This is a thought experiment on the interaction between Tor, OpenID and one (or more) compromised nodes in the secure path. I'm focused on how to use technology in a way that adds value to a secure cloud solution. I have no interest in using this technology for nefarious purposes.
Use case
Suppose I have a multi-tenant server where each customer determines the visibility of their domain. For example: x.myhost.com
can choose to be "public" and xyz.myhost.com
is private and only accessed by a hidden .onion
address.
As I understand it there are two ways for a server to interact with Tor:
- Do nothing, use SSL, and trust that the last exit node has not been compromised
- "Hook" into the Tor network using a hidden service and a .onion address
Threats
From what I understand, the session is vulnerable to a compromised .EXIT node. Some hacks I've read about include:
- disclosure of data protected by SSL
- Loss of anonymity if the user uses many services over the same Tor network, enabling correlation
Question
Now that the world is moving to claims-based authentication, SAML, and OpenID, how should Tor be used with these technologies, considering that .exit nodes could be compromised? Given that correlation hacks exist, should OpenID/SAML be used at all? Some questions that affect architecture include
- Is public OpenID less secure than those with forms-based authentication?
- Does using OpenID/SAML enable session correlation? Are some OpenID providers better than others?
- Should the OpenID/SAML server has a .onion address? Will that help prevent correlation attacks?
- Are there benefits of using a public OpenID server (Google/Yahoo) to a private one (Microsoft ADFSv2)