The Implications of OpenID
Google Tech Talks, June 25, 2007
ABSTRACT
Simon Willison
OpenID is an emerging standard that provides simple, decentralised authentication for the Web. OpenID follows the Unix philosophy, solving one small problem rather than attempting to tackle the many better challenges posed by online self. This talk will explore the implications of OpenID, and explore the best practices required to take advantage of this new technology while avoiding the potential pitfalls.
Lecturer: Simon Willison
Simon Willison is a consultant on OpenID and client- and server-side Web development, and a co-creator of the Django Web framework. Before going freelance Simon worked on Yahoo!’s Technology Development…
This is much of poorer quality since everything is centralized, so keeping uncommon accounts still pays off. But yeah, it's harder to manage.
I'm still not convinced about IDP spoofing, at all…
1. User visits a malicious RP page containing what looks like a regular OpenID login form.
2. User enters OpenID URL.
3. Malicious RP redirects user to another page that looks like the user’s OP (call this Fake-OP), using a proxy to load/modify the content.
4. Fake-OP asks user for password.
   User, not noticing the difference from his usual OP, enters his password.
5. Fake-OP now has user’s password.
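One defender-side check that blunts the Fake-OP step above, as an added example that is not part of this thread (the stored credentials, hostnames and function names are constructed): a password manager that binds credentials to the OP's exact origin will not auto-fill them on a look-alike page, and the missing auto-fill is the user's cue that something is off.

```python
from urllib.parse import urlsplit

# Constructed example: credentials a password manager has stored, keyed by the
# exact origin (scheme, host, port) of the real OP's login page.
STORED_CREDENTIALS = {
    ("https", "openid.example.com", 443): {"username": "alice", "password": "s3cret"},
}


def origin_of(url: str):
    """Return (scheme, host, port) for url, or None if it cannot be parsed safely.

    urlsplit().hostname ignores any userinfo prefix, so a URL such as
    https://openid.example.com@fake-op.example/ resolves to fake-op.example,
    not to the OP the user thinks they are looking at.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on an out-of-range port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def credentials_for(page_url: str):
    """Release stored credentials only when the page origin matches exactly.

    A Fake-OP page that merely looks like the OP (different host, http instead
    of https, or a look-alike subdomain) has a different origin, so nothing is
    filled in and the user is not silently handed to the proxy in step 3.
    """
    origin = origin_of(page_url)
    if origin is None:
        return None
    return STORED_CREDENTIALS.get(origin)
```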
Meh! Get roboform!
This is a fantastic talk, and I had the same result to the phishing/credential stealing problem. He did sidestep around the actual problem, but, I realized a solution to this:
One Time Passwords. If your OpenID provider is hacked, they should only have the information required to authenticate you, not the secret information you have yourself. Look into technologies such as Yubico’s Yubikey. Also, I’d hope any password auth provider would only store one-way hashes, not the pass itself.
I loved the talk a lot, but I didn't like how he kinda kept avoiding fascinating security issues with OpenID just by saying that the issues are by now here. It's not about whether or not OpenID is just as vulnerable as using your email address across the internet and material. It's about what OpenID should do to combat this vulnerability. The whole “forgot my password” scam shouldn't be equivalent to OpenID, at least to me…
I would really like it too. Maybe through Gmail.
I’d really like to see Google start offering an OpenID service, and I could see Apple responsibility it as part of their .Mac service too.
The only huge name right now is AOL, and I don’t really like it.