Slashdot Mirror

← Back to Stories (view on slashdot.org)

AOL Now Supports OpenID

Posted by Zonk on from the making-progress dept.

Nurgled writes "On Sunday John Panzer announced that AOL now has experimental OpenID server support. This means that every AOL user now has an OpenID identifier. OpenID is a decentralized cross-site authentication system which has been growing in popularity over the last few months. AOL is the first large provider to offer OpenID services, and though they do not currently accept logins to their services with OpenID identifiers from elsewhere, they are apparently working on it. The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology."

37 of 163 comments (clear)

  1. redundant acronym syndrome RAS by evilbessie · · Score: 5, Funny

    I'll have a personal Identification PIN number please, what the hell is an OpenID identifier if not an OpenID ID?

    1. Re:redundant acronym syndrome RAS by Anonymous Coward · · Score: 2, Funny

      I don't see what your problem is with "personal identification PIN number"; I use mine every time I go withdraw money from the automated teller ATM machine.

    2. Re:redundant acronym syndrome RAS by Vexo · · Score: 2, Informative

      Open Identification Identifier, the OpenID ID. It doesn't quite repeat itself.

  2. Re:So?? by MisterCookie · · Score: 3, Insightful

    People who don't want to manage 5000+ usernames.

  3. Cool... by Spyder_Snyper · · Score: 4, Funny

    So the idea is pretty cool... Now that you've got an OpenID, you could go ahead and use that login on whatever else supports OpenID. The problem lies with the fact that 50% of AOL's userbase doesn't even own a computer. According to some stats that AOL released some time ago...

    1. Re:Cool... by fyrewulff · · Score: 3, Insightful

      When I worked at the library, a majority of the tweens and teens came in just to check/update their MySpace. they didn't even have a computer at home.

      --
      "We need to get over this notion, that, for Apple to win... Microsoft must lose." - Steve Jobs, 1997
  4. Why would we want OpenID? by Anonymous Coward · · Score: 5, Insightful

    Single sign-on across the internet is a bad idea. As more sites require it, people's web browsing habits will be tracked on an unprecedented scale. Seriously, what benefit does it provide? I certainly don't want to log onto my bank's website automatically. And in general, I don't want to reveal anything about my identity unless there is a very good reason to do so. The whole purpose of OpenID and similar technologies is to make it easier to track people. This is not the way I want the internet to develop.

    1. Re:Why would we want OpenID? by Wesley+Felter · · Score: 2, Informative

      If you sign on to multiple sites with OpenID, they can compare their databases to correlate logins. For example, if you tell one site that your girlfriend's name is Marla and you tell another site that your hobby is making soap, then the sites can combine this information.

    2. Re:Why would we want OpenID? by networkBoy · · Score: 3, Funny
      It's a non-issue.
      From TFS:

      The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology good luck with that one...
      Brings back thoughts of eternal september
      -nB
      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    3. Re:Why would we want OpenID? by EchoD · · Score: 2, Informative
      From what little research I have done, it's possible to host your own OpenID server.

      [...] your username is your URI, and your password (or other credentials) stays safely stored on your OpenID Provider (which you can run yourself, or use a third-party identity provider). [...] From http://openid.net/ Which means the centralized database of your browsing habits would be on your own server. With browser history, this already exists. Sure, OpenID may not be suitable for online banking, but it would sure make things easier when it comes to making one or two posts on a forum you're rarely going to visit.
      --
      If I only had a moose...
    4. Re:Why would we want OpenID? by Anonymous Coward · · Score: 2, Insightful

      I don't consider myself to be a "privacy nut", but I find this ideal highly flawed. It is based on the idea that personal information should either be completely secret or completely public.

      To continue your analogy, I wouldn't necessarily want to publish my girlfriend's name on the soap-making forums I frequent, even if I considered it silly to avoid mentioning it on, say, a friend's personal blog. As the internet is organized today, this is less of a problem because identities are not interlinked by default: unless I sign up under my full name on the soap-making forum, no one will ever know that "SoapFan2143" is the same person as "Joe Random". If things like OpenID become standard, our hypothetical shy soap-maker would either have to be "that guy who probably has something to hide because he didn't want to sign up with a real identity", or go to ridiculous lengths like making up fake names and identities just to maintain some privacy on a hobby forum.

