LinuxQuestions.org


rickh 03-01-2007 08:19 AM

Is OpenID secure?
 
http://openid.net/

I'm opening this thread because Jeremy's LQWiki-OpenID announcement is being overwhelmed by questions about the potential security issues. I'm not sure this is the correct forum, but I trust that can be addressed if it's desirable.

OpenID is an open source replacement for Microsoft's failed "Passport" concept. It is fairly new and, as such, security is an issue. On the other hand, it has captured the imagination of a lot of high-level developers for whom such a universal login technique would be extremely valuable.

My general advice to people who are concerned that someone might get their password and take advantage of it somehow is this: consider what your OpenID password is protecting. Right now, it's generally the privilege to post on forums at which you are not registered. That's not really high-level stuff.

Don't use the same password for your OpenID identity that you use for your bank account, or your root login, or anything that guards critical information.

My own position is that this idea is a great area for development, and I want to encourage it. Personally, my rule of thumb for the time being is that I will register at no more discussion sites unless they allow that registration via OpenID.

Jaqui 03-01-2007 09:28 AM

OK, I'll bite ;)

No, it's not.
It's on the INTERNET therefore it is not secure.
[ packet sniffers, caching on proxies, packet forwarding bots all make the internet not secure ]

The technology behind OpenID may be secure, but any data transmission outside of a secure tunnel is not secure.


I think a better way to phrase it would be: is foo OpenID service provider secure?
[ keeping in mind that eBay and Amazon were both recently hacked ]
We would still have to say that the inherent non-security of the internet means no, they are not secure.

Matir 03-02-2007 11:32 AM

The concept of security very often depends on what you are guarding. I sincerely doubt OpenID will be used at any point in the near future for any sort of e-commerce. It would be nice, but there are too many questions with a decentralized system.

A centralized form with transactions protected by SSL would be far more secure... or even SSL on a decentralized system where the SSL certificates are signed by a central OpenID authority.

