LinuxQuestions.org
03-01-2007, 08:19 AM   #1
rickh
Is OpenID secure?


http://openid.net/

I'm opening this thread because Jeremy's LQWiki-OpenID announcement is being overwhelmed by questions about the potential security issues. I'm not sure this is the correct forum, but I trust that can be addressed if it's desirable.

OpenID is an open source replacement for Microsoft's failed "Passport" concept. It is fairly new and, as such, security is an issue. On the other hand, it has captured the imagination of a lot of high-level developers for whom such a universal login technique would be extremely valuable.

My general advice to people who are concerned that someone might get their password and take advantage of it somehow is this: consider what your OpenID password is protecting. Right now, it's generally the privilege to post on forums at which you are not registered. That's not really high-level stuff.

Don't use the same password for your OpenID identity that you use for your bank account, or your root login, or anything that guards critical information.

My own position is that this idea is a great area for development, and I want to encourage it. Personally, my rule of thumb for the time being is that I will register at no more discussion sites unless they allow that registration via OpenID.

Last edited by rickh; 03-01-2007 at 08:39 AM.
 
03-01-2007, 09:28 AM   #2
Jaqui
OK, I'll bite

No it's not.
It's on the INTERNET therefore it is not secure.
[ packet sniffers, caching on proxies, packet forwarding bots all make the internet not secure ]

The technology behind OpenID may be secure, but any data transmission outside of a secure tunnel is not secure.

I think a better way to phrase it would be: is foo OpenID service provider secure?
[ keeping in mind that eBay and Amazon were both recently hacked ]
We would still have to say that the inherent non-security of the internet means no, they are not secure.
 
03-02-2007, 11:32 AM   #3
Matir
The concept of security very often depends on what you are guarding. I sincerely doubt OpenID will be used at any point in the near future for any sort of e-commerce. It would be nice, but there are too many questions with a decentralized system.

A centralized form with transactions protected by SSL would be far more secure... or even SSL on a decentralized system where the SSL certificates are signed by a central OpenID authority.
 
  