      It's perfectly understandable that people don't want sites to automatically combine various pieces of information about them. Many people who e.g. post in newsgroups already find it highly creepy what random stalkers can find out about them from simple googlings, they don't need an automatic system to stalk them as well.

    5. Re:Why would we want OpenID? by jalefkowit · · Score: 5, Insightful

      Your knee is jerking. You're reacting to the centralized authentication systems like MS Passport that we've seen in the past, which would indeed make it easier to track people. OpenID is fundamentally different in that there is no one centralized identity provider. You can use AOL as your OpenID provider, or another provider, or even set up your own OpenID server on your own hardware and use that if you can't find one you can trust -- hard to think of a scenario that would be more tracking-proof than that. Read more about OpenID, it's not what you think it is.

      --

      Read my blog.

    6. Re: Why would we want OpenID? by Dolda2000 · · Score: 4, Interesting
      The tracking doesn't primarily depend on the authentication server's ability to log whenever you authenticate, but rather that having single sign-on drastically increases your tendency to reuse the same identity on every website you log into. In other words, cross-site tracking be done much more reliably than before.

      Of course, many here on Slashdot could probably set up their own OpenID server that has a unique identifier for each site, but how many do you think {are going to/are able to} do that -- especially among AOL users?

    7. Re:Why would we want OpenID? by Solra+Bizna · · Score: 2, Informative

      Because two different people couldn't possibly use the same username at different locations, of course.

      -:sigma.SB

      --
      WARN
      THERE IS ANOTHER SYSTEM
    8. Re:Why would we want OpenID? by Wesley+Felter · · Score: 2, Insightful

      What's to stop them doing this with your email address right now?

      Nothing, that's why OpenID is really no better or worse than the status quo when it comes to privacy.

  5. Re:So?? by memojuez · · Score: 3, Insightful

    It's a last ditch effort by AOL to stay relevant to the rest of the InterWebs.

    --
    Signature applied for, Patent Pending
  6. The problem with single sign-on... by Phleg · · Score: 4, Insightful

    One major problem I see with this sort of initiative is spoofing of your provider's sign-in page. Unlike spoofing in its current form, if someone was able to get the password for your OpenID provider, he'll have access to every single one of the accounts you've used that ID with. It's putting all your eggs in one basket -- with the way everything is currently handled, your sign-on information to an individual site may be compromised, but you won't lose everything else.

    Is there a solution to this kind of problem, or is OpenID really only targeted to low-risk authentication; i.e., for forums and social networking sites?

    --
    No comment.
    1. Re:The problem with single sign-on... by Anonymous Coward · · Score: 2, Insightful

      spoof? Hell they won't need to spoof anything. AOL user will surf to a pr0n site, pr0n site will say "enter your openid to get 100% full free access!!111" or some such crap. AOL user will WILLINGLY give away their id to see pr0n.

  7. It's phishing time! by smack.addict · · Score: 4, Insightful

    OpenID is the phisher's dream. I honestly don't get what would motivate someone to implement this specification.

    1. Re:It's phishing time! by Broadcatch · · Score: 3, Informative
      multiple answers, but here are two:
      1. use OpenID to verify those you know (or their membership in a community you trust) - don't use it for "verification" of a service you know nothing about
      2. Microsoft's CardSpace (InfoCard) protocol can provide a simple mechanism to support this verification
      Once the trust is created, then you can use the XRI capabilities of OpenID 2.0 to provide sophisticated profile data sharing and/or service access authorization. But you are correct: if you're the kind of person who sends money to spammers, OpenID alone will not help you.
      --

      The antidote for misuse of freedom of speech is more freedom of speech.
      -- Molly Ivins

    2. Re: It's phishing time! by Dolda2000 · · Score: 2, Interesting

      I'm not sure exactly what you're referring to, but I would argue it is the other way around. If you use OpenID to sign in to a spoofed site, you're safe, because they can't use that info to sign in to the real site themselves. If they're spoofing your OpenID server, then, to be honest, people would be fooled just as much or little as they would be without OpenID. On top of that, OpenID allows you to do neat things like SSL client certificate or Kerberos authentication or anything else that cannot be used by phishers any way. I would also think that some ISPs (like AOL) could use that to make client certificate authentication automatic for their users. That way, it may actually put an effective stop to phishing.

