Domain: openid.net
Stories and comments across the archive that link to openid.net.
Comments · 97
-
Leakage
Try accessing this URL while logged in to Yahoo.
https://developer.yahoo.com/yql/console/?q=select * from social.profile where guid = me
Are you able to harvest a phone number using YQL?
I was. Disturbingly, even after "deleting" the phone number from my Yahoo profile, the query result still includes a phone number.
On a related note, I wish Yahoo would at least properly implement OpenID Connect before delving into more exotic login scenarios.
-
OpenID
If I am responsible for watching reports for multiple sites (I don't want to learn 10 different url/username/password combos for 10 different dashboards + learn to use each one of them)
That's more of an argument for the dashboard provider being an OpenID relying party than for e-mailed reports, so that it can accept logins from Google, AOL, Yahoo, Ubuntu SSO, Myspace, LiveJournal, WordPress, or what have you.
If I need to forward the report to someone else [or] need someone else to temporarily take over watching the reports
Then add the recipient's OpenID identifier as an additional viewer of your dashboard.
If I need to see backwards in history and the dashboard doesn't provide that (as already mentioned above)?
Then request that from your dashboard provider.
If the dashboard is continuously "improving", i.e. they keep hiding the things I want to see every two weeks.
Then report that as a bug to your dashboard provider. The same thing would happen when the format of a static report changes and it leaves out a section on which you have been relying.
-
Re:because
Here is the problem: You constantly hear about don't use the same password on every site. Ok, makes sense, except that a lot of people have login information to 100+ websites. Sure there are tools like keepass or lastpass or whatever, but then you just need to break 1 password to have access to them all
Yeah, if only there was a solution to that problem... Oh wait, there is, it is called "OpenID", just turned out multiple sites want to only act as OpenId providers and fewer sites are willing to act as OpenId relays.
-
Re:Meh- almost just acknowledgement of status quo
...
Running your own openid server is rather simple if you're willing to install some packages.
For fuck's sake, a simple google search results in the following first link: http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server
Many of those listed on that page are either no longer actively maintained, hard to administer or require a web server besides it, making it even more work to set up and administer.
-
Re:I'd pay
You don't even need to set up an OpenID server. Set up a url, put the delegate tags to point to some other server that handles all the delegation. When stackoverflow.com started using OpenID for authentication, MyOpenID was their recommended provider. I read up a bit before signing up and figured out how to do delegation from my own domain name. Now that OpenID is shutting down, I could set up my own server, but I could also just point the delegate information to another OpenID server, or point it to StackExchange, which has become its own OpenID provider.
I have thought of doing that but then openID providers come and go as seen by the subject of this thread. Also I don't want to use others as they can be used by the provider to, effectively, track your web usage. As my goal is to be A) independent of other services and B) to not be tracked on the web, using an openid referrer does not mesh with my goals.
-
Re:What's really needed...
This is the basic goal of http://openid.net/
Using facebook's auth mechanism is mostly just a flavor of this. Though see also http://supergenpass.com/
I don't know any of my passwords. I just know my supergenpass phrase.
-
Re:Walling the gardens
http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server
You can be anyone you want if they use OpenID and you have a server setup.
-
Re:What could go wrong?
Firstly, it would be a good thing for Chrome to generate passwords, but I'd like to see it store them in a keepass DB file instead of holding it in Chrome itself or on Google's servers.
Secondly, OpenID means you don't have to use Google as a provider. Seriously, what is with the 'one password to rule them' bullshit. Use MyOpenID or MyId or Verisign. Or implement your own provider and use that, then you can be the big bad nasty sociopath and volunteer your own ass for Russian hookers.
Come on here and post, but at least try to sound like you have more sense than an immature 14 year old.
-
Re:What could go wrong?
OpenID wasn't created by nor owned by google. It was created by LiveJournal and "run" by a bunch of different people/companies: yahoo, microsoft, symantec, paypal, facebook and so on. It has also been available for years before google jumped in. There are many ways to authenticate as well, not just single password logins.
Here is an official list of recommended providers: http://openid.net/get-an-openid/
-
OpenId
And probably anyone can access it through OpenId (S/A/L), same for Facebook, Yahoo, and anyone who supports OpenId.
"OpenID is rapidly gaining adoption on the web, with over one billion OpenID enabled user accounts and over 50,000 websites accepting OpenID for logins. Several large organizations either issue or accept OpenIDs, including Google, Facebook, Yahoo!, Microsoft, AOL, MySpace, Sears, Universal Music Group, France Telecom, Novell, Sun, Telecom Italia, and many more.
Who Owns or Controls OpenID?
OpenID was created in the summer of 2005 by an open source community trying to solve a problem that was not easily solved by other existing identity technologies. As such, OpenID is decentralized and not owned by anyone, nor should it be. Today, anyone can choose to use an OpenID or become an OpenID Provider for free without having to register or be approved by any organization."
http://openid.net/get-an-openid/what-is-openid/
"openid.ax.required
(required) Specifies the attribute being requested. Valid values include:
"country"
"email"
"firstname"
"language"
"lastname"
To request multiple attributes, set this parameter to a comma-delimited list of attributes."
http://code.google.com/intl/hu-HU/apis/accounts/docs/OpenID.html
-
Re:If FB does become the SSO, at least do it right
An OpenID server is just a regular web page (or set of pages) that receives a request from the site you're trying to login to.
You just have to install a web server (Apache or Lighttpd will do fine), possibly an SQL server to store your info and an OpenID server (in PHP, Python, etc). The OpenID Wiki has a list of servers.
If you already have a LAMP server, installing the OpenID is just a matter of copying the files and possibly setting up the database - depends on the specific server you choose, but it should have instructions anyway.
In my case, I don't actually run an OpenID server, I just changed my homepage HTML to delegate OpenID requests to myOpenId.com. I just had to insert the following tags:
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://icebrain.myopenid.com/" />
<link rel="openid2.local_id" href="http://icebrain.myopenid.com" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
This tells the site that makes the request to authenticate me that he should ask MyOpenID instead. The nice thing is that it's my URL that is associated with my profile, so I can change my provider without having to change any login info in any third-party website.
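As an added illustration of the delegation mechanism this comment describes (example code written for this page, not the commenter's and not from any OpenID library), the following Python script does the discovery step a relying party performs on such a home page: it parses an embedded, constructed copy of the four link tags quoted above, extracts the provider endpoint and local identifier for each protocol version, and flags provider endpoints that are not served over HTTPS. The sample HTML and all function names are this example's own assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a home page carrying the four delegation <link> tags quoted in the comment.
SAMPLE_HOMEPAGE = """<html><head>
<title>Constructed example page</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://icebrain.myopenid.com/" />
<link rel="openid2.local_id" href="http://icebrain.myopenid.com" />
<link rel="openid2.provider" href="http://www.myopenid.com/server" />
</head><body>hello</body></html>"""

# rel values a relying party looks for, mapped to (protocol version, role).
DELEGATION_RELS = {
    "openid.server": ("1", "endpoint"),
    "openid.delegate": ("1", "local_id"),
    "openid2.provider": ("2", "endpoint"),
    "openid2.local_id": ("2", "local_id"),
}


class _LinkCollector(HTMLParser):
    """Collects <link> tags that appear inside <head>; everything else is ignored."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            self.links.append(dict(attrs))

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover_delegation(html):
    """Return {"1": {...}, "2": {...}} with the endpoint and local_id found for each version.

    A version key is only present when at least one of its two rel values was found."""
    collector = _LinkCollector()
    collector.feed(html)
    found = {}
    for link in collector.links:
        rel = (link.get("rel") or "").strip().lower()
        href = (link.get("href") or "").strip()
        if rel in DELEGATION_RELS and href:
            version, field = DELEGATION_RELS[rel]
            found.setdefault(version, {})[field] = href
    return found


def delegation_warnings(found):
    """Return the warnings a cautious relying party would log about a discovery result."""
    warnings = []
    for version, fields in sorted(found.items()):
        endpoint = fields.get("endpoint")
        if endpoint is None:
            warnings.append(f"OpenID {version}: local_id present but no provider endpoint")
            continue
        if urlsplit(endpoint).scheme != "https":
            # The spec allows plain http here; a practitioner would still want the
            # redirect to the provider protected against tampering in transit.
            warnings.append(f"OpenID {version}: provider endpoint {endpoint} is not https")
    return warnings


if __name__ == "__main__":
    result = discover_delegation(SAMPLE_HOMEPAGE)
    print(result)
    for line in delegation_warnings(result):
        print("warning:", line)
```

Running the block on the sample page yields both the OpenID 1 and OpenID 2 pairs and two warnings, one per version, because the quoted endpoints are plain http.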
-
Re:uh, already exists...
Have you tried? It's one of those 'silent' technologies where a site allows OpenID auth and makes no big fuss over it.
Google and Facebook are OpenID providers as well as clients. Client sites include Sourceforge, the telegraph newspaper, StackOverflow, and many others. Look out for the little logo next time you go to sign in somewhere.
Of course, some sites (like yahoo) are openID providers so you can use your yahoo id as an openid id, but do not let other openid ids login to their sites.
apparently 9 million sites support it according to openid.net in 2009.
-
Problem with OpenID
It's called OpenID, http://www.openid.net./ move along, nothing to see here.
The problem with OpenID is that, while lots of big sites will let you use your account with that site as an OpenID (acting as OpenID providers), fewer actually accept foreign OpenID for logon.
Everyone wants their accounts to be the web's single-sign-on, but almost no one big wants to accept sign-ons from elsewhere.
-
uh, already exists...
It's called OpenID, http://www.openid.net./ move along, nothing to see here.
-
Re:Not Really Sold on the Correlations
One leak of the OpenID db, one PFY with a grudge, one Swedish website later and we're all screwed. Plus whoever owns OpenID knows every site you visit and the frequency. Keep it.
The answer to all of those: just run your own - that way it's under your control from the start.
-
Re:Torn
There used to be a time that you could easily host your own OpenID with e.g. http://siege.org/phpmyid.php
You point to http://yoursite.example.com/ instead of the one from Google or any other OID provider.
That way you limit the chance of giving somebody else access as you manage your own login and password.
Some others might be found here : http://openid.net/developers/libraries
-
Re:Single point of failure
Always a great idea. Windows registry anyone?
It doesn't actually have to be a single point of failure though... What ever happened to OpenID?
-
Re:What the heck?
The article is bad. They're actually attacking the HMAC, not the cleartext password. http://lists.openid.net/pipermail/openid-security/2010-July/001156.html
-
Re:We have it. It's called the World Wide Web.
Who controls the data you enter into an OpenID account?
I do. I'm not sure OpenID works the way you think it does.
I'm not even sure how OpenID works. I regularly read the blog entries for MAKE Magazine. One day they switched their commenting system credentials, and it says you can log in with OpenID. Oh, and another page somewhere says that if you've got an account with Google, you've got an OpenID. "Great!", I thought. Except I couldn't figure out how the hell to log in with my google/OpenID to the MAKE blog commenting system.
I'm a software professional. I research and dig through code all the time. I use my Google-fu to find answers. After an hour of surfing, I gave up trying to find the answer to HOW to use my Google acct as an OpenID and log in. I just abandoned the idea of contributing useful comments to the blog. I don't know whether to blame MAKE, OpenID, or myself for not researching for more than an hour.
(In fact, at the moment of this writing, http://www.openid.net/ is answering HTTP requests with some kind of incomplete TGZ response content type. wtf?)
-
Re:No thanks
what about if this starts a trend and all online games start to require such?
This business of every application requiring its own password is a problem in itself. (I've got 400 passwords in my Roboform archive!) That's why so many sites are adopting OpenId.
-
Re:As a Developer
The problem here is if I'm not redirected to PayPal, I'm offering up my palpal authentication information to a third party in the hope that they're going to use it for the transaction I've authorized and nothing else.
If you give your PayPal credentials to a third party and not to a PayPal URL, then yeah... you'll get hacked. No different than a site claiming to support Facebook Connect but showing its own login window instead of Facebook's login window. Or like any OpenID-enabled website. If it doesn't redirect you to the authoritative site you claim to be using, you're screwed.
-
Re:Universal Authentication
See OpenID: http://openid.net/
Decentralized universal authentication.
-
Re:Are they the problem?
Exactly.
OpenID is supposed to help with that. It seems to be slowly gaining support but is still not nearly pervasive enough. It has the advantage of supporting much stronger multi-factor based authentication if you want it (smartcards, etc) and its decentralized nature means you're not putting all your eggs in one basket like most other single sign on solutions.
-
Re:I Wonder Why...
I'm just too stupid to understand their "OpenID for Dummies" web site.
Nope. I went there a few weeks ago because I finally found a need for an openID. The site was laughably bad. It's a nice looking site, but heavy on graphics and hype, and skimpy on facts. It was slow. And the "How do I get an OpenID" linked to a few sites I know and many that I wouldn't trust enough to lend them a dead raccoon. When I tried to log in with what they claimed was my openID, the site timed out. I gave up. Screw it, if they can't even authenticate me with the account they told me was a valid openID, then they obviously have no clue.
It's a good idea badly implemented. That website is a pile of steaming crap. Maybe they should skip all the crap on the page about "The OpenID Foundation membership has approved OpenID Provider Authentication Policy Extension 1.0 as an OpenID specification " and other crap nobody cares about and tell me, in a concise fashion, why I'd want an openID and how I can get one. Then back that up with a site that, you know, works.
-
Re:What bothers me about OpenID.
Also if you really don't trust the OpenID provider you can simply run your own.
Honestly it's not that complicated http://wiki.openid.net/Run_your_own_identity_server
-
Re:I was not aware of this meta tag.
So part of the spec requires my webserver to go *fetch and parse your personal web page* to see if it has a <link rel="openid.server" /> tag in it to meet the spec?
Yeah, pretty much. It's described here.
-
Re:Google... learning more from Microsoft everyday
The standard: http://openid.net/specs/openid-authentication-2_0.html
Sections 7.2 and 7.3 deal with this. Google is, it seems, following OpenID 2.0, as far as indirection is concerned.
It was implied, though, that Google's allowing "username@example.com" rather than the typical "username.example.com". If they want to accept that, fine; but if they want to require that from other people, that's not so great.
-
Re:Hope OpenID blocks their use of the name.
I'd really hope that whoever owns the OpenID trademark comes after them and forces them to stop calling whatever they're doing "OpenID". If it's not compatible with an existing specification, it's not OpenID. They will risk seriously devaluing their trademark if they allow incompatible implementations to use the name. They need to be ruthless about this. Google can do whatever it wants and call it "GoogleID", but if it's called "OpenID", it needs to be compatible with everyone else claiming to be that.
http://openid.net/what/ says:
... OpenID is not owned by anyone, nor should it be.
...And considering the guy that created OpenID (Brad Fitzpatrick) now works for Google, and Google has a seat on the board of OpenID, I don't see much happening
-
Re:Can't say I ever used Twitter
There is a protocol to handle this already, and Twitter could've easily used it instead of randomly handing people whatever username came to mind.
To be honest with you, I'm glad that OpenID or something like it has not taken off. I personally like the "chaotic Internet" where one login credential is entirely separate from another and it's up to me to keep track of them. Keeping up with them is a very tiny burden, I do it gladly, and there are plenty of good tools that make it a breeze. To me, the convenience of a system like OpenID is either non-existent or insignificant, while the privacy implications of not only making it easy to profile my browsing but also of doing most of the profiling work myself are severe. I'm sure that the proponents of OpenID have a long list of reasons why I should not worry about privacy implications, but I'm just not buying it. Once personal data is centralized, it has a nasty tendency to stay that way. That kind of accurate, self-managing, neatly profiled data is a marketer's wet dream.
I'm one of those strange people who does things based on principle and a concept of whether this is really the best solution. So, for example, I block trackers like Google-analytics despite any argument or any evidence which demonstrates that it's really rather harmless. Why? Because I never signed any document or made any agreement giving any entity the right to track me and profile me. Personally, I need no other reason to make such tracking as difficult as possible, so I often laugh when I see the subject come up from time to time and I see all of these intricate arguments about what is and is not tracked and why you should or shouldn't worry about it. To me those are needless complications of what is actually a very simple issue. I assume that everyone has the right to privacy and that any entity which tries to reduce a user's privacy (no matter how benign the stated reason may be) without full disclosure and the express consent of that user is acting like an invasive force and that refusing to go along with it is only right and proper. Isn't that so much easier than all of these rationalizations for why we should accept the loss of privacy as though it were some inevitable landmark along the path of human progress? Beware of the motivations of anyone who wants you to believe that; they either have an agenda or a victim mentality and neither one is any good.
So back to OpenID. The advantage: one-stop management of many online accounts. The disadvantage: yet more centralization of private data and an increased ease with which it could be disclosed (intentionally or otherwise). I will be harshly honest -- I think there is something seductive about promises of convenience and reduced effort (especially for things which are already very easy) and I likewise think that there is something cowardly about people who value such promises more than they value their own freedom and privacy. I am not referring to you personally with that sentence, but rather to the large numbers of people who will gladly trade what is priceless in exchange for what has a price and sincerely believe that they have found a bargain.
-
OpenID and phishing
This won't solve the problem but the OpenID Community Wiki has a page documenting different ways in which phishing might occur, as well as a collection of recommendations.
Probably in the long term, assuming OpenID becomes popular, it might come down to browser makers to specifically recognise OpenID, and do things like let the user specify who their OpenID provider is so that it can make it really obvious when the user's logging into the correct place. E.g. if the browser doesn't start flashing its borders bright pink when the user visits their claimid.com login page, the user might suspect that they're giving their credentials to the wrong website.
-
Re:Color Me Confused
My understanding is that one should set up OpenID delegation, which allows you to have a static OpenID but still use third-party providers for the authentication portion. Anyone with a web presence can do this, and it's actually preferred to hosting your own OpenID server since it shows that someone else also vouches that you are who you say you are. Here is some further reading.
-
Re:Color Me Confused
Mod parent up!
This question is one that appears to not yet have been raised in the OpenID security discussion. In these times of phishing attacks on OpenID this should bear heavy on the mind.
For more information, this article is a good jumping off point.
-
Microsoft is not an OpenID Relying Party
As many here have already mentioned, OpenID is only useful when there are lots of web sites that are willing to be an OpenID Relying Party. Microsoft is not. They only want to be a provider -- which is no surprise. Microsoft doesn't want to be open and useful and let you log in with an ID from some other place -- they want to be your identity provider, because they want to be the ones in control of your online identity.
Nice to see that the "kinder, gentler" post-Gates Microsoft is just as ruthless and selfish as ever.
Ask yourself this question: if you have a single sign-on for the web, who would you want managing it for you? For us geeks out there, the answer is simple: run your own identity server. No one controls it but you. For non-geeks ... please, anyone but Microsoft.
-
Re:OpenID
No: Does accepting OpenID logins protect me from spam?
There have already been cases of "OpenID spam".
-
OpenID Isn't Tied to Passwords
There seems to be a slight misconception in the NY Times article around OpenID being tied to passwords. OpenID does not specify the authentication mechanism for the user to their OpenID Provider which means that we've seen many companies (including Microsoft) experiment with alternative authentication mechanisms atop OpenID. The big benefit OpenID then provides them is that they're instantly able to start letting users use their new authentication mechanism at any site which accepts OpenID logins. More about this over at http://openid.net/2008/08/10/challenges-facing-openid/.
-
Re:Defeat the purpose?
top of it, I haven't had any luck on getting these providers setup as authenticators for anything other than their own domains. I.E. I can be JimBob at Yahoo.com, and JimBob at Blogger.com, and JimBob at Facebook.com, but I can't set any of them up to authenticate me as "JimBob" of "random URL". Which completely destroys any utility of their membership in this group.
Of course you can. As long as you control "random URL", you can add OpenID delegation code in your source. Then you can use your random URL as your ID, but still use Facebloggerhoo as backend authentication.
-
UseNet is obsolete
(Yes, deliberately provocative subject. Please read on.)
UseNet originated at a time when a vast portion of its network was built upon store-and-forward technologies such as UUCP, BITNET, and various homegrown protocols for the smaller sites. If you could do store and forward you could probably carry newsgroups.
Today, everyone has interactive Internet access. That's why no one is scrambling to "fix" UseNet. Today's users Google for what interests them, and they eventually find themselves on a relevant message board. That message board is probably not replicated to thousands of other servers across the globe, because the whole world can already reach it directly.
The only nuisance is that you have to create accounts on all these systems. Hopefully, technologies such as OpenID will fix that.
(And yeah, there are plenty of smaller message boards that thrive specifically because they are smaller scale than UseNet. I've been a BBS sysop for 20 years, and our community is thriving because everyone has the opportunity to know everyone else without having to deal with a 1% signal to noise ratio. It also helps that we offer both text and web based user interfaces to the same message boards, so we can be equally as welcoming to newbies and old-skool green screeners.)
-
Re:Defeat the purpose?
Actually no.
You do tell them you are "JimBob". More than one person may rely on "random URL" for their ID, similar to "JimBob" of Yahoo.com
You are not asserting that you have control over anything, if you do it properly then you should have control over "random URL" to the point where you can change who is providing the authentication, but it is not necessary for the schematic. Otherwise Yahoo et al. would not be providers.
I suggest glancing over the specs for authentication: Version 2 or Version 1 for clarity.
-
Ok, the summary and article stinks
GAWD the amount of "OMG Single point of failure PONIES" posts is ridiculous.
You do NOT give OpenID all your passwords and logins.
It's not turning all those accounts over to a third-party and them giving you a single login and password.
It's using ONE account at MANY other sites in a limited form.
Example: using my account here (http://www.slashdot.org/~GrumblyStuff/), I'd post it into the separate OpenID field on say... MySpace.
This takes me to a confirmation page on Slashdot that requires being logged into said account. You're logged in? Then everything is peachy and you can be added to friends, add friends, write comments, whatever on MySpace. You'll have an account there that simply has a link to your Slashdot account.
THAT'S IT.
I RTFS. I RTFA. I even went to the OpenID website to make sure they hadn't gotten some dumb fuck idea like most everyone writing comments here is freaking out over.
OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.
Note the key phrase "eliminates the need for multiple usernames". That means not needing an account at MySpace, Facebook, or Livejournal to message a friend.
I don't know how AOL, Wordpress, and Yahoo fit in (if they got blogs or if it's to be used with IMs or email) but it works alright with regular blogs. (I don't know wtf Vox is though.)
-
Biometric
When I read this story, I decided to get my Thinkpad fingerprint working.
So ThinkFinger stores 3 copies of what my finger looks like on my local PC. That makes sense for auth on a local machine. How does this work on an enterprise scale? Are the fingerprint details sent to a remote central storage system which then confirms a match?
If that assumption is correct, how would OpenID-enabled websites work with that? Would your account somehow point to your OpenID "provider" which would have your fingerprint to confirm authentication against? Would the fingerprint go just from the PC you are at to the OpenID provider, which will say, "Yes, it's good" or go via the website first?
With such a single sign-on system, if it did go to the website first, wouldn't there be a danger of some "bad" (or compromised) website storing my fingerprint? I know I don't have my head around how this all works just yet - any good explanation of the technical details? The overview doesn't help much there.
-
Re:A quarter _BILLION_?
Could you explain in more detail how using OpenID to verify to a mailto: URI would work? Setting up an auto-responding script?
I have not researched the mechanism of OpenID, only pointed out that their site referenced URIs, which the wiki defines as a superset of URLs, and did not on the same page offer a declaration of what subset of URIs they actually support. By that omission, I thought it a fair reading that all URIs are supported.
The only thing I can see necessitating them to use the vague term URI instead of the specific term URL is RFC 3305 (referenced in their OpenID RFC) which basically says, screw the differences between URI, URL, URN, URC, etc. and just call everything a URI.
So, fuck it, I don't really care that much about it to argue about it further other than say yeah, of the whole set of URIs they only support a tiny subset of URLs: http and https and these new XRI(TM)s, and probably really only a tiny subset of them as well. (Hard to tell when things like table 5 persistently presents itself partially off the left of my browser window regardless of window size.)
-
Re:A quarter _BILLION_?
According to the OpenID site it uses a URI, which includes "mailto:" URIs.
For AOL IDs, its "openid.aol.com/screenname".
-
SHA1 signing? I think I'll pass.
After reviewing the OpenID RFC I was a little disappointed to see that messages are signed with SHA1, or SHA256 (if supported.)
To me, this suggests that the majority of OpenID supported sites/providers use SHA1, of which rainbow tables have been available for some time. I think with this in mind, man in the middle becomes a legitimate attack vector, so if I can man in the middle you to determine your MAC, then I can impersonate you on any OpenID supported site?
Yeah where can I sign up for _this_, and should I use my SSN as my MAC key?
-
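For the signing discussion in this comment and the earlier "Re:What the heck?" comment, here is an added Python example (written for this page, not from any commenter and not from openid.net) showing the step an OpenID 2.0 relying party performs on an assertion: it recomputes the HMAC (SHA-1 or SHA-256, depending on the association type) with the association's shared MAC key over the Key-Value form of the fields named in openid.signed, and compares it in constant time with the presented openid.sig. The MAC key and assertion fields are constructed sample values; in practice the key comes from the association established with the provider. The check also rejects a response whose openid.signed list omits fields the spec requires to be signed.

```python
import base64
import hashlib
import hmac

# Association types defined by OpenID Authentication 2.0 and the hash each one uses.
ALGORITHMS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

# Fields the spec requires in openid.signed, and fields that must be signed whenever present.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
CONDITIONAL_SIGNED = {"claimed_id", "identity"}

# Constructed sample values; a real MAC key is the one negotiated in the association.
SAMPLE_MAC_KEY = bytes(range(32))
SAMPLE_ASSERTION = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.com/server",
    "openid.claimed_id": "https://alice.example.com/",
    "openid.identity": "https://alice.example.com/",
    "openid.return_to": "https://rp.example.org/openid/return",
    "openid.response_nonce": "2010-07-01T12:00:00ZCONSTRUCTED",
    "openid.assoc_handle": "constructed-handle-1",
}
SIGNED_NAMES = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]


def key_value_form(fields, signed_names):
    """Key-Value form of the signed fields, in openid.signed order: one 'name:value' line each,
    with the 'openid.' prefix stripped from the name. This is the byte string the MAC covers."""
    lines = [f"{name}:{fields['openid.' + name]}\n" for name in signed_names]
    return "".join(lines).encode("utf-8")


def compute_mac(fields, signed_names, mac_key, algorithm):
    """HMAC over the Key-Value form with the association's MAC key."""
    return hmac.new(mac_key, key_value_form(fields, signed_names), ALGORITHMS[algorithm]).digest()


def sign_assertion(fields, signed_names, mac_key, algorithm="HMAC-SHA256"):
    """Provider side: return a copy of the message carrying openid.signed and a base64 openid.sig."""
    signed = dict(fields)
    signed["openid.signed"] = ",".join(signed_names)
    mac = compute_mac(signed, signed_names, mac_key, algorithm)
    signed["openid.sig"] = base64.b64encode(mac).decode("ascii")
    return signed


def verify_assertion(fields, mac_key, algorithm="HMAC-SHA256"):
    """Relying-party side: confirm the required fields were signed, recompute the MAC and
    compare it in constant time. Any malformed input yields False instead of an exception."""
    try:
        signed_names = fields["openid.signed"].split(",")
        if not REQUIRED_SIGNED <= set(signed_names):
            return False
        for name in CONDITIONAL_SIGNED:
            if "openid." + name in fields and name not in signed_names:
                return False
        expected = compute_mac(fields, signed_names, mac_key, algorithm)
        presented = base64.b64decode(fields["openid.sig"], validate=True)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, presented)


def demo():
    """Sign the constructed assertion, then show that altering a signed field breaks verification."""
    signed = sign_assertion(SAMPLE_ASSERTION, SIGNED_NAMES, SAMPLE_MAC_KEY)
    tampered = dict(signed)
    tampered["openid.claimed_id"] = "https://mallory.example.com/"
    return verify_assertion(signed, SAMPLE_MAC_KEY), verify_assertion(tampered, SAMPLE_MAC_KEY)


if __name__ == "__main__":
    print(demo())
```

A real relying party would follow this with the return_to and response_nonce checks; the block isolates the signature step so the role of the MAC key and of the openid.signed list is visible on its own.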
Licensing
As Brad Fitzpatrick (the father of OpenID) said, "Nobody should own this. Nobody's planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community." (from http://openid.net/what , emphasis mine)
I'm no expert on such things, but wouldn't you want an extremely restrictive license, to prevent providers from "improving" the concept and breaking interoperability? Or having the more "trusted" providers begin charging for the service? Although I suppose this depends on Fitzpatrick's definition of liberal.