Full Disclosure mailing list archives

Re: OpenID. The future of authentication on the web?
From: "Petko D. Petkov" <pdp.gnucitizen () googlemail com>
Date: Sun, 23 Mar 2008 14:52:53 +0000

Hi Steven,

I guess most 1337 hax0rs will flame you on this list. There are good
security blogs you can follow and learn from instead. Full-disclosure
is for rants and bashing only!

I can point you to some articles that I wrote regarding OpenID;
however, let me share my thoughts quickly as that will save you some
time, and of course if you are still curious you can go research.

First of all, OpenID is a very simple but rather useful technology.
With OpenID you have only one account, your ID, which you can use
everywhere the OpenID technology is supported. It is not clear
whether this setup is more secure than what we have at the moment
(every site forces you to register a unique username/password pair), but
it is definitely more convenient. The first argument "for" OpenID is
that the more you share your secrets, credit card information,
usernames, passwords, the higher the chances of this information being
leaked or stolen. On the other hand, OpenID is prone to phishing
attacks, so user education is required.

Think about OpenID as the equivalent of PayPal for authentication. In
theory, it is more secure to pay through PayPal as you are not sharing
your credit card information with everyone else but a single provider.

I am all "for" OpenID as you can spend good time on securing a single
system. If the OpenID provider is not vulnerable to common Web attacks
and it provides good privacy mechanisms such as SSL, on top of
which are built good authentication features such as one-time tokens,
etc., then OpenID is the preferable choice. Keep in mind, though,
that if your OpenID account is hacked, the attacker will be able to
log in as you anywhere they want. This is the main concern and


P.S. Dear list, the only reason I am not priv-messaging Steven is
because I believe that there are other people who are interested in
this topic. So, instead of wasting valuable resources and energy
answering everyone individually, I've decided to do it once, hoping
that this message will be seen by others. Thanks!

On Sun, Mar 23, 2008 at 12:18 PM, Steven Rakick <stevenrakick () yahoo com> wrote:
Hello list,

 I'm curious what the group thinks about the recent
 surge in support for OpenID across the web and the
 impact it will have.

 1) Beemba - http://www.beemba.com
 2) ClaimID - http://www.claimid.com
 3) MyOpenID - http://www.myopenid.com
 4) Many others...

 These sites are gaining in popularity quickly, and with
 the announcements of support from big players Yahoo,
 AOL, Microsoft and Google, combined with smaller
 web2.0 celeb-run sites like Digg, OpenID appears to be
 what will eventually be the norm.


 I've also noticed that many of these sites are
 bundling Information Card support (CardSpace on
 Windows). Sounds like a good idea as it complements
 OpenID and helps address some weaknesses.

 Again, any thoughts?

 I'm really just interested in a dialog.



 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/


Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org