  8. Re:Or: how is this different from Passport by jZnat · · Score: 5, Informative

    Well, anyone can run their own OpenID server to authenticate against, but to use Passport, you rely upon Microsoft's passport.net servers no matter which email address you associate with it.

    --
    'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
  9. Re:Or: how is this different from Passport by complete+loony · · Score: 2, Informative

    But it doesn't have to run on some big evil corps servers. It's open in the sense that you can run your own server and track all of your own web surfing habits.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  10. Re:Christ. We're all doomed by pelrun · · Score: 4, Informative

    AOL's openID's are all in AOL's namespace; DirtyTurtle278346812376.aol.com isn't going to prevent you having DirtyTurtle278346812376.myopenidserver.org.

  11. Re:This is a huge blow to privacy on the net... by TheRaven64 · · Score: 3, Insightful

    Think what it could be like when sites only accept OpenID authentication coming from certain sources like the provider your IP is originating from? Then people won't go to those sites, because they won't be able to access them from public terminals, their friends house, or use the same account from home as they use with their mobile phone.

    The idea sucks and I didn't even get started on how it allows the operator of an OpenID authentication service to track which sites you go to. The operator of the OpenID authentication service is you, or whoever you delegate the responsibility to. If you choose to ask a random person to look after your keys, don't be surprised if your house gets burgled.
    --
    I am TheRaven on Soylent News
  12. Not just AOL users -- AIM users too by jalefkowit · · Score: 3, Interesting

    The story is even bigger than the summary makes it out to be. It's not just AOL users who have an OpenID -- anyone who uses AOL Instant Messenger is included, too, as is anyone who uses AOL's "Journals" blogging platform. Both these services are free, and AIM especially is used by a far wider and more technical group of users than the term "AOL users" would suggest. (You /.ers who use AIM via Gaim, for example? You've got OpenIDs now.)

    --

    Read my blog.

  13. Uh oh by Conspiracy_Of_Doves · · Score: 4, Funny

    The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology.

    I think I see the flaw in your plan.

    --

    Technoli
  14. RAS syndrome and U.S. trademark law by tepples · · Score: 4, Informative

    The joke is often repeated. But U.S. trademark law may help explain RAS syndrome. Trademarks are adjectives and should be used with a generic term, even if they contain an abbreviation of the generic term. Hence "TCBY yogurt" even though "TCBY" is "the country's best yogurt", "DC comics" even though "DC" was "detective comics", "SAT reasoning test" even though "SAT" was "scholastic aptitude test", and "SPAM luncheon meat" even though "SPAM" stood for "specially processed assorted meat" at one time. Writers pressured by trademark owners to include the generic terms in their copy tend to overextend the habit of abbreviation + generic even to cases where the abbreviation is not a trademark.

    Another cause is to disambiguate homophonic or homographic acronyms. "Put your PIN in the computer" could be misheard as "put your pin (or pen) in the computer", which could damage the machine. "Put your PIN number in the computer" has one interpretation.

    1. Re:RAS syndrome and U.S. trademark law by molotov303 · · Score: 3, Informative

      I'm pretty sure SPAM is SPiced hAM, not specially processed assorted meat.

      http://en.wikipedia.org/wiki/Spam_(food)

    2. Re:RAS syndrome and U.S. trademark law by iabervon · · Score: 2, Insightful

      These sorts of abbreviations are often idiomatic and literally incoherent. For example, "PIN" stands for "Personal Identification Number", but it doesn't actually identify you; the account number identifies you, and the PIN authenticates you (if you were to type your PIN into a terminal without putting in a card, it would have no idea who you were). So, if people have to ignore part of the expansion to understand the term, it makes sense that they'd ignore the whole expansion, and then want a simple noun to say what they're talking about. And, of course, the last word of the expansion is a noun that sticks in people's heads as being related.

