MySpace Joins OpenID Coalition
the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others."
Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty OSS OpenID libraries available."
"Initially support is to use MySpace OpenIDs as providers only -- i.e. you cannot logon to MySpace with an OpenID created elsewhere" Ummm.... Doesn't that sort of defeat the purpose of a single username/password system? You have to create an OpenID for MySpace, and then you have to create a different OpenID for site XYZ. How many other sites are going to require that you create a new OpenID for their site?
"now if only Microsoft would support it"
I think it would be more likely that they would decide IE should actually follow internet standards before they hopped onto this.
Until you actually let someone authenticate to your site using OpenID, you're not really helping anything. You're just spreading BS about how open you are when you're really just supporting further centralization around yourself. Until the big names start acting as Relying Parties, I don't wanna hear about it.
Reader gbjbaanb adds a link to the BBC's coverage and points out that Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use
No, I'm pretty sure he wrote in pointing that MySpace's 100 million users would nearly double the number of OpenID accounts.
Jesus fucking Christ, is proof-reading really that hard?
Spelling mistakes, grammatical errors, and stupid comments are intentional.
A problem inherent in a decentralized single signon system is that there are more and more providers popping up, and not all of them are trustworthy or taking the necessary security precautions to lock down their sites. Caveat emptor, I guess, though. I run my own, and so I'm responsible for my own security.
Colin Dean Go a year without DRM
"Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use"
The article doesn't mention Facebook. Is the poster sneaking in a snide remark about the similarities between the two sites?
There's no -1 for "I don't get it."
Losing just one password, or OpenID databases getting hacked, will mean loss of all services related to it, even if they have other login systems.
Read radical news here
So now the big question for me. Can you create this single sign on account as an anonymous account? It would make things nice, but, I'd still not want to be identified in meatspace with this id....kind of like most accounts I have on the internet.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
I really wanted my Hotmail account to be compromised when my Google/Myspace/Facebook/Amazon/Ebay/Paypal accounts are all compromised by the single sign on. Now they will have to get my OpenID AND my Passport logons.
Seriously...with the internet being such a dangerous place for the average user. How in the freaking hell is a single sign on going to make it better? I mean really now this seems monumentally stupid. And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security.
With any luck some banks and credit cards will adopt this. So now you can have everything stolen from you with a single username/password combination that was probably lifted from you through a fake website or one of the dozens of account stealing malware bits that you installed to get "OMG Ponies Wallpaper & Pointers!". For bonus points, being able to pull a drive by install of malware to steal this account from a MySpace banner and then using that to steal all of their money, email addresses, and social webpages would be great. Bonus points if you manage to auction off all of their personal possessions through their ebay account and then keep the money through their paypal account.
The only change I can believe in is what I find in my couch cushions.
I guess Microsoft's failure with Passport isn't going to deter MySpace from building a system that no one is going to use either.
Who cares about a unified username/password "experience". A single username/password combination is an idiotic idea which means one site getting compromised compromises ALL websites where you've an openID profile. Who thinks of these idiotic ideas?
I thought they would learn from that experience when you could have a set of car keys from a Ford in the UK (in the 1970's IIRC), and it would open all the other Ford cars. At least that's how my parents' car was stolen. Now do the equivalent with an online profile.. madness.
Take Nobody's Word For It.
Is having 1 global ID really wise? It sounds like a single point of failure to me. And do you really want the same ID across all sites? i.e. Do you want to be able to be tracked across multiple sites, especially those that cater to different audiences? And with social engineering, if you divulge your personal info to a phisher for one site, he would then be able to use it for all other sites.
Call me a bit concerned, but I have unique IDs & passwords across all sites (social networking, blogs, financial, political, etc.) There are free user ID/password management software so you don't have to memorize every ID and password.
The obvious concern here is that if your openid user+pass gets stolen, you just lost everything.
Most people seem to use the same user+pass everywhere anyway, and if you had one password compromised on a keylogger or public terminal you probably had them ALL compromised.
So maybe it's still an improvement, but it should be considered as a very serious concern.
It does not need for any site to be compromised. Once it is technically possible to track, it will be done, either because the site wants to or because some big lobby (RIAA, MPAA or any other) imposes it. So I also refuse to share my IDs between sites. I always use specific per site email address, and I do not want to lose this.
Great...have one ID for everything, then they'll just have to steal it once.
Although, most idiots today use the same username and password for everything anyway.
I can see this now, people rushing to register OpenID unique usernames. Currently, with these 100 million accounts, the same username could be used by 4 different people across 4 different sites. Now we'll have people squatting to reserve usernames which are unique across all four sites.
We'll end up with the same problem we have now with domain names, grandma will have to register with grandma_alkjs because grandma_mimi will cost her $100 to get from a squatter.
...even if your data doesn't get stolen, doesn't get lost, and doesn't get compromised in any other way, this is a BadIdea(tm) from a privacy point of view.
Why? Because if you care about your privacy on-line, one single clue about who you are will give away who you are *everywhere* [on the websites using OpenID authentication]. Have your real name on Facebook? Everyone on the net will be able to find *your* MySpace, AOL, Yahoo, BlogThis and IMThat... account.
Even if you don't have your real name anywhere: you're still leaving a waaaay longer trail on the 'net than you're doing with a purpose-limited account. Anyone with a clue (and a sane cookie system, like Google) will sooner or later relate pretty much everything you do on the 'net to exactly *your* person. If you're really careful, then you *might* be able to keep those two words making up your name out of the game. But that's about the *only* thing that's not going to be known about your person...
Either that, or you'll keep creating 2, 3, or even more OpenID accounts -- one for each level of "privacy" you wish to enjoy. But then again, the need of having several OpenID accounts kinda kills the point of centralizing account management...
Privacy is not a matter of the information itself, it's a matter of how information is linked together (and/or to your person :-)
What we need is the opposite of this scheme.
We need to store our passwords on our own local trusted machine. Like on our personal mobile phone with tested HW encryption, which requires multifactor ID: thumbprint, voice recog, keyed PIN, retina scan. In fact, that device shouldn't store some simple password data, but rather a one-time password generator that generates unique secure password sequences for each challenging site. Maybe the phone should send the password via IR/Bluetooth or a phone call, but secure itself against attacks over that connection, or just report the momentary password on the screen for its human to read and enter into the challenge.
It's insane that I give my bank PIN to some arbitrary sketchy ATM in some late-night deli when I'm already drunk, need another 6-pack, and won't even remember where (or who) I was when I find out months later that my PIN was used by someone (of the dozen sketchy ATMs I used that year) to rob my account. I want one-time passwords right now, that my phone can remember, attached to the specific counterparties, money quantities and transaction description. So later I've got my own complete, authoritative record.
Not go the other way and give my PIN to every fly by night website, just because they "trust each other" with nothing of their own at stake.
--
make install -not war
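The per-site one-time password generator described in the post above is essentially what HOTP (RFC 4226) and TOTP (RFC 6238) specify. The following is an added example, not code from the post or from any OpenID project: it implements both algorithms with the Python standard library, derives one key per "challenging site" from a master secret kept on the device (that derivation step is a constructed illustration, not part of either RFC), and shows the verifier side, which accepts each time step only once so a code that was shoulder-surfed or captured cannot be replayed. The hostnames and the master secret are made up; the test key `12345678901234567890` is the RFC's own test vector.

```python
import hashlib
import hmac


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(key, unix_time // step, digits)


def site_key(master: bytes, site: str) -> bytes:
    """Constructed for this example (not in the RFCs): derive one secret per site from a
    master secret kept on the device, so a key handed to one site says nothing about others."""
    return hmac.new(master, site.encode(), hashlib.sha256).digest()


class SiteVerifier:
    """What the counterparty keeps: the shared key and the last time step it accepted.
    A code is valid once, within a small clock-skew window, and never for an older step."""

    def __init__(self, key: bytes, step: int = 30, window: int = 1):
        self.key, self.step, self.window = key, step, window
        self.last_step = -1

    def accept(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate > self.last_step and hmac.compare_digest(hotp(self.key, candidate), code):
                self.last_step = candidate   # burn this step so the same code cannot be replayed
                return True
        return False


def demo() -> dict:
    """Per-site derivation plus one-time acceptance, using the RFC 4226/6238 test key."""
    master = b"master secret kept on the phone (constructed)"
    assert site_key(master, "bank.example") != site_key(master, "forum.example")
    rfc_key = b"12345678901234567890"              # RFC 6238 Appendix B test secret
    bank = SiteVerifier(rfc_key)
    return {
        "first_use": bank.accept(totp(rfc_key, 59), 59),   # step 1 -> "287082"
        "replay": bank.accept("287082", 59),               # same step, already burnt
        "older_step": bank.accept(hotp(rfc_key, 0), 59),   # "755224": step 0 < last accepted
        "next_step": bank.accept(hotp(rfc_key, 2), 59),    # "359152": still inside the skew window
    }


if __name__ == "__main__":
    print(demo())
```

The verifier's `last_step` is what turns a time-based code into a true one-time code: without it, a captured code stays valid for the whole step plus the skew window, which is exactly the "sketchy ATM" problem the post describes.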
All the concern about too many eggs in one basket is certainly valid. However, one major advantage of a centralized login system is being missed here: the ability to change all of one's passwords easily on a somewhat regular basis. As it stands now, I have so many accounts, many of which use the same password, some of which use variations of that password, etc., that the notion of going through and changing all those passwords is completely daunting. Hence, I never do it.
With openID, every time I got a bit nervous, I could change the one true password, and still have to remember only it. A good openID provider could even give reminders or enforce a password expiration, which would go from extreme nuisance when done on an individual site basis, to real additional security, potentially offsetting the loss of security inherent in the single point of failure for many users.
> Is having 1 global ID really wise?
Around five years ago there was a lot of buzz about federated Web identification. Passport, OpenID and Liberty Alliance date from that era.
I think this was leakage out of the corporate world, where single-sign-on makes sense for employees or vendors operating on a private network.
For a Web world, compartmentalisation of sign-on is vital. Not only does it protect against compromise, but it also provides ultimate control over authentication. If one no longer wishes to have dealings with a site, it is easy to randomise the password and delete the corresponding e-mail alias.
Web users today are much more phishing-savvy and rely on password safe applications to manage their accounts. This seems like a last gasp from OpenID to convince someone, anyone, of the relevance of SSO.
Whenever OpenId comes up there's always a million comments about handing over passwords and that all it takes is one site you're registered with to be compromised for your identity to be lost. This is not the case as OpenId does not share your actual login information with the third party at all. All the authentication happens at your provider. I fail to see how people consistently overlook this vital piece of information. If your provider is compromised on the other hand... you're pretty much in the same place as somebody compromising your mailbox. And there's a worrying trend of people just handing that information out anyway.
Pot, Kettle, etc. When will slashdot support it? There are plenty of OpenID libraries, so CmdrTaco won't have to stop editing to work on it full time.
Do you even lift?
These aren't the 'roids you're looking for.
single point of failure!!
I'm glad I got rid of MySpace about a year and a half ago. I never really do anything with my blogger account, and I'll probably buy my own domain again to get away from gmail.
To paraphrase Ian Malcolm, what they call progress, I call the rape of the digital world.
Ok. So don't use it. The fact is that many (most?) of us have one or two email accounts that we use for registration purposes. If our email was cracked then all of those registrations are toast. From what I've read, OpenID provides a way to replace this hack (email is not meant for personal identification... it's meant for communicating text efficiently) with a registration system that is as secure as the provider you choose to sign up with. There are providers that give you the same lack of security as email, there are providers that use certificates and fancy-schmancy secure communication, and there are providers that use hardware to verify who you are - you pick the level of security you want when you pick a provider.
And of course, if you really do want a separate identity for each and every site for which you register, you're free to register multiple OpenID identities.
Basically, OpenID replaces an email address as a central identity. It provides all of the "ease" of using email addresses, but also provides a wealth of possible security improvements and, of course, single sign-on capabilities.
Maybe you should try reading the spec then, since that's exactly what it's designed to do.
The only place that gets your plain text password is your OpenID provider, and whenever you try to login to another site using OpenID, you get redirected to your provider's site, where:
1) If you don't already have a session open, you login, and then go to 2.
2) You get asked if you really want to login on the client site, and if so, what information do you want to let them have (usually anything from "nothing at all" to "everything", or a combination of them).
This way the only site you need to implicitly trust is the OpenID provider - which if you choose can be on your own server, running your own code, with whatever means of authentication you like.
If you're feeling really paranoid you could even have it send you a text message, or electrocute your balls, every time someone logs in with your credentials, so that even if someone does get them you'll know as soon as they try to use it, and can disable or change them.
I don't see how this will work on myspace with only ten characters for a password.
This whole openID thing sounds like centralization of passwords and private information, and behind the scenes the linking of user X, Y, Z from site A, B, C.
Roll the damn thing out if you must, but make it clear somewhere EARLY that it's linked to other accounts. It might be better to not register.
But then you all know I had to comment on this with a cool handle like myspace-cn before the Chinese firewall comes after me to put me to death for all my hard core death/black metal myspace accounts.
You either need to look up the definition of monoculture or actually educate yourself on the underpinnings of OpenID. You obviously misunderstand one or the other.
Monoculture means everyone depends on the exact same thing. OpenID is not only the exact opposite, providing control over how you are authenticated to you, but it provides an almost immediate method of mitigating an attack. Someone take over your authentication server? Use a different one.
And if only ONE of those websites is compromised, my login is now compromised across the board,
Take the trouble to read up on OpenID, and you'll find this is not the case. Having one site which you log in to compromised will not compromise the others. The only way you'd lose control of your openid identity is if your openID provider was compromised.
You can also select how much information you disclose to different sites, revoke permissions to certain sites, and choose more secure login methods like certificates.
So don't. Part of OpenID is that you can see exactly what information the relying site wants, and decide whether or not to give it to the site. Some providers also let you create and use multiple profiles to choose from too, so you can choose exactly what address or whatever they see (if any). There's no loss of control for the user here.
No, that's not how it works. The sites you log into aren't involved with your authentication process, so they can't give up your credentials no matter how badly they get owned. They could give up whatever personal information you chose to let your provider give them, but that's no different than the way it is now.
My company recently attempted to implement an OpenID login option for our website. We quickly abandoned the idea because it was simply a horrible user experience. For those of you who are unaware of how openid works, here are the steps to sign in with openid:
1) First you have to enter a URL which is your openid login. For example, if yahoo is your openid provider, you would enter http://openid.yahoo.com/cortesoft. Right off the bat, you already have to enter a ridiculously long user id.
2) Once you enter the URL, that is passed on to the openid provider. Using the yahoo example, you then have to sign in to yahoo if you aren't already signed in on this computer to prove you are the owner of that openid URL.
3) You are then asked to check a box giving the requesting site permission to use this openid. In yahoo's case it also requires entering a CAPTCHA. This is to ensure that the requesting site isn't merely nefariously requesting an OpenID without the user's permission.
4) Yahoo authenticates to the requesting site that you are logged in, and you are finally signed on.
Of course, it is slightly easier on subsequent visits. The authorization process is shorter, but you still have to sign in to your openID provider and enter a URL. Just look at how simple the alternative is: A user simply enters a username and password and BAM they have a new account. They can even choose the same one as they used on other sites if they want the same username and login across multiple sites. Users bounce at any sign of difficulty in the signup process. OpenID is a huge barrier to entry, so we scrapped the idea of using it.
The thing is, most people don't have different usernames and passwords for each site. A ton of people use the same password for MySpace, Gmail, Amazon, work, school, their bank, etc. At least with OpenID most of these sites would not get to see your password.
It could be a single point of failure, but maybe that's not a bad thing when talking about protecting secrets like passwords?
GAWD the amount of "OMG Single point of failure PONIES" posts is ridiculous.
You do NOT give OpenID all your passwords and logins.
It's not turning all those accounts over to a third-party and them giving you a single login and password.
It's using ONE account at MANY other sites in a limited form.
Example: using my account here (http://www.slashdot.org/~GrumblyStuff/), I'd post it into the separate OpenID field on say... MySpace.
This takes me to a confirmation page on Slashdot that requires being logged into said account. You're logged in? Then everything is peachy and you can be added to friends, add friends, write comments, whatever on MySpace. You'll have an account there that simply has a link to your Slashdot account.
THAT'S IT.
I RFTS. I RTFA. I even went to the OpenID website to make sure they hadn't gotten some dumb fuck idea like most everyone writing comments here is freaking out over.
Note the key phrase "eliminates the need for multiple usernames". That means not needing an account at MySpace, Facebook, or Livejournal to message a friend.
I don't know how AOL, Wordpress, and Yahoo fit in (if they got blogs or if it's to be used with IMs or email) but it works alright with regular blogs. (I don't know wtf Vox is though.)
How about using a tiered OpenID system, where you can have multiple levels of accounts?
Right now I use one set of username/pwds for my banking and sensitive accounts. I'm very careful about what machines I use this info on and who I give it to. A second username/pwd pair for stuff like ./, gmail, last.fm etc... which I use for sites that I frequent and would rather not have someone else access using my name. Finally a third for smaller forums and stuff that I could really care less about.
I would like to be able to tie them together in a way that let me use a higher-tier account to reset the pwd of the lower tier accounts but not vice-versa or across a tier.
It's still an "all your eggs in one basket" approach, but it's a slightly more secure basket.
"drink deeply the illusion of your safety"
For a Web world, compartmentalisation of sign-on is vital.
Only up to a point.
I have 128 logins that I keep. I know that because I don't remember any of them, I have a file full of them. When I use Yet Another Website, I'm really tired of making Yet Another Login.
If one no longer wishes to have dealings with a site, it is easy to randomise the password and delete the corresponding e-mail alias.
If you think that using openId from Site A to log into site B gives site B ways to continue having dealings with you against your wishes, then can you outline how that can happen? How many internet users have "e-mail aliases" to throw away?
This seems like a last gasp from OpenID to convince someone, anyone, of the relevance of SSO.
I've seen a fair amount of OpenId around recently. You can use it on Blogger and LiveJournal. If it's a "last gasp" for a declining technology, how do you back that statement up?
My Karma: ran over your Dogma
StrawberryFrog
Ok geniuses, what the heck are you gonna do when you start putting the Username/Password databases together and a million identical names belonging to different people collide? I think they'll need to create a separate database for OpenID that doesn't touch the databases that already exist.
McCain/Palin '08. Now THAT's hope and change!
With all the talk of running one's own OpenID provider, why not run it on your own machine behind a DynDNS or similar provider and use PAM to authenticate against /etc/shadow?
ROMANES EUNT DOMUS
Why can't we have a system based on our own public keys ? You could upload your public key to whatever site you wanted, without needing to transmit a password at all, ever.
Your password stays on your machine, and never gets shared over a network. This would eliminate needing multiple passwords for multiple sites. It works well for SSH, which I think is a tad more secure than having username/password pairs being sent to a myriad of different sites.
Also, a public key based system, would allow you to be anyone you wanted on any site, as long as your public key could be validated against your private key.
Kind of like a validated session cookie, you could visit a site and instantly be logged in as the user you specified originally. My password for my SSH private key is a fairly long sentence, but I only have to enter it once per local login session ( I use the SSH agent). If the sites I visit were to make use of that, then I would never need another username-password pair again.
Of course this idea is not new and the principle can be found in many flavours of password storing agent software, but they all use their own standards, and they all transmit the stored password, rather than just sending a 1 or a 0.
Note I do not propose that the browser handles the verification, but that it hands off to the OS for verification, then takes the OS's response and transmits that to the web site concerned. Said website can then use a session cookie to track state as usual.
Microsoft shipped support for OpenID 2.0 last year. Google search: http://www.google.com/search?q=microsoft+openid&rls=com.microsoft:*&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1
/LabMonkey09
Now I only have one username and password to hack and your world is mine
thank God the internet isn't a human right.
If they broke Kerberos so badly, why the hell can I point my KRB5 install on Centos to my AD realm and have it work without any arcane settings or magic?
MS did not break Kerberos. Period. Ever. Now go away and blow your iBook.
Trying to become famous by taking photos. Visit my homepage please.
Beware, gullible sheep, Big Brother wants to track all your web activities using a single "Open" ID, starting with personal data-mining sites like MySpace and Facebook. Isn't there enough tracking from ISPs, search engines, and large websites already?
This tracking is great for big brother, but sucks for the little man, who would prefer the anonymity of dynamic IP address, and multiple, fake online personas. This OpenID idea is stupid in concept, unless there is a malicious intent to spy on everyone.
> I've seen a fair amount of OpenId around recently. You can use it on Blogger and LiveJournal. If it's a "last gasp" for a declining technology, how do you back that statement up?
I looked over the list on openiddirectory.com; 634 participating sites. That's greater than zero, admittedly. Just about.
The story of SSO in e-commerce is brief and inglorious. ebay dropped Passport support in January 2005; Amazon never got onboard; Google established its own intra-domain federation; Yahoo announced OpenID support, then fell silent. Those are the sites that people use.
SSO has flopped on the web, thankfully.
OpenID lets you do that, though I haven't heard of a provider implementation that actually does that, yet. Shifting to OpenID is what is going to let you get what you want, because it centralizes the authentication and you can control that central point and lock it down as hard as you want.
"Believe me!" -- Donald Trump
The same thing that happens when you forget your PasswordSafe password.
It isn't some golden magic fairy dust, but there are some nice applications, like for instance, if Slashdot became a provider, you would be able to push your CastTroy reputation to some other discussion site that was interested in accepting it...the risk is low and it is actually something that would be nice to be able to do (but maybe not something that would happen, Slashdot isn't automatically going to be interested in pushing discussion to other sites...).
It would be a disaster if important services began accepting only OpenID though.
Nerd rage is the funniest rage.
Passport flopped because no one wanted Microsoft to have data on every single point of your life. That was what passport was: Everyone had to authenticate with Microsoft, Microsoft stored all information, Microsoft chose who got what information.
OpenID is fully decentralized, *you* choose whom to give what information, every site uses its own passwords and, as the above story shows, it's far from dead.
I know you!
You're that Anonymous dude that I always see posting on 4chan!
Today's lucky number is: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Arrgh, that should read: only your OpenID provider has your password and it's never shared with anyone.
Sorry about that complete fuckup
This sounds like an absolutely terrible idea. How many times have we told users that it's best not to use the same password for every account? OpenID sounds like an enabler of stupidity and a huge security risk.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
OpenID is not using the same password for every account. It's having just one account instead of many, and thus only one password to remember (which can then be a better password since you have to remember fewer).
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
The relying party (the asking site) contacts your open id provider directly. So yes, if this is done over HTTP rather than HTTPS, you could use a DNS attack to break it.
Behind the scenes, the relying party and OpenID provider establish a shared key using Diffie-Hellman. After the user authenticates with the provider, he comes back to the relying party with a message that says that he has authenticated. Key parts of the messages are digitally signed with the shared key, and the relying party has to verify the signature.
The Diffie-Hellman part is optional, but most providers use it. If the relying party fails to establish a key with the provider, then when the user comes back with the "I'm authenticated" message, the relying party sends that message to the provider and asks the provider to verify that it's true.
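The redirect-and-consent flow described earlier in the thread (the provider is the only party that sees the password; the relying site only receives a verdict) and the association/signature mechanics described in the post above can be seen end to end in the following added example. It is not code from the thread or from any OpenID library: it models an OpenID 2.0 provider and a relying party in a single process, performs the Diffie-Hellman association (the MAC key travels as `SHA1(btwoc(g^xy)) XOR mac_key`), signs the positive assertion with HMAC-SHA1 over the OpenID key-value form, and shows the checks a relying party has to make before trusting what the browser brings back: required fields covered by the signature, matching `return_to`, a nonce that has not been seen before, and a valid signature (or, when there is no association, the stateless `check_authentication` round trip). The DH modulus is a small constructed prime so the arithmetic stays readable; real associations use the 1536-bit modulus from the spec. All hostnames and identities are made up.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

# Demo-size Diffie-Hellman group, constructed for this example only (not the spec's modulus).
DH_P = 2**127 - 1
DH_G = 3
# Fields a relying party must insist are covered by the signature of a positive assertion.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "identity", "claimed_id"}


def btwoc(n: int) -> bytes:
    """OpenID's btwoc: shortest big-endian two's-complement encoding of a non-negative integer."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def kv_encode(fields: dict) -> bytes:
    """OpenID key-value form: 'key:value\\n' per field, in the order given."""
    return "".join(f"{k}:{v}\n" for k, v in fields.items()).encode()


def verify_signature(mac_key, msg: dict) -> bool:
    """HMAC-SHA1 over exactly the fields named in 'signed', compared in constant time."""
    if not mac_key or "signed" not in msg or "sig" not in msg:
        return False
    try:
        to_sign = kv_encode({k: msg[k] for k in msg["signed"].split(",")})
        expected = hmac.new(mac_key, to_sign, hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(msg["sig"]))
    except (KeyError, ValueError):
        return False


class Provider:
    """The OpenID provider: the only party that ever sees the user's password."""

    def __init__(self):
        self.associations = {}                 # assoc_handle -> MAC key

    def associate(self, rp_public: int):
        """DH association: return (handle, OP public value, SHA1(btwoc(g^xy)) XOR mac_key)."""
        x = secrets.randbelow(DH_P - 2) + 1
        mask = hashlib.sha1(btwoc(pow(rp_public, x, DH_P))).digest()
        mac_key = os.urandom(20)               # HMAC-SHA1 key
        handle = base64.b64encode(os.urandom(12)).decode()
        self.associations[handle] = mac_key
        return handle, pow(DH_G, x, DH_P), bytes(a ^ b for a, b in zip(mask, mac_key))

    def positive_assertion(self, handle: str, identity: str, return_to: str) -> dict:
        """The signed 'user is authenticated' message the browser carries back to the RP."""
        fields = {"op_endpoint": "https://op.example/openid", "return_to": return_to,
                  "response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
                  "assoc_handle": handle, "identity": identity, "claimed_id": identity}
        signed = ",".join(fields)
        sig = hmac.new(self.associations[handle], kv_encode(fields), hashlib.sha1).digest()
        fields["signed"], fields["sig"] = signed, base64.b64encode(sig).decode()
        return fields

    def check_authentication(self, msg: dict) -> bool:
        """Stateless fallback: the RP hands the assertion back and asks 'did you sign this?'."""
        return verify_signature(self.associations.get(msg.get("assoc_handle")), msg)


class RelyingParty:
    """The site being logged in to: it never learns the password, only a signed verdict."""

    def __init__(self, op: Provider, return_to: str):
        self.op, self.return_to = op, return_to
        self.mac_keys = {}                     # assoc_handle -> MAC key (empty in stateless mode)
        self.seen_nonces = set()

    def associate(self) -> str:
        y = secrets.randbelow(DH_P - 2) + 1
        handle, op_public, enc_mac_key = self.op.associate(pow(DH_G, y, DH_P))
        mask = hashlib.sha1(btwoc(pow(op_public, y, DH_P))).digest()
        self.mac_keys[handle] = bytes(a ^ b for a, b in zip(mask, enc_mac_key))
        return handle

    def verify(self, msg: dict) -> bool:
        """Signed-field coverage, return_to, one-time nonce, then the signature itself."""
        if not REQUIRED_SIGNED <= set(msg.get("signed", "").split(",")):
            return False
        if msg.get("return_to") != self.return_to or msg.get("response_nonce") in self.seen_nonces:
            return False
        key = self.mac_keys.get(msg.get("assoc_handle"))
        ok = verify_signature(key, msg) if key else self.op.check_authentication(msg)
        if ok:
            self.seen_nonces.add(msg["response_nonce"])
        return ok


def demo() -> dict:
    """The cases a relying party has to get right: genuine, replayed, altered, stateless."""
    op, alice = Provider(), "https://op.example/alice"
    rp = RelyingParty(op, "https://rp.example/finish")
    handle = rp.associate()
    genuine = op.positive_assertion(handle, alice, rp.return_to)
    altered = dict(op.positive_assertion(handle, alice, rp.return_to),
                   identity="https://op.example/bob", claimed_id="https://op.example/bob")
    stateless_rp = RelyingParty(op, rp.return_to)        # never associated
    return {"keys_match": rp.mac_keys[handle] == op.associations[handle],
            "genuine": rp.verify(genuine),
            "replay": rp.verify(genuine),                   # same response_nonce a second time
            "altered": rp.verify(altered),                  # identity changed after signing
            "stateless": stateless_rp.verify(op.positive_assertion(handle, alice, rp.return_to))}


if __name__ == "__main__":
    print(demo())
```

The nonce set and the `REQUIRED_SIGNED` check are the parts most often skipped in home-grown relying parties; without the first, a captured assertion can be presented again, and without the second, a provider response that signs only harmless fields would still be accepted. Everything here runs over plain function calls; in a deployment the association and `check_authentication` requests are the direct RP-to-provider HTTP calls the post refers to, which is why they need HTTPS.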
If I have an email or blog, can I move to OpenID login and keep my username, or do I have to make a whole new identity?
Really?
Oh, so one site being compromised WILL result in all of your accounts being compromised after all. Please get your story straight. This is a terrible idea and is just trading security for convenience.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
According to this article, Microsoft claims 400 Million Passport/Windows Live users worldwide. How is it that OpenID is becoming the defacto standard again?
One thing that really needs to happen is for forums to accept OpenID. Given that a small number of software packages seem to run the majority of forums out there, it seems like this sort of change could happen quickly... but to my knowledge, hasn't so far.
I thought everyone stopped using Myspace when Rupert Murdoch took it over. Myspace belongs in a category with Compuserve, Prodigy, America Online, Friendster, gopher, Netscape, Alta Vista, Napster, and other relics of Internet past.
It's just a little different from that. Let's look at a couple of scenarios.
Scenario 1: You have accounts all over the place. You use different passwords for each of them. You have multi-factor authentication for several of them.
This is pretty secure, but of course, you have to remember your passwords. You may have to carry around several dongles. If a site is hacked and the password on it is recoverable, only that site is hacked. This scenario, however, is unrealistic for the masses.
Scenario 2: You have accounts all over the place. They all have the same password. You probably don't have multi-factor authentication on any of them, but who knows--maybe your WoW account really is that important to you.
This is horrible security. If a site is hacked, the attacker now has access to your entire web presence. You'll be forced to change your password in dozens of places, and you're almost certain to forget a few.
Scenario 3: You have a single sign-on provider (like OpenID). You have accounts all over the place, but only a single password, stored on a single server. If that server is hacked, the attacker has access to all of your accounts for the time period that it takes you to realize the issue and change your authenticator to a new host. You don't have to remember a password for each site you visit. The individual sites never have access to your password. You may use multi-factor authentication on your OpenID site to reduce the likelihood that a hack will give carte blanche access to all of your accounts, and you don't have to carry around a dozen dongles to provide "something you have."
Do you see how Scenario 3 is a compromise between the two? Do you realize that Scenario 2 is how most people use the web? Scenario 3 is better security than what most people use, while maintaining the convenience. If you don't like the idea of using OpenID, you aren't forced to. You can create a new OpenID for every website you wish to use. OpenID allows for better security in a realistic world (where people reuse passwords) when, currently, the only other option is password-management Hell.
Read up a bit on cryptography, specifically cryptographic hash functions and digital signatures.
Those are (related) methods by which the client can assert that it knows the user's password without actually telling the password to the server (HTTP digest access authentication or similar methods involving hashing the password with a challenge string) and therefore not letting the password slip to someone in the middle. Of course, for a really secure transaction with your bank or similar, the connection will already be over HTTPS, so that is not much of a worry.
On the other hand, the same math allows for security tokens, which lets a system remotely verify that you physically have a token, allowing something-you-have security. Another way to handle such security might be to, say, have your ATM card have a secret key on it that it uses to authenticate itself. Then an ATM transaction requires the ATM card and your PIN, so a sketchy ATM stealing your PIN would not matter as much.
You will notice that last suggestion involved having a computer in your ATM card, which, although not all that expensive, is certainly more expensive than a magnetic strip. Basically, such extreme security measures are expensive and not in demand because most people have no idea how insecure their transactions are and quite simply identity theft is not high on most people's radar, so the fixes do not get implemented. As identity theft becomes more common and the security becomes less expensive, I suspect the demand will grow.
Centralization breaks the internet.
People always complain about internet hackers and cyberstalking, and cyberbullying, but Myspace was invented to assist the stalkers, bullies and hackers.
OpenID makes life even easier for hackers by centralizing the sensitive information even further. Now when you want to find your blackmail material, you can just search one ID and find all of it.
I suspect that you're just being an ass and intentionally missing the point.
With OpenID, you have a provider and multiple consumers. If any of the consumers get hacked, your account on the other consumers will not, by association, be hacked. If your provider is hacked, all of the consumers will be compromised until you can switch your provider. So the original poster's assertion:
There are some websites/services I just plain old don't trust with some or all elements of my real information. And if only ONE of those websites is compromised, my login is now compromised across the board
is either disingenuous or the result of a misunderstanding. If you don't trust a website, don't make them your provider. But they can safely consume your OpenID without fear of impersonation on other sites. The poster obviously thought that the password would be shared amongst the sites. Either that, or s/he set up a strawman.
Reading for context is a good idea.
If you control your own OpenID provider and have control over the information that is sent, I'm guessing you could also set it up to send information on various aliases that you have set up, right? If I understand this right, the only thing the other site can verify is that you are the same identity that logged in last time, but what your personal information really is, they won't know. But this will also mean that certain sites will never accept your own provider; they want something "secure" which they can trust. This will make it very difficult/useless to run your own provider, won't it? Too bad really.
So become an OpenID provider. Maybe you only serve out your own ID--no big deal. Now you're not trusting some random site, you're trusting your own site, and you can use whatever authentication scheme you want.
I agree that there is definitely a lack of security conscious behavior on the internet, however I think there are some circumstances that mitigate the problems seen in scenario 2.
For sites that use your email address as your login, I hope that someone signing up for that service would not use their email password. In fact many people I know, who use ISP provided accounts, only knew their password when they set up Outlook Express. Gmail and its ilk are obviously a different story.
Scenario 2 assumes that people are able to get the same user ID on every site they use. My experience is that this is not the case. Especially as the internet becomes utilized by a greater population, simple or consistent IDs are not available for long after a site comes into existence. So unless an attacker has been reading the autofill information in a victim's browser preferences, he is probably not going to be able to access more than one or two sites.
I am not saying this is indicative of the mentality of internet users in general, but recently I was helping my mother with something that required a password and she was very conscious of the security of her password regardless of the fact that she is almost completely lost when it comes to most things computer related. Now admittedly I got the impression that she thinks her passwords are stored in a Caesar Cipher out in the open, but that does tell me security issues are filtering down to the masses.
You are correct in that OpenID does create a suitable compromise between Scenarios 1 and 2. However, once OpenID is commonly used there will be a new set of security problems that users are faced with. Even considering the limited success rate of phishing attacks, once a user's OpenID is compromised, it becomes trivial to automate attacks on possible accounts across popular sites. Also, we are now relying on the reliability and integrity of a third party OpenID provider. It is easy to say "if you have doubts, move your OpenID", but that solution assumes anything but blind trust, which seems to be the default in many cases. It also assumes that if the OpenID server has been compromised the user will become aware within a reasonable amount of time in order to minimize the damage done. Admittedly, if the damage is limited to someone's blog and MySpace account, really, who cares. But if that damage crosses over to financial and government accounts then it becomes a much bigger issue. I can't even imagine the lawsuit shit storm that would befall some poor guy who decided to become an OpenID provider in that circumstance.
Ah yes, another universal sign-in ID. They've had those for at least a decade now, and they've been moderately more successful than internet money accounts.
Just the other day I had to sign up for a "universal" "Ning" ID - to sign into the one and only site I've ever heard of it used on. I've never been to an OpenID site.
There is no backpedaling as you're responding to my first post in this thread. I made no such claim as you suggest. Maybe you are confusing me with another poster.
Which is exactly what I was pointing out. Without OpenID, if my MySpace account is compromised, then none of my other accounts are in jeopardy. If my OpenID provider is compromised then the attacker now has access to all of my accounts associated with the OpenID provider.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Valid points.
Phishing and XSS are probably the two biggest potential problems with OpenID. The latter may be addressed in the spec (I'll admit that I've only skimmed it) or in specific implementations. The former is going to be a problem for the foreseeable future, anyway. The new issue will be people who don't realize that not being careful with their Facebook account (and being phished) could cause their financial information to be compromised.
Of course, security-sensitive people will just set up specific logins for their sensitive servers. You're still cutting down on the total number of login/password combinations. Banks can force the issue by choosing not to support OpenID, or letting OpenID be one of the many factors in a multi-factor system.
Why can't we have a system based on our own public keys ? You could upload your public key to whatever site you wanted, without needing to transmit a password at all, ever.
Your password stays on your machine, and never gets shared over a network. This would eliminate needing multiple passwords for multiple sites. It works well for SSH, which I think is a tad more secure than having username/password pairs being sent to a myriad of different sites.
Also, a public key based system, would allow you to be anyone you wanted on any site, as long as your public key could be validated against your private key.
Kind of like a validated session cookie, you could visit a site and instantly be logged in as the user you specified originally. My password for my SSH private key is a fairly long sentence, but I only have to enter it once per local login session ( I use the SSH agent). If the sites I visit were to make use of that, then I would never need another username-password pair again.
Of course this idea is not new and the principle can be found in many flavours of password storing agent software, but they all use their own standards, and they all transmit the stored password, rather than just sending a 1 or a 0.
Note I do not propose that the browser handles the verification, but that it hands off to the OS for verification, then takes the OS's response and transmits that to the web site concerned. Said website can then use a session cookie to track state as usual.
Myspace was set up and invented to assist hackers, con-artists, and stalkers. All information about you, your friends, and your family members in one place for a team of hackers to analyze.
All the names and photos to assist the teams that want to stalk you, black mail you, or extort you.
You don't like it? Pay for protection, just like 1920s mafia. It's a racket. In this case the hackers run it, because you and others were dumb enough to make their job easier by going to their website and giving them all the information they'd ever need to blackmail you with none of the effort.
Sexual blackmail is much easier, extortion is much easier, stalking is much easier, bullying is much easier, and when someone makes a threat and they have your real name, your picture, all your friends names and pictures, and they know intimate details about you, you know they mean business.
Noobs, all your base are belongs to us.
I hope it flops- the last thing we need is universal logins for the internet. Imagine 5 years from now that to use a larger site that requires a login, you must first register with xyz123company.com (for the cheap monthly $5 fee). Now you are free to use and be tracked wherever you go online. Thanks, but I'll just take the encrypted .txt file with my users and passes for the sites out there (especially when the govt decides to get involved, if they haven't already). Further, let's take this to an even further reality: what happens when the OpenID adult comes out. Yey, unified pr0n logins.
All I'm saying... in such an abstract way, is it sounds like a nasty information gathering scheme... don't like it.
Seeing the amount of spammers, script kiddies, and social engineering scams floating around MySpace - and the scalability of MySpace users, this is bad news. People can scam the kids who have MySpace accounts out of their passwords very easily, but having every password the same on all the sites you use...
Really?
Really.
Oh, so one site being compromised WILL result in all of your accounts being compromised after all. Please get your story straight. This is a terrible idea and is just trading security for convenience.
I suspect you still misunderstand, that or you're being deliberately obtuse. OpenID is structured as follows:
OpenID Provider - provides you with a central point for identification and a means of signing in and managing sign-ins to other sites. This is the only party that can verify your identity, so you choose someone you trust not to screw up (i.e., not Facebook or MySpace etc).
OpenID Consumer or Relying party - these are the many websites that you want to log into and currently have your details written on a sticky/stored in 1Password/stored in a text file etc - the logins for which you probably don't care about much anyway, but which you have to remember currently.
If one of those many consumers is hacked, you will lose nothing save any info you've chosen to give them.
If the provider is hacked (very unlikely if you've chosen a good provider), then it's conceivable that someone could gain access to your accounts with consumers. Many providers (e.g. myopenid.com) allow disabling password login and only using a certificate, which does give a good measure of security - far more than transmitting your passwords in forms over http and relying on email to send them, which you are currently doing all the time on various sites.
Personally I wouldn't use my OpenID for my bank or anything financial, as it's good to isolate those accounts, but it is vastly superior to our current system of:
Identity verification by email
Submitting passwords via unencrypted forms
Sharing passwords/logins over many different sites, who are all storing it in various ways (hashed? in the clear? you don't know)
Often people use the same password for everything and never change it
Putting the onus for security on to many smaller sites, rather than one which specialises in security
The downside is it can give a false impression of security if people don't carefully consider who they trust to be their provider. For example if Facebook was your provider they'd probably be happy to sell your traffic patterns to anyone who asked, but then, if you use Facebook, you already let them do that.
I have valid concerns. Please don't automatically assume the worst.
I fully understand that.
Which was my point in my response above. The person I responded to claimed that one site couldn't compromise your identity but in fact the OpenID provider (a single site) could do just that.
And that is the tricky part. Using OpenID requires that you expand your web of trust beyond yourself to your OpenID provider. How will you establish that trust and vet the provider? How do you know that your information will not be compromised via accident or maliciousness? I know that you can set up the software to be your own provider, but as I pointed out in another message, this carries administrative overhead. This solution doesn't seem to have any advantages over existing features such as Firefox's password manager. In fact, it seems more limited as it will only work with sites that know about OpenID.
This seems to be a double edged sword as many have said before me. I don't go on myspace, but the fact that they joined gives this some power in the market now. I'm hoping eventually this service will extend to just about all manner of social network sites because I'd really like it. However, sharing information on a site that has been hacked before like myspace can be pretty dangerous methinks. At least I know my information is safe for now...
I fully understand that.
Perhaps, but you left out my note about context. The original poster was clearly talking about any given OpenID consumer getting hacked. The person who replied was imprecise in telling him that that wasn't true, and your reply showed either an inability to read contextually or a desire to be overly pedantic. Out of sheer curiosity, would you mind telling me which one it is?
Maybe a local app that stores all passwords and automatically logs you in would be a better solution, as long as your local security is good. Something like the Firefox password bank, but with more capabilities like working with apps, etc. If someone learns your OpenID then they have you hacked on every site. This would be very insecure, and I believe that having the same login for multiple sites was a no-no anyway. This kind of mainstreaming of breaking a security rule should not catch on; it is flawed and insecure by nature.
So now you really are fucked if someone gets your password.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Which was my point. If this one site (the provider) is compromised, then all of my accounts are compromised. It's also not a matter of the site being hacked. A security compromise could be caused by a misconfiguration or accidental change. I must also trust that the employees of the provider are ethical.
I think that is my core concern. How does one know who to trust?
"I want one-time passwords right now, that my phone can remember, attached to the specific counterparties, money quantities and transaction description. So later I've got my own complete, authoritative record."
So start using OpenID! :-) Ok, people aren't supporting what you describe quite yet, but it's right there in the protocol. OpenID can let you do it.
"And the meaning of words; when they cease to function; when will it start worrying you?"
Now if we hack Email we can get EVERYONE'S account to EVERY email address.
Email makes life easier for hackers.
If someone hacks my email (for example), they don't get carte blanche to either open accounts elsewhere or check all my other accounts. But OpenID will change all that.
Eh? If someone hacks your OpenID, they won't get access to your other OpenIDs either. If you're worried, you can still have multiple OpenIDs just like you can have multiple email accounts.
But if you have just one email account, they can get access to all your emails, and everyone you send email to. Is that "Monoculture" too?
(I also can't help being amused that most of the OpenID criticisms seem to be from Anonymous Cowards - why are you bothered by OpenID if you don't set up accounts in the first place?)
I very much doubt that banks would use OpenID, because even if you trust an OpenID server, they won't. Banks are not simply things you sign up for a login, so OpenID is not relevant here (mine required me to get details sent through the post, and I have to use a hand held device which generates codes to use when logging in or performing transactions - OpenID replaces neither of these, and nor is it intended to).
Monoculture ... ?
own me once, own me everywhere
Right. (seriously)
Every Myspace user that logs in to Myspace sends their username and password in the clear.
It's been that way from the beginning, and the shiny new redesign didn't help.
Ironically, the URL it gets sent to is:
http://secure.myspace.com/index.cfm?fuseaction=login.process
Hey, there's a "secure" in the hostname, it must be okay!
So... When Myspace becomes an OpenID provider, will the OpenID authentication page be over plain HTTP too?
It's okay, it's not like most Myspace users log in to check their profile on every public computer they see.
OpenID seems neat, but isn't it wide open for phishing?
I go to 'evilwebsite.com', give it my OpenID, and it directs me to 'notmyopenidprovider.com', with a login page that looks real - I enter my credentials and it's all over? It's the bank game all over again, especially as I'm *expecting* that I might be redirected and asked for my password...
Or am I missing something?
- Chris
He who fights with monsters should see to it that he does not become a monster in the process.
echo "$master$site" | md5sum | head -c20
(where master is your master password and site is the name or url of the site you're registering for.)
There's your unique password and you only have to remember the master. A bit simpler than OpenID, no?
(maybe this simplistic scheme has some vulnerability, but you get the point)
Medium cat is MEDIUM.
It would be not reading contextually. But I find that to be irrelevant to the discussion at hand. OpenID still carries too great a risk.
A question about OpenID, pertaining to your scenario 3:
Say, for example, I'm registered with 20 sites using my MyOpenID (I believe the most popular OpenID provider). Then my MyOpenID gets hacked, they change the password and get control of it. They now have control over all 20 of those sites.
How do I recover from this? Does it require me calling MyOpenID and trying to confirm my identity? Does it require creating a new OpenID somewhere else and opening 20 new accounts at each of those sites? Once an account is created at RandomSite using your OpenID, can you change it over to a different OpenID?
WeRelate.org - wiki-based genealogy
It would depend upon your provider, I guess, but when you're effectively proxying access, this is always the case.
If you maintain/register your own URL (note: not necessarily your own OpenID provider) then you can change to a new provider yourself.
Say I have the domain sancho17056.com. I can choose to make that my OpenID by adding a few lines of markup to the <HEAD> portion of that page. Those lines specify which OpenID provider should be used to authenticate my URL. Now, if I delegate to myspace.com (thus using their OpenID services) and my account gets hacked over there, I can simply register with another provider and point my URL over there. Instantly, every place where I use my OpenID as my login will begin authenticating with the new service. I'm in control, you see.
Of course, as I pointed out at the beginning, if you give someone else control over that URL, you have to convince them to delegate to a new provider. I can't speculate on what would be required to do this. And if your OpenID is hosted at the same site as your URL, you may have an even harder time convincing them to change things.
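As an added illustration of the delegation the reply above describes (not code from the thread or from any OpenID library), here is the relying-party side of that step: parse the `<head>` of the claimed URL's page for OpenID delegation links and work out which provider endpoint to send the user to. The domains and endpoint URLs in the two sample pages are constructed placeholders; the link `rel` names (`openid.server`, `openid.delegate`, `openid2.provider`, `openid2.local_id`) are the real ones from the OpenID 1.x and 2.0 specs.

```python
from html.parser import HTMLParser


class _OpenIDLinkParser(HTMLParser):
    """Collect <link rel="openid..."> hrefs, but only from inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            rel = (a.get("rel") or "").strip().lower()
            href = a.get("href")
            if rel.startswith("openid") and href:
                self.links[rel] = href

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(claimed_url, html):
    """Return the provider endpoint and the identifier the provider should
    assert for claimed_url, or None if the page carries no delegation.

    OpenID 2.0 links take precedence over the 1.x ones when both are present.
    A relying party must only ever redirect the user to the endpoint found
    here, i.e. one derived from the identifier the user typed in, never one
    supplied by some other party in the exchange."""
    parser = _OpenIDLinkParser()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:
        return {"version": 2,
                "endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id", claimed_url)}
    if "openid.server" in links:
        return {"version": 1,
                "endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate", claimed_url)}
    return None


# Constructed sample: the user's own URL delegating to "provider A".
CLAIMED_URL = "http://sancho17056.example/"
PAGE_BEFORE = """<html><head><title>me</title>
<link rel="openid.server" href="https://provider-a.example/openid">
<link rel="openid.delegate" href="https://provider-a.example/id/sancho">
</head><body>hello</body></html>"""

# Constructed sample: provider A was compromised, so the user re-pointed the
# same URL at "provider B". The claimed identifier itself does not change,
# so every relying party keeps recognising the same account.
PAGE_AFTER = """<html><head><title>me</title>
<link rel="openid2.provider" href="https://provider-b.example/op">
<link rel="openid2.local_id" href="https://provider-b.example/u/sancho">
</head><body>hello</body></html>"""


if __name__ == "__main__":
    for page in (PAGE_BEFORE, PAGE_AFTER):
        print(discover(CLAIMED_URL, page))
```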
That's an ok solution. The main issues I see are that you lose some amount of portability. You have to have md5sum and head wherever you want to log in. You may have to ssh somewhere to do it this way. And if there's a keylogger on the machine, the game is still over. Changing your master password and then changing all of the rest of your passwords will still be quite the pain.
I'd rank this solution above using the same password for everything, but below using single-sign on via OpenID.
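As an added example (mine, not code from either poster) covering both the `md5sum` one-liner posted earlier and this reply's caveats: the first function reproduces that pipeline exactly (note that `echo` appends a newline, so it is part of the hashed input), the second shows why the scheme is weak (a derived password leaked by one site lets an attacker test master-password guesses offline at MD5 speed), and the third is a hardened derivation using PBKDF2 with a per-site counter so a single site's password can be rotated without changing the master. The master password and candidate list are constructed sample values.

```python
import base64
import hashlib


def md5_site_password(master, site):
    """Reproduce: echo "$master$site" | md5sum | head -c20

    echo terminates its output with "\\n", so the newline is hashed too;
    md5sum prints the hex digest first, and head -c20 keeps 20 hex chars."""
    digest = hashlib.md5((master + site + "\n").encode()).hexdigest()
    return digest[:20]


def recover_master_from_leak(leaked_password, site, candidates):
    """Defender's view of the weakness: the derivation is a single unsalted,
    fast hash, so anyone holding one site's derived password (say, from that
    site's breached database) can check master-password guesses offline.
    Returns the matching guess from the candidate list, or None."""
    for guess in candidates:
        if md5_site_password(guess, site) == leaked_password:
            return guess
    return None


def hardened_site_password(master, site, counter=1, length=20,
                           iterations=100_000):
    """Same idea, but with a slow KDF (PBKDF2-HMAC-SHA256) and the site name
    plus a rotation counter as salt. Bumping the counter gives that one site a
    fresh password while the master and all other sites stay untouched, which
    addresses the "change all the rest of your passwords" pain in the reply."""
    salt = f"{site}\x00{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    return base64.urlsafe_b64encode(key).decode()[:length]


# Constructed sample values for the demonstration below.
MASTER = "hunter2"
SITE = "example.com"
# A constructed (deliberately tiny) guess list; a real attacker would use a
# dictionary, which is exactly why a short master is not enough here.
CANDIDATES = ["password", "letmein", "hunter2", "qwerty"]


if __name__ == "__main__":
    leaked = md5_site_password(MASTER, SITE)
    print("site password:", leaked)
    print("master recovered from leak:", recover_master_from_leak(leaked, SITE, CANDIDATES))
    print("hardened v1:", hardened_site_password(MASTER, SITE, counter=1))
    print("hardened v2:", hardened_site_password(MASTER, SITE, counter=2))
```

The same guessing loop works against the PBKDF2 variant in principle, but each guess then costs 100,000 HMAC iterations instead of one MD5, and the real fix the thread converges on is the same either way: a long master password, or not deriving every site's credential from one secret at all.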