-party auth libs already have enough exception cases for specific services...

  • by slics on 6/29/19, 2:03 PM

    It’s not an issue with $15k or if Apple can pay or not. I think it’s the issue of Apple vs. Open in general. Apple’s ecosystem is closed to the world.

  • by frenchman99 on 6/29/19, 8:41 AM

    They basically just asked Apple to give them 15K$, which is the cost of membership for a company of more than 100 employees [0].

    Is it currently not possible to use standard OpenID clients for "Sign-in with Apple" authentication? Does Apple not provide some sort of SDK that makes this easy? And if so, what is the advantage of "Sign-in with Apple" being interoperable?

    [0] https://openid.net/foundation/members/registration

  • by nereid on 6/29/19, 9:37 AM

    It is not just asking for money. They are proposing that Apple use the standard and make public that they use the standard; it could boost OpenID as no other could.

  • by ForHackernews on 6/29/19, 9:59 AM

    ITT: People who benefit from standard protocols and use OpenID Connect every single day without realizing it complaining that the world's first trillion dollar company might have to pay 0.000015B.

  • by jjtheblunt on 6/29/19, 9:01 PM

    Perhaps Apple has intentionally NOT jumped on the OpenID effort without tweaks, for the following reason?

    Quoting wikipedia for convenience:

    "OAuth 2.0 has had numerous security flaws exposed in implementations.[17] The protocol itself has been described as inherently insecure by security experts and a primary contributor to the specification stated that implementation mistakes are almost inevitable.[18][19]".

  • by huffmsa on 6/29/19, 12:27 PM

    Par for the Apple course isn't it?

    > Oh, you've all agreed on USB type-c? Well we're going to use thunderbolt. Except for when we don't and our customers have to buy a type-c to thunderbolt adapter.

    > Two button mouse with a scroll wheel? How about a 1 button mouse that you click with two fingers.

    > Linux? Sure, but it's called MacOsx and doesn't have a native package manager.

    They've always done stuff like this.

  • by pyman on 6/30/19, 10:10 AM

    One of the biggest benefits of building a closed platform is that you have the freedom to ignore open letters like this one.

  • by MaxBarraclough on 6/30/19, 10:19 PM

    Sounds like another case of Apple doing things in a nonstandard way for little reason, getting the security wrong, and paying the price. A while back, their iMessage system was found to have rather serious security issues. Same same.

    'Not Invented Here syndrome'.

  • by alt_f4 on 6/29/19, 11:45 AM

    I'm surprised how many people seem to have a huge problem with Apple, a 910 billion dollar company, paying 15k towards a membership of an organization that underpins the major ideas in their software implementation. That's, what, a single Mac Pro?

  • by Sephr on 6/29/19, 8:55 AM

    "Therefore the OpenID Foundation invites Apple to: [...] Join the OpenID Foundation"

    It's not really an "invitation" if they expect Apple to give them money.

  • by marmada on 6/29/19, 2:09 PM

    It's interesting to see the pro-Apple bias on Hacker News; if some other company tried to avoid integrating with existing standards, thus hurting interoperability, I bet HN would throw a fit.