      Also, in the case of TCBY, "TCBY" is actually a company, not yogurt. For that matter, using the abbreviation as if it were the expansion would be very strange; you'd have to say "I bought some of TCBY", because "I bought some the country's best yogurt" is clearly ungrammatical. If you're ignoring the fact that it starts with "the", you have to ignore the fact that it ends with "yogurt", too, and treat the term as unanalyzable.

    3. Re:RAS syndrome and U.S. trademark law by dlthomas · · Score: 2, Insightful

      "I bought some of TCBY" makes sense, you're just talking about stocks...

  15. Re:OpenID vs OpenPrivacy? by Broadcatch · · Score: 4, Insightful

    "OpenID is a simple single sign-on mechanism advanced by Brad Fitzpatrick of LiveJournal. In OpenID, your identity is a URL." - http://en.wikipedia.org/wiki/OpenID

    Basically, OpenID provides for distributed authentication.

    IMO, what makes OpenID interesting is that in the 2.0 protocol, XRI (i-names) have been included, which opens the door to enabling selective, authenticated authorization of access to services, be it as simple as the ability to contact me (I would allow any parent of a child in my kid's pre-school class to phone me) or as complicated (eventually) as any contract you can imagine.

    OpenPrivacy, on the other hand, assumes such services as a starting point, which is why I suspended development of OpenPrivacy in 2002 and began working on XRI/i-names. OpenPrivacy will use sophisticated techniques such as zero-knowledge proofs to enable distributed reputation providers and truly pseudonymous identities that cannot be traced to their owner (unless such verification is mutually requested), but it requires strong, secure identity as a starting point.

    I look forward to creating grassroots i-names-enabled communities soon (starting in March, if all goes well) and eventually getting back to my OpenPrivacy roots - which is where (IMO) things start getting really interesting.

    --

    The antidote for misuse of freedom of speech is more freedom of speech.
    -- Molly Ivins

  16. Re:Lovely knees you have ... if anything. by Randle_Revar · · Score: 2, Insightful

    If you don't want to be tracked, don't use OpenID.

    If I go to a blog and enter a comment with the name Kelly Clowers and give my website as www.clowersnet.net/~krc/, how do you know that I am really the Kelly Clowers who owns that website? This example is one of the original use cases for OpenID.

    Now anyone can google Kelly Clowers and if an OpenID post turns up in the results, you can be fairly sure it was really the owner of www.clowersnet.net/~krc/ (which is presumably me, since that website specifically mentions this account (which is a solution that can work for main accounts, but I don't really want to list every one-off comment I ever made on random blogs)). Of course, a page could be hijacked, but the point is that imitating someone is not as trivial as entering someone else's name and website.

    Not being tracked when you don't want to be tracked could be an issue if websites started accepting *only* OpenID, but I haven't seen anyone do that yet, and I doubt many will ever do that. And I don't think OpenID is really intended for online banking and shopping and the like. Also, if you don't want to be tracked, you could set up a second OpenID account that does not link to your primary account or to your real name.

    --
    Climate Progress - Hell and High Water
  17. Re:Or: how is this different from Passport by maxume · · Score: 3, Informative

    No one is pushing it as a trust mechanism. It is being pushed as a unique identifier. The idea is that if you start up a zippy website where there are some additional features if I create an account, you can let me use an OpenID to identify myself, rather than having me create a user/pass just for your site. I provide a url, and your server does some stuff to find out if I own that url, and if I do, it can use that to identify me.

    You don't end up with any more reason to trust me than if I had used a random hotmail email address, but I avoid creating another damn sign in just to get 'account' features on your service.

    --
    Nerd rage is the funniest rage.
  18. This is the whole point by mrcaseyj · · Score: 4, Informative

    So? If someone tells you their openid (or you setup a spoof website to get it) then you have access to their entire life too, if this becomes popular.


    It seems OpenID prevents this problem. With OpenID the only thing you give to the websites you login to is your URL (such as https://aol.com/cooldude ). You can even give your URL to your enemies. You never give your OpenID password to any site except AOL, or if you run your own OpenID server, you never give your password to anyone at all. If I understand it right the whole encrypted procedure goes something like this:


    You're trying to login to example.com


    Example.com says: Who are you?
    You say: I'm "https://aol.com/cooldude"
    Example.com asks AOL: Is this guy really cooldude?
    AOL sends a message to you asking: Example.com says you're trying to log on, is it really you?
    You say to AOL: Yea it's me, here's my password to prove it.(AOL doesn't tell example.com your password. Also you save the hassle of entering your password for any site if you already logged in to AOL, like at the beginning of each day.)
    AOL says to Example.com: Yes we verified it's cooldude.
    Example.com says to you: Hi cooldude from aol.com, we've verified it's you again. Welcome.


