BlogMatrix
    Subscribe
Search
 

OpenID: security concerns

edit David P. Janes 2006-09-12 15:52 UTC 3 comments  ·

Blake in the comments notes the issue of phishing -- that is, making a fake website duplicating the look and feel of a real website to capture passwords and identity. As far as I can tell, OpenID has no good solutions (here's a discussion that doesn't end up being that helpful).

Here's a few ideas I've had mulling over this:

  • run your own identity server with your own unique look and feel. This may not be too hard with Amazon EC2 type services, particularly if you could do something like run Java Servlets.
  • Identity servers should mail you new sites that you've accessed, possibly putting a hold on your account if there's suspicious activities
  • Identity servers could provide multiple levels of passwords; lesser passwords could be used for establishing identity at untrusted sites; the highest password could be used for direct administration of the identity account

On other security issues:

Comment #1Aswath Rao

2006-11-09 15:52:46

Ability to use ones own URL but redirecting to an IdP is one of the useful features. But if the user's web site is not properly protected, then the id can be hijacked by a third party. Is this a valid concern? I am planning to use OpenID for my site and highlight this capability. Should I add this caution?

Comment #2David Janes

2006-11-09 18:40:23

You should join the OpenID mailing list and open this concern. I have not got a satisfactory answer, but it may be because I'm not looking hard enough.

David

Comment #3Aswath Rao

2006-11-10 19:30:28
Thanks for the reply. Based on personal communication with Jonathan Daugherty of JanRain, delegation assumes that the original URL is properly protected.

Add Comment

BlogMatrix Home Semantic@BlogMatrix Home