Full Disclosure mailing list archives
Re: OpenID. The future of authentication on the web?
From: reepex <reepex () gmail com>
Date: Sun, 23 Mar 2008 17:33:41 -0500
that's right pdp - go run to your protected lists and blogs where you don't have to hear anything negative and where you can flame people without contest who talk against you. you are another Bill O'Reilly and everyone thinks of you as such. enjoy your sheep.

On Sun, Mar 23, 2008 at 9:52 AM, Petko D. Petkov <pdp.gnucitizen () googlemail com> wrote:

Hi Steven,

I guess most 1337 hax0rs will flame you on this list. There are good security blogs you can follow and learn from instead. Full-disclosure is for rants and bashing only!

I can point you to some articles that I wrote regarding OpenID, however, let me share my thoughts quickly as that will save you some time and of course if you are still curious you can go research further.

First of all, OpenID is a very simple but rather useful technology. With OpenID you have only one account, your ID, which you can use everywhere the OpenID technology is supported. It is not clear whether this setup is more secure than what we have at the moment (every site forces you to register a unique username/password pair) but it is definitely more convenient.

The first argument "for" OpenID is that the more you share your secrets, credit card information, usernames, passwords, the higher the chances that this information will be leaked or stolen. On the other hand, OpenID is prone to phishing attacks so user education is required. Think about OpenID as the equivalent of PayPal for authentication. In theory, it is more secure to pay through PayPal as you are not sharing your credit card information with everyone else but a single provider.

I am all "for" OpenID as you can spend good time on securing a single system. If the OpenID provider is not vulnerable to common Web attacks and it provides good privacy mechanisms such as SSL, on top of which are built good authentication features such as one-time tokens, etc.... then OpenID is the preferable choice. Keep in mind though, that if your OpenID account is hacked, the attacker will be able to log in as you anywhere they want. This is the main concern and disadvantage.

pdp

P.S. dear list, the only reason I am not priv-messaging Steven is because I believe that there are other people who are interested in this topic. So, instead of wasting valuable resources and energy answering everyone individually, I've decided to do it once hoping that this message will be seen by others. Thanks!

On Sun, Mar 23, 2008 at 12:18 PM, Steven Rakick <stevenrakick () yahoo com> wrote:

Hello list,

I'm curious what the group thinks about the recent surge in support for OpenID across the web and the impact it will have.

1) Beemba - http://www.beemba.com
2) ClaimID - http://www.claimid.com
3) MyOpenID - http://www.myopenid.com
4) Many others...

These sites are gaining in popularity quickly and with the announcements of support from big players Yahoo, AOL, Microsoft and Google, combined with smaller web2.0 celeb-run sites like Digg, OpenID appears to be what will eventually be the norm. Thoughts?

I've also noticed that many of these sites are bundling Information Card support (CardSpace on Windows). Sounds like a good idea as it complements OpenID and helps address some weaknesses. Again, any thoughts?

I'm really just interested in a dialog.

-sr

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters
gnucitizen.org | hakiri.org | spinhunters.org