    Note that if you log into AOL at the beginning of the day, then for you this whole procedure boils down to you just entering your URL to login and then pressing a button from AOL to authorize the login.


    Some advantages and disadvantages are:


    You can use one username and password for every site and you only have to enter your password once a day.


    If you used the same username and password at a lot of sites before, then with OpenID you don't have to worry about your password being compromised on one site by lax security or a crooked site owner(like a phisher) and then having your accounts compromised at all the other sites.


    I'm not sure about the privacy issues. If your OpenID provider allows it(or if you set up your own server) you could set up an unlimited number of ID's (eg cooldude2, cooldude3, etc.) I don't see how you would be giving up any more privacy than any other system. And if your provider allows it you could save a lot of trouble and use the same password for all your IDs. Your OpenID provider could track which sites you log into, but you could just be your own provider or choose one you trust not to track you. Of course the sites you log into could require only certain OpenID providers like AOL, Microsoft, Verisign, etc. You might not be able to use your own server. Sites might only accept OpenIDs from providers that use strong identification, like Paypal's requirement that you control a checking account to be confirmed, because banks in the US are required by law to get ID before opening a checking account(says Paypal).

    If sites only recognize OpenIDs from certain providers, at least the list of providers would likely be more inclusive than something like Microsoft Passport which has only one provider.

    OpenID providers might differentiate themselves on their security. Verisign for example may try to claim that their OpenID service (if they had it) is secure enough to use for bank logins.

    1. Re:This is the whole point by burner · · Score: 2, Insightful

      You get that the whole point is to have a "single sign on," right? And that the problem with Passport is that there is only one possible provider (Microsoft)? OpenID lets anyone be the identity provider. If you want your email to be your signon, just ask your email provider to support openID. It's can only be good news if large sites with lots of users become openID identity providers rather than each company developing their own identity system.

      --
      MRSH-Recording device, corned beef sandwich with kraut, seafaring bird, and the foamy top of a beverage.
  19. Not cool by linuxmop · · Score: 3, Interesting

    Actually, the problem is that the OpenID specification is very poorly written and is extremely complicated. It's as though a couple of kids wanted to put together an RFC but didn't really understand how to express a specification is a logical form. If you don't believe me, just take a look; you'll see what I mean just by glancing through it: http://openid.net/specs/openid-authentication-1_1. txt

    Anyway, then, as kids are wont to do, they have followed it up with a series of new specifications, each one more complicated than the last. There are five specifications in draft form right now, each to cover some different aspect of what should be a fairly simple protocol. They reference and make use of HTTP, HTML, XHTML, XML, XRIs, XRDS, S/MIME, XSLT, and some other, similar ID specification called Yadis. Implementing all this thing requires gobs of software libraries (each with security holes and bugs) and expertise (and who has time to learn the latest X??? spec?). And we're supposed to believe that it's possible to do this securely? We can barely make secure web servers, much less SSI systems which require almost 100 pages of specifications, plus thousands of pages of supporting specifications!

    What's sad is that the authors are not just a couple of kids that discovered XML and had a field day. The authors are associated with companies. The primary author works for VeriSign. Presumably, he should know better than to make such a jumbled mess.

    But I think we all know what's really going on here. These idiots put together an incomprehensible specification. It is poorly defined, ambigious, and relies on lots of supporting technologies. It is impossible to implement securely, completely, and correctly. Security holes and interoperability issues will be the only real standard. And guess whose jobs are secure? Guess who gets lots of contracting jobs? Guess who is needed to write new specifications so that they can get it Right the next time?

    It's too late to turn this one around. Hopefully OpenID will die a horrible death and we'll never hear of it again. But please, please, if anyone else reading this feels compelled to write a specification in the future, learn from OpenID's mistakes and keep it simple, stupid. Because OpenID is setting itself up for disaster.