openid?
October 6, 2009 11:02 AM

should I get an openID? Do you have one?

as I understand it so far:

advantages:
-convenience of not having to remember dozens of logins when I visit sites online. As I understand it, I just type in my openid url.

cons:
-this seems like a real security threat. Whether from phishing scams and fake redirects on questionable websites, to just having a bunch of my logins in a central openid location which if compromised is rather like losing my online wallet.

Thoughts? Recommendations? Thanks!!
posted by jak68 to Computers & Internet (22 answers total)
I have an account I haven't used in about a year, but unless they've changed something I'm pretty sure it doesn't store your passwords at all - other than your openid password itself. What it does is provide you with a singular login (and password) that a bunch of sites will accept.
posted by Xany at 11:08 AM on October 6, 2009


ok, so for instance, as openid.net explains, can you tell me if I've understood this right?

As I understand it, if I already have, say, a yahoo account, and am currently logged into my yahoo account, when I go to another website which has "login with a yahoo account" on it, I can basically click that and use my yahoo login, which is functioning basically as an openid login, and so, so long as I'm logged into yahoo, I can, with a click, log into all the websites which accept the yahoo login.

Is that right?

The reason I'm looking at the yahoo thing is because, a) I have a yahoo account already; b) openid.net says in effect then I already have an openid account; c) since yahoo is affiliated/owns flickr, if the website I'm at is looking for an openid url, then I can just put in the url as www.flickr.com/username, and if I'm logged into flickr, then that's all I need at the given website. So for me it means I don't really need to get any other separate openid account anywhere.

So basically is that the idea? that if I'm already authenticated at yahoo then these other sites are basically saying they'll accept that as their own login?

And hence no other passwords are stored anywhere else and etc? So is that basically how it works? (Sorry, I'm new to this concept!)
posted by jak68 at 11:14 AM on October 6, 2009


I ... *scratches head* ... this is a good question. I just had a look at their website and it appears that how it works for livejournal OpenIDs (which I used) is slightly different from Yahoo. LJers get a "Sign in with OpenID" box rather than a "Sign in with Yahoo" ... but Flickr works the same way so I believe you have it right, yes.

In any case there isn't any password storage anywhere on OpenID itself.
posted by Xany at 11:25 AM on October 6, 2009


What it does is provide you with a singular login (and password) that a bunch of sites will accept.

Right, so how is this not a security threat? All a person needs is one login and password to access all of your stuff.
posted by desjardins at 11:25 AM on October 6, 2009


It's a security threat, but I don't know if it matters practically. Most websites with their own logins are only as secure as your email anyways, since you can use password reset.
posted by smackfu at 11:38 AM on October 6, 2009


Yeah, I was wrong about that part. Apparently all it is is a system to allow you to use your existing username (from whatever site) to log in to other sites.
posted by Xany at 11:39 AM on October 6, 2009


Right, so how is this not a security threat? All a person needs is one login and password to access all of your stuff.

Your password never goes to the sites that are using OpenID authentication. The three parties (you, the provider of authentication and the target website) all collaborate to authenticate you. In essence, if you are trying to visit say stackoverflow.com and use yahoo.com to be your openID provider, you are asking yahoo.com to vouch for your identity. yahoo produces something to the effect of "hey stackoverflow.com this user is Mr. Blahblah". stackoverflow.com can check that this vouching is correct but can't use this to impersonate you at nytimes.com or someplace else.
posted by mmascolino at 11:51 AM on October 6, 2009


mmascolino, why couldn't they use it? I mean, all they need is that url, right? which they have soon as I type it in.
Then they go to another openID site, type in the same url, and if I haven't caught on and logged out of yahoo, poof-- they're in.
And if I later change my password at yahoo, would that really 'break' their ability to get in soon as I log back into yahoo?

What am I missing? Seems like all they need is my flickr url, or for me to be logged into yahoo, for them to access all my logins with my openid url.
posted by jak68 at 11:55 AM on October 6, 2009


They need your flickr URL and they need to be logged into Yahoo.

Like I just tried to use Yahoo OpenID authentication at Stack Overflow, and they sent me to Yahoo, and Yahoo gave me a login page. I can't get any further without logging in. This does put all your eggs in the Yahoo basket though, which was the discussion upthread.
posted by smackfu at 12:29 PM on October 6, 2009


Not exactly, you being logged into Yahoo/Flickr does not mean that the attacker is also logged into your Yahoo account in another browser session on another machine. It is the same logic that prevents an attacker from reading your Yahoo email from another browser just because you are logged in at that moment.

Referring to this explanation: http://openid.net/get-an-openid/start-using-your-openid/

In step three, the authentication check occurs on the OpenId provider's site, not the site you are attempting to access. In other words, Yahoo will prompt you with a login screen if you're not logged in to Yahoo/Flickr for that browser session.

Your other concerns may be more valid:

Single sign-on means only one password to guess/crack - use a strong password, change it frequently. Arguably, having one sign-on to update makes it more likely you'll follow those best practices.

Phishing scams - it doesn't seem there is anything preventing an attack site from redirecting you to a fake provider site. I suppose your only defense would be standard phishing precautions: ensure https, confirm the address bar, verify the certificate.
posted by Loser at 12:36 PM on October 6, 2009
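To make the three-party explanation above concrete (the provider vouches for you, the target site can check the vouching but cannot reuse it elsewhere), here is an added, simplified model of an OpenID positive assertion and the checks a relying party performs on it. This is illustration code written for this thread, not anything from openid.net or a real provider: the per-site HMAC key that OpenID 2.0 normally negotiates through an association is simply handed to both sides, and the signed field list is trimmed to the three that matter for the argument.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlparse

# Added illustration (not from the thread): a simplified OpenID "positive
# assertion" that the provider hands back to a relying party (RP). Real
# OpenID 2.0 negotiates the HMAC key per RP (the "association") and signs a
# key:value list with HMAC-SHA1 or HMAC-SHA256; here each RP is just given
# its own random key so the exchange can run offline.

def _signed_bytes(fields: dict) -> bytes:
    """Key-value form of the signed fields, in the order listed in openid.signed."""
    names = fields["openid.signed"].split(",")
    return "".join(f"{n}:{fields['openid.' + n]}\n" for n in names).encode()

def provider_assert(assoc_key: bytes, claimed_id: str, return_to: str) -> dict:
    """The provider vouches 'this user is claimed_id', bound to one RP and one nonce."""
    fields = {
        "openid.claimed_id": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": f"{int(time.time())}Z{secrets.token_hex(6)}",
    }
    fields["openid.signed"] = "claimed_id,return_to,response_nonce"
    fields["openid.sig"] = hmac.new(assoc_key, _signed_bytes(fields), hashlib.sha256).hexdigest()
    return fields

def rp_verify(assoc_key: bytes, assertion: dict, my_host: str, seen_nonces: set) -> bool:
    """What a relying party checks before trusting an assertion."""
    expected = hmac.new(assoc_key, _signed_bytes(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["openid.sig"]):
        return False                      # tampered, or signed under another RP's key
    if urlparse(assertion["openid.return_to"]).netloc != my_host:
        return False                      # issued for a different site
    if assertion["openid.response_nonce"] in seen_nonces:
        return False                      # replay of an assertion already consumed
    seen_nonces.add(assertion["openid.response_nonce"])
    return True

def demo() -> dict:
    """The thread's scenario: one assertion presented to several sites (constructed values)."""
    so_key, nyt_key = secrets.token_bytes(32), secrets.token_bytes(32)
    seen = set()
    a = provider_assert(so_key, "https://me.yahoo.com/example-user",
                        "https://stackoverflow.com/openid/return")
    results = {"stackoverflow_first": rp_verify(so_key, a, "stackoverflow.com", seen)}
    results["stackoverflow_replay"] = rp_verify(so_key, a, "stackoverflow.com", seen)
    results["nytimes_with_own_key"] = rp_verify(nyt_key, a, "nytimes.com", set())
    results["nytimes_with_so_key"] = rp_verify(so_key, a, "nytimes.com", set())
    forged = {**a, "openid.claimed_id": "https://me.yahoo.com/someone-else"}
    results["tampered_claimed_id"] = rp_verify(so_key, forged, "stackoverflow.com", set())
    return results
```

Only the first presentation succeeds: the signature fails at any site holding a different key, the `return_to` check fails even if the same key were reused, and the nonce check rejects a second presentation at the original site.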


thanks smackfu.

one last question (for me anyway) -- did you get sent to the yahoo login page regardless of whether you were already logged in at yahoo? (This would make more sense to me I guess).
posted by jak68 at 12:37 PM on October 6, 2009


Having all your eggs in one basket is the thing that worries me about open id, if your chosen openID supplier closes shop or your account is locked out for any reason (e.g. too many wrong password attempts) then you will be locked out of *everything*.
The alternative is to just generate your own set of passwords using an open hash algorithm you can find in multiple places.
posted by Lanark at 12:50 PM on October 6, 2009


OpenID is a mess. It's kinda like a kerberos for the web, where everyone just decides to allow anyone to act as a realm.

There is exactly one sane way to implement openID, in multiple steps:

1. Buy a domain, and an SSL certificate for it. This domain is your openID.
2. Find some hosting for this domain. Preferably with exclusive access so only you can touch it.
3. Install a password authentication system.
4. Place an OpenID delegate link in your official openID page to the installed auth system.
5. Make sure both your openID URL and the authentication delegate use HTTP and are secure.
6. Cry as you realize that few of the openID providers you could have delegated to instead will accept your openID.

This setup allows you to own your identity, and delegate authentication only to trusted individuals. Except it costs you hosting, domains, and certs. You might notice Verisign is a sponsor of openID. You now know why.
posted by pwnguin at 1:48 PM on October 6, 2009


Err,

5. Make sure both your openID URL and the authentication delegate use HTTPS and are secure.

That S is pretty important if you don't want someone to fake your openID to someone else.
posted by pwnguin at 1:52 PM on October 6, 2009
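Step 4 of the checklist above, the delegate link on your own identifier page, is what a relying party reads during discovery. As an added illustration (not code from the thread or from any OpenID library), here is a small discovery routine over a constructed identifier page: it pulls the OpenID 2.0 `openid2.provider` / `openid2.local_id` links (falling back to the OpenID 1.1 `openid.server` / `openid.delegate` names) and flags the case the follow-up correction warns about, where any of the URLs involved is not HTTPS. The domain names are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added illustration, not from the thread: HTML-based ("link rel") discovery
# on a self-hosted OpenID identifier page. openid2.provider/openid2.local_id
# are the OpenID 2.0 names; openid.server/openid.delegate the 1.1 equivalents.

class _LinkRelParser(HTMLParser):
    """Collect the first href seen for every openid* rel value on the page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            if rel.startswith("openid") and a.get("href"):
                self.links.setdefault(rel, a["href"])

def discover(identifier_url: str, page_html: str) -> dict:
    """Resolve delegation links and report whether every URL involved is HTTPS."""
    p = _LinkRelParser()
    p.feed(page_html)
    provider = p.links.get("openid2.provider") or p.links.get("openid.server")
    # Without a delegate link the identifier URL itself is the local id.
    local_id = (p.links.get("openid2.local_id")
                or p.links.get("openid.delegate")
                or identifier_url)
    urls = [identifier_url, local_id] + ([provider] if provider else [])
    https_only = all(urlparse(u).scheme == "https" for u in urls)
    return {"provider": provider, "local_id": local_id, "https_only": https_only}

# Constructed sample identifier page: a personal domain delegating to a hosted
# provider (both names are placeholders, not real services).
SAMPLE_PAGE = """<html><head>
<link rel="openid2.provider openid.server" href="https://auth.example.net/openid/server">
<link rel="openid2.local_id openid.delegate" href="https://auth.example.net/id/alice">
</head><body>alice's identifier page</body></html>"""
```

A relying party that finds `https_only` false should treat the identity as spoofable, which is the point of the HTTPS correction.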


thanks for the great info everyone. I was afraid it wasn't going to be simple. :( I think ima sticking with Roboform for now :/
OpenID is a nice idea, and maybe it's worthwhile for less sensitive sites that I visit around the web, but I'm glad to know its limits too.
posted by jak68 at 2:01 PM on October 6, 2009


It's not too bad, if you happen to already do most of the things on the checklist. It was designed as a system for bloggers, after all, who will have a blog (1) of their own, and an existing blog authentication system (2) already in place. Admittedly, I don't yet have an SSL cert and delegate the auth to LJ.

There are services that will host openID for you, should you desire. But you have to consider their own security and trustworthiness. Systems like Roboform and PwdHash are a bit simpler if you're not yet a full netizen, and include safeguards against phishing.
posted by pwnguin at 2:22 PM on October 6, 2009


Personally I got an OpenID from Yahoo to see what all the fuss is. I only use it at one other site and I find it a complete pain in the butt. It's a long URL of mostly-random characters that I have to copy and paste and would have no hope of ever remembering if I needed to.
posted by IndigoRain at 5:35 PM on October 6, 2009


That's why you register a domain, so you can remember it and own it. Hopefully you don't register a long string of mostly-random characters.
posted by pwnguin at 10:11 PM on October 6, 2009


IndigoRain: You don't have to remember your personal Yahoo! OpenID URL; you can just type in 'yahoo.com' as your OpenID identifier and it'll still work. (This is the discovery step of the protocol at work.)
posted by chrismear at 3:53 AM on October 7, 2009


Incidentally, the other side of the security argument is that with OpenID you aren't giving out your password to every random website with dubious security. Doesn't matter if you use a different password at every site of course, but how common is that among the general public?
posted by smackfu at 5:29 AM on October 7, 2009


chrismear: "IndigoRain: You don't have to remember your personal Yahoo! OpenID URL; you can just type in 'yahoo.com' as your OpenID identifier and it'll still work. (This is the discovery step of the protocol at work.)"

Huh. I'll have to try that.

pwnguin: "That's why you register a domain, so you can remember it and own it. Hopefully you don't register a long string of mostly-random characters."

No, Yahoo generated something like me.yahoo.com/longassstringofrandomness.
posted by IndigoRain at 9:04 PM on October 7, 2009


HA! It worked. That's just crazy. Well then, it's simpler than I thought.
posted by IndigoRain at 9:06 PM on October 7, 2009

