Last month, Simon Willison gave a talk at Google (video, slides) which is a good intro to and summary of the technical implications of OpenID. He makes one very important point: OpenID does outsource your security to a third party, but so does sending a "forgot your password" email to an arbitrary email address. All of the attacks that work against OpenID also work against these emails.
So the implication is that the security policies you currently have around "forgot your password" are a good starting point for thinking about OpenID security. Specifically, phishing vulnerabilities and mitigations are likely to be similar. However, OpenID also changes the ecosystem by introducing a standard that other solutions can build on