Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid
 
PerlMonks  

Re: PerlMonks OpenID provider?

by dHarry (Abbot)
on Sep 18, 2008 at 11:56 UTC ( [id://712246]=note: print w/replies, xml ) Need Help??


in reply to PerlMonks OpenID provider?

My concern is the security part. How secure is this OpenID? I read some stuff on identityblog on OpenID and I am not sure what to make of it. For submitting a Perl post on a forum I can probably live with the level of security. (Loggon on to the Monastery means submitting your password over http which is also not particular safe).

But OpenID will most likely quickly turn into a silver bullet (IT history is full of examples) and be (over)applied to any authentication/authorization problem. I would like to know more about it before I go gung-ho on OpenID. It does look like an interesting initiative though (at first sight).

Replies are listed 'Best First'.
Re^2: PerlMonks OpenID provider?
by mr_mischief (Monsignor) on Sep 18, 2008 at 13:58 UTC
    An interesting security aspect of trust-based authentication is that authentication for every site using it is only as secure as the least secure trusted site.

    I'm not very familiar with OpenID as the buzzword du jour, but I'm guessing a site administrator can specifically distrust authentication information from particular sites. That's a good security move. When you start broadly wild carding denials or switching over to explicit acceptance instead of explicit denial then it's not exactly "open" any longer. It just becomes a small ring of trust, which is frankly not that exciting to me.

    I mean, do you really want to trust Bob's Computer Shop to allow logins to your site? Slashdot? 4chan? If Business Week is suffering from SQL injection attacks on their main page, do you really want all their blog commenters to log in all over the rest of the web with trust credentials?

      "I mean, do you really want to trust Bob's Computer Shop to allow logins to your site?"

      Why wouldn't you? For the average site (like the one mentioned in the OP), it really doesn't matter who handles authentication (not authorization). Now let's leave banks and websites like that out of the question. Digg? Slashdot? Perlmonks? JoeSchmoe-Forum? Does it really matter who handles authentication?

      Sure, Bob's Computer Shop could be faking credentials, but with regular password based authentication on your own site, you're really no better off. (Palin's Yahoo! mailbox anyone?). With sites like bugmenot.com, password based authentication is definitely no better IMHO.

      But I'd like to hear some arguments of the "haters" :)

      --
      b10m
        Flippantly calling people "haters" because they see legitimate flaws in something you like is as offensive and juvenile as calling people "fanbois" because they see legitimate benefits in something you dislike.

        The difference between OpenID and independent authentication is that if PM was compromised as an independent site, just PM is affected. If it was compromised as an OpenID provider, then everyone who accepts its authentication information is affected until the situation is noticed.

        It makes OpenID providers sweet targets not just for what their sites offer on-site, but for who trusts their credentials. The consumer as the real target of an attack will not just have their own software and network as attack vectors, but all the software and all the networks of every site they trust. When the weakest one falls, there are people with illegitimate access to the real target even if their security was otherwise flawless.

        I'll use your example of Governor Palin's weak password which was guessed by the son of a political rival. We can either have the Governor's personal email compromised and stop at that, or we can have some punk kid posting all over the Internet as the Governor of Alaska for a couple of days before people realize what is happening. I certainly know which I prefer.

        It's bad enough that by having all of Yahoo under one login structure he could have impersonated her rather than exposing her email messages. This kid could have signed her up for personal ads and joined potentially objectionable discussion groups. He could have participated in sexually charged chat as her in the chat rooms and used Yahoo messenger to start flirting with state interns. Then, instead of showing that her account was compromised, he could have just announced what the account had done and who the account holder was. That could have been a much bigger political scandal than what came to pass.

        Why wouldn't you? For the average site (like the one mentioned in the OP), it really doesn't matter who handles authentication (not authorization). Now let's leave banks and websites like that out of the question. Digg? Slashdot? Perlmonks? JoeSchmoe-Forum? Does it really matter who handles authentication?
        To me it does matter. If it's not secure, somebody could easily log in as moritz, and with a few writeups could destroy the reputation (and perhaps even trust) that I built by writing more than 2000 posts. (By reputation I don't mean XP right now).

        Loosing the account would be very bitter, and I'm quite sure that frequent users of other sites think similarly.

        If a site isn't important to you, you can post as Anonymous Monk or "Anonymous Coward" or with a bugmenot account. If it is important to you, then security matters for you.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://712246]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others admiring the Monastery: (3)
As of 2024-04-25 17:15 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found