Slashdot Mirror
MySpace Joins OpenID Coalition
the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others."
Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty OSS OpenID libraries available."
"Initially support is to use MySpace OpenIDs as providers only -- i.e. you cannot logon to MySpace with an OpenID created elsewhere" Ummm.... Doesn't that sortof defeat the purpose of a single username/password system? You have to create an OpenID for MySpace, and then you have to create a different OpenID for site XYZ. How many other sites are going to require that you create a new OpenID for their site?
"now if only Microsoft would support it"
I think it would be more likely that they would decide IE should actually follow internet standards before they hopped onto this.
Until you actually let someone authenticate to your site using OpenID, you're not really helping anything. You're just spreading BS about how open you are when you're really just supporting further centralization around yourself. Until the big names start acting as Relying Parties, I don't wanna hear about it.
Reader gbjbaanb adds a link to the BBC's coverage and points out that Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use
No, I'm pretty sure he wrote in pointing that MySpace's 100 million users would nearly double the number of OpenID accounts.
Jesus fucking Christ, is proof-reading really that hard?
Spelling mistakes, grammatical errors, and stupid comments are intentional.
A problem inherent in a decentralized single signon system is that there are more and more providers popping up, and not all of them are trustworthy or taking the necessary security precautions to lockdown their sites. Caveat emptor, I guess, though. I run my own, and so I'm responsible for my own security.
Colin Dean Go a year without DRM
So now the big question for me. Can you create this single sign on account as an anonymous account? It would make things nice, but, I'd still not want to be identified in meatspace with this id....kind of like most accounts I have on the internet.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
I really wanted my Hotmail account to be compromised when my Google/Myspace/Facebook/Amazon/Ebay/Paypal accounts are all compromised by the single sign on. Now they will have to get my OpenID AND my Passport logons.
Seriously...with the internet being such a dangerous place for the average user. How in the freaking hell is a single sign on going to make it better? I mean really now this seems monumentally stupid. And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security.
With any luck some banks and credit cards will adopt this. So now you can have everything stolen from you with a single username/password combination that was probably lifted from you through a fake website or one of the dozens of account stealing malware bits that you installed to get "OMG Ponies Wallpaper & Pointers!". For bonus points, being able to pull a drive by install of malware to steal this account from a MySpace banner and then using that to steal all of their money, email addresses, and social webpages would be great. Bonus points if you manage to auction off all of their personal possesions through their ebay account and then keep the money through their paypal account.
The only change I can believe in is what I find in my couch cushions.
I guess Microsoft's failure with Passport isn't going to deter MySpace from building a system that no one is going to use either.
If an ID could be created to authenticate on all these sites, then losing the security of that ID could be fixed easily by canceling it and creating a new one. It's the same thing with credit cards. You could have multiple copies of the same card and if you lose one, you call in and get them all canceled.
Is having 1 global ID really wise? It sounds like a single point of failure to me. And do you really want the same ID across all sites? i.e. Do you want to be able to be tracked across multiple sites, especially those that cater to different audiences? And with social engineering, if you divulge your personal info to a phisher for one site, he would then be able to use it for all other sites.
Call me a bit concerned, but I have unique IDs & passwords across all sites (social networking, blogs, financial, political, etc.) There are free user ID/password management software so you don't have to memorize every ID and password.
> Who cares about a unified username/password "experience".
fair enough, but i think for many users it would be cool to have a unified identities across several sites. ie, so my MySpace social network could be parsed by YouTube or my favorite online game or what have you. Not saying it's for everyone, but there's certainly some value there for some.
That's why you use a very secure password with an openid provider with a good reputation - which would probably not be Myspace or the like, but a dedicated openid provider that has been around a while. Some providers allow the used of a signed certificate to facilitate the login - that is you can choose a.really.long.and.damn.near.unguessable.password.that.is.so.long.that.it.is.a.pain.to.type.but.which.you.can.remember.except.when.youre.drunk, and then you use a certificate established between your trusted machine at home and the openid provider, which bypassed the password handshake by exchanging the certificate data automatically.
...even if your data doesn't get stolen, doesn't get lost, and doesn't get compromised in any other way, this is a BadIdea(tm) from a privacy point of view.
Why? Because if you care about your privacy on-line, one single clue about who you are will give away who you are *everywhere* [on the websites using OpenID authentication]. Have your real name of Facebook? Everyone on the net will be able to find *your* MySpace, AOL, Yahoo, BlogThis and IMThat... account.
Even if you don't have your real name anywhere: you're still leaving a waaaay longer trail on the 'net than you're doing with a purpose-limited account. Anyone with a clue (and a sane cookie system, like Google) will sooner or later relate pretty much everything you do on the 'net to exactly *your* person. If you're really careful, then you *might* be able to keep those two words making up your name out of the game. But that's about the *only* thing that's not going to be known about your person...
Either that, or you'll keep creating 2, 3, or even more OpenID accounts -- one for each level of "privacy" you wish to enjoy. But then again, the need of having several OpenID accounts kinda kills the point of centralizing account management...
Privacy is not a matter of the information itself, it's a matter of how information is linked together (and/or to your person :-)
What we need is the opposite of this scheme.
We need to store our passwords on our own local trusted machine. Like on our personal mobile phone with tested HW encryption, which requires multifactor ID: thumbprint, voice recog, keyed PIN, retina scan. In fact, that device shouldn't store some simple password data, but rather a onetime password generator that generates unique secure password sequences for each challenging site. Maybe the phone should send the password via IR/Bluetooth or a phonecall, but secure itself against attacks over that connection, or just report the momentary password on the screen for its human to read and enter into the challenge.
It's insane that I give my bank PIN to some arbitrary sketchy ATM in some latenight deli when I'm already drunk, need another 6-pack, and won't even remember where (or who) I was when I find out months later that my PIN was used by someone (of the dozen sketchy ATMs I used that year) to rob my account. I want onetime passwords right now, that my phone can remember, attached to the specific counterparties, money quantities and transaction description. So later I've got my own complete, authoritave record.
Not go the other way and give my PIN to every fly by night website, just because they "trust each other" with nothing of their own at stake.
--
make install -not war
All the concern about too many eggs in one basket is certainly valid. However, one major advantage of a centralized login system is being missed here: the ability to change all of one's password easily on a somewhat regular basis. As it stands now, I have so many accounts, many of which use the same password, some of which use variations of that password, etc., that the notion of going through and changing all those passwords is completely daunting. Hence, I never do it.
With openID, every time I got a bit nervous, I could change the one true password, and still have to remember only it. A good openID provider could even give reminders or enforce a password expiration, which would go from extreme nuisance when done on an individual site basis, to real additional security, potentially offsetting the loss of security inherent in the single point of failure for many users.
> Is having 1 global ID really wise?
Around five years ago there was a lot of buzz about federated Web identification. Passport, OpenID and Liberty Alliance date from that era.
I think this was leakage out of the corporate world, where single-sign-on makes sense for employees or vendors operating on a private network.
For a Web world, compartmentalisation of sign-on is vital. Not only does it protect against compromise, but it also provides ultimate control over authentication. If one no longer wishes to have dealings with a site, it is easy to randomise the password and delete the corresponding e-mail alias.
Web users today are much more phishing-savvy and rely on password safe applications to manage their accounts. This seems like a last gasp from OpenID to convince someone, anyone, of the relevance of SSO.
Ok. So don't use it. The fact is that many (most?) of us have one or two email accounts that we use for registration purposes. If our email was cracked then all of those registrations are toast. From what I've read, OpenID provides a way to replace this hack (email is not meant for personal identification... it's meant for communicating text efficiently) with a registration system that is as secure as the provider you choose to sign up with. There are providers that give you the same lack of security as email, there are providers that use certificates and fancy-schmancy secure communication, and there are providers that use hardware to verify who you are - you pick the level of security you want when you pick a provider.
And of course, if you really do want a seperate identity for each and every site for which you register, you're free to register multiple OpenID identities.
Basically, OpenID replaces an email address as a central identity. It provides all of the "ease" of using email addresses, but also provides a wealth of possible security improvements and, of course, single sign-on capabilities.
OpenID doesn't work like this. The user names are tied to a site. So your myspace OpenID would be something like http://myspace.com/hockeypuck. Someone else could have http://othersite.com/hockeypuck
I don't think you understand how openid works. The only way to compromise all sites is for your openid provider to be compromised. You only provide 3rd party sites with a URL which points to your openid provider. You are forwarded to your openid provider (SSL cert verifies to you that the provider is legit.) You enter your credentials to the openid provider who then sends over a back channel that you are verified back to the 3rd party site. At no time does the 3rd party site have any of your authentication credentials and therefore can not access anything on other sites which you use that openid account for.
Maybe you should try reading the spec then, since that's exactly what it's designed to do.
The only place that gets your plain text password is your OpenID provider, and whenever you try to login to another site using OpenID, you get redirect to your provider's site, where:
1) If you don't already have a session open, you login, and then go to 2.
2) You get asked if you really want to login on the client site, and if so, what information do you want to let them have (usually anything from "nothing at all" to "everything", or a combination of them).
This way the only site you need to implicitly trust is the OpenID provider - which if you choose can be on your own server, running your own code, with whatever means of authentication you like.
If you're feeling really paranoid you could even have it send you a text message, or electrocute your balls, every time someone logs in with your credentials, so that even if someone does get them you'll know as soon as they try to use it, and can disable or change them.
Who cares about a unified username/password "experience".
I think that would be almost everyone who's tired of remembering (or writing down) a hundred different passwords, as well as everyone who's already using the same password everywhere because (see previous).
A single username/password combination is an idiotic idea which means one site getting compromised compromises ALL websites you've a openID profile. Who thinks of these idiotic ideas?
You.
The people behind OpenID thought of it as a problem to solve and found a solution. Newsflash: If my game (see footer) accepts OpenID as a logon mechanism (and it will, once I get around to coding it), I won't get your actual login data. What I'll get is a way to ask thirdparty.com if you really are dude@thirdparty.com - the actual authentication happens there, not at my site. Since OpenID is distributed, you in reality get less exposure to attackers, because someone cracking me, or Facebook, or Google, will not get any login data for you, not even to the cracked site, unless that site was your provider.
Assorted stuff I do sometimes: Lemuria.org
And if only ONE of those websites is compromised, my login is now compromised across the board,
Take the trouble to read up on OpenID, and you'll find this is not the case. Having one site which you log in to compromised will not compromise the others. The only way you'd lose control of your openid identity is if your openID provider was compromised.
You can also select how much information you disclose to different sites, revoke permissions to certain sites, and choose more secure login methods like certificates.
GAWD the amount of "OMG Single point of failure PONIES" posts is ridiculous.
You do NOT give OpenID all your passwords and logins.
It's not turning all those accounts over to a third-party and them giving you a single login and password.
It's using ONE account at MANY other sites in a limited form.
Example: using my account here (http://www.slashdot.org/~GrumblyStuff/), I'd post it into the separate OpenID field on say... MySpace.
This takes me to a confirmation page on Slashdot that requires being logged into said account. You're logged in? Then everything is peachy and you can be added to friends, add friends, write comments, whatever on MySpace. You'll have an account there that simply has a link to your Slashdot account.
THAT'S IT.
I RFTS. I RTFA. I even went to the OpenID website to make sure they hadn't gotten some dumb fuck idea like most everyone writing comments here is freaking out over.
Note the key phrase "eliminates the need for multiple usernames". That means not needing an accound at MySpace, Facebook, or Livejournal to message a friend.
I don't know how AOL, Wordpress, and Yahoo fit in (if they got blogs or if it's to be used with IMs or email) but it works alright with regular blogs. (I don't know wtf Vox is though.)
Why can't we have a system based on our own public keys ? You could upload your public key to whatever site you wanted, without needing to transmit a password at all, ever.
Your password stays on your machine, and never gets shared over a network. This would eliminate needing multiple passwords for multiple sites. It works well for SSH, which I think is a tad more secure than having username/password pairs being sent to a myriad of different sites.
Also, a public key based system, would allow you to be anyone you wanted on any site, as long as your public key could be validated against your private key.
Kind of like a validated session cookie, you could visit a site and instantly be logged in as the user you specified originally. My password for my SSH private key is a fairly long sentence, but I only have to enter it once per local login session ( I use the SSH agent). If the sites I visit were to make use of that, then I would never need another username-password pair again.
Of course this idea is not new and the principle can be found in many flavours of password storing agent software, but they all use their own standards, and they all transmit the stored password, rather than just sending a 1 or a 0.
Note I do not propose that the browser handles the verification, but that it hands off to the OS for verification, then takes the OS's response and transmits that to the web site concerned. Said website can then use a session cookie to track state as usual.
It's just a little different from that. Let's look at a couple of scenarios.
Scenario 1: You have accounts all over the place. You use different passwords for each of them. You have multi-factor authentication for several of them.
This is pretty secure, but of course, you have to remember your passwords. You may have to carry around several dongles. If a site is hacked and the password on it is recoverable, only that site is hacked. This scenario, however, is unrealistic for the masses.
Scenario 2: You have accounts all over the place. They all have the same password. You probably don't have multi-factor authentication on any of them, but who knows--maybe your WoW account really is that important to you.
This is horrible security. If a site is hacked, the attacker now has access to your entire web presence. You'll be forced to change your password in dozens of places, and you're almost certain to forget a few.
Scenario 3: You have a single sign-on provider (like OpenID). You have accounts all over the place, but only a single password, stored on a single server. If that server is hacked, the attacker has access to all of your accounts for the time period that it takes you to realize the issue and change your authenticator to a new host. You don't have to remember a password for each site you visit. The individual sites never have access to your password. You may use multi-factor authentication on your OpenID site to reduce the liklihood that a hack will give carte blanche access to all of your accounts, and you don't have to carry around a dozen dongles to provide "something you have."
Do you see how Scenario 3 is a compromise between the two? Do you realize that Scenario 2 is how most people use the web? Scenario 3 is better security than what most people use, while maintaining the convenience. If you don't like the idea of using OpenID, you aren't forced to. You can create a new OpenID for every website you wish to use. OpenID allows for better security in a realistic world (where people reuse passwords) when, currently, the only other option is password-management Hell.
I agree that there is definitely a lack of security conscious behavior on the internet, however I think there are some circumstances that mitigate the problems seen in scenario 2.
For sites that use your email address as your login, I hope that someone signing up for that service would not use their email password, In fact many people I know, who use ISP provided accounts, only knew their password when they set up Outlook Express. Gmail and its ilk are obviously a different story.
Scenario 2 assumes that people are able to get the same user id on every site they use. My experience is that this is not the case. Especially as the internet becomes utilized by a greater population simple or consistent id's are not available for long after a site comes into existence. So unless an attacker has been reading the autofill information in a victims browser preferences, he is probably not going to be able to access more than one or two sites.
I am not saying this is indicative of the mentality of internet users in general, but recently I was helping my mother with something that required a password and she was very conscious of the security of her password regardless of the fact that she is almost completely lost when it comes to most things computer related. Now admittedly I got the impression that she thinks her passwords are stored in a Caesar Cipher out in the open, but that does tell me security issues are filtering down to the masses.
You are correct in that OpenID does create a suitable compromise between Scenarios 1 and 2. However, once OpenID is commonly used there will be a new set of security problems that users are faced with. Even considering the limited success rate of fishing attacks, once a users OpenID is compromised, it becomes trivial to automate attacks on possible accounts across popular sites. Also, we are now relying on the reliability and integrity of a third party OpenID provider. It is easy to say "if you have doubts, move your OpenID", but that solution assumes anything but blind trust, which seems to be the default in many cases. It also assumes that if the OpenID server has been compromised that the user will become aware within a reasonable amount of time in order to minimize that damage done. Admittedly, if the damage is limited to someones blog and myspace account, really, who cares. But if that damage crosses over to financial and government accounts then it becomes a much bigger issue. I can't even imagine the lawsuit shit storm that befall some poor guy who decided to become an OpenID provider in that circumstance.
Now if we hack Email we can get EVERYONES account to EVERY email address.
Email makes life easier for hackers.