The dangers of openID

Posted by Jorge Bernal August 13, 2007

OpenID

Since I first heard about openID it sounded like a tremendously good idea to me. I’ve wanted a distributed login system like this for years, but nothing is perfect. We all know the advantages: you aren’t tied to a single company to handle your data, are you?

Well, if you don’t want (or can’t, or don’t know how) to set up your own openID server, you will have to use a hosted one. Having one common authentication system for all the web services you use is a great thing, but we have to be aware that it is a single point of failure. I don’t rely on this system to get my work done, but the error shown above could have been a real problem for me if I did.



4 Responses to “The dangers of openID”

  1. Brian says:

    It’s true that in this case, if claimid.com goes down, you’re in a bit of a pickle. However, if your personal page is at foo.com you could use that domain as your openid url and have it delegate to any other openid provider you choose. So, if provider 1 goes down, you can just switch your delegation to another place on which you have an account.

    Here’s a link with more info:
    http://www.windley.com/archives/2007/02/using_openid_delegation.shtml
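Added example, not part of Brian’s comment or the original post: the delegation Brian describes works by putting OpenID `<link>` tags in the `<head>` of your own page, and a relying party performs HTML-based discovery on that page to find the provider endpoint and the identifier the provider knows you by. The parser below performs that discovery step for both the OpenID 1.1 tags (`openid.server`/`openid.delegate`) and the OpenID 2.0 tags (`openid2.provider`/`openid2.local_id`). The identity URL `https://foo.example/` and the provider hostnames are constructed placeholders; the sample pages show the same identity URL delegated first to one provider and then to another, which is all the “switch” consists of.

```python
"""OpenID 1.1 / 2.0 HTML-based discovery, as a relying party performs it.

Given the HTML of a user's own page (the identity URL), find the provider
endpoint and the local identifier the provider knows the user by.  Moving to
another provider only means editing these <link> tags; the identity URL,
and therefore the accounts tied to it, stay the same.
"""
from html.parser import HTMLParser
from typing import Dict, Optional


class _LinkCollector(HTMLParser):
    """Collects href values of <link> tags in <head>, keyed by each rel token."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False  # discovery only honours <link> tags in <head>
        if tag != "link" or not self._in_head:
            return
        attr = dict(attrs)
        rel, href = attr.get("rel"), attr.get("href")
        if not rel or not href:
            return
        for token in rel.split():  # rel may carry several space-separated tokens
            self.links.setdefault(token.lower(), href)


def discover(identity_url: str, page_html: str) -> Optional[Dict[str, str]]:
    """Return provider endpoint and local id, or None if the page carries no OpenID links."""
    parser = _LinkCollector()
    parser.feed(page_html)
    links = parser.links
    # OpenID 2.0 tags take precedence over the 1.1 ones when both are present.
    if "openid2.provider" in links:
        return {"version": "2.0", "endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id", identity_url)}
    if "openid.server" in links:
        # Without a delegate tag the identity URL itself is the local id.
        return {"version": "1.1", "endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate", identity_url)}
    return None


# Constructed sample pages (placeholder hosts, not real providers).
IDENTITY = "https://foo.example/"

PAGE_BEFORE = """<html><head><title>my page</title>
<link rel="openid.server" href="https://provider-one.example/openid/server">
<link rel="openid.delegate" href="https://provider-one.example/u/jorge">
</head><body><p>hello</p></body></html>"""

# Same identity URL, delegation switched to a second provider (2.0 tags plus 1.1 fallback).
PAGE_AFTER = """<html><head><title>my page</title>
<link rel="openid2.provider openid.server" href="https://provider-two.example/openid/server">
<link rel="openid2.local_id openid.delegate" href="https://provider-two.example/u/jorge">
</head><body><p>hello</p></body></html>"""

# Self-hosted server, no delegate tag: the identity URL is the local id.
PAGE_SELF = """<html><head>
<link rel="openid.server" href="https://foo.example/openid/server">
</head><body></body></html>"""

# A <link> outside <head> is ignored by discovery.
PAGE_NO_OPENID = """<html><head></head><body>
<link rel="openid.server" href="https://provider-one.example/openid/server">
</body></html>"""


if __name__ == "__main__":
    for name, page in [("before", PAGE_BEFORE), ("after", PAGE_AFTER),
                       ("self", PAGE_SELF), ("none", PAGE_NO_OPENID)]:
        print(name, discover(IDENTITY, page))
```

The relying party only ever sees the identity URL and whatever these tags currently say, so the outage Brian refers to is survived by re-pointing the tags; the trade-off is that whoever can edit the page’s `<head>` controls where logins for that identity go.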

  2. martin langhoff says:

    Well *actually* there are pretty serious dangers in using OpenID as an authentication system.

    Here’s a brief discussion thread about the dangers of using it as an SSO system: http://lists.laptop.org/pipermail/server-devel/2007-July/000083.html

    And even if you use it for your blog comments and such (its original purpose): http://www.links.org/?p=187

    To clarify — I am writing/rewriting an openID plugin for moodle anyway because laptop.org is going to use it (though in a *different* way that should make it safer). The protocol is *shocking* from a security perspective if used for web-based SSO. The links above point to Ben Laurie — whose code and expertise in security infrastructure we all trust, whether we know or not – look at the credits for apache-ssl ;-)

  3. Jorge Bernal says:

    Wow, that one scared me. I didn’t know about that, thanks.

  4. Elle says:

    Hi, nice post, I enjoyed it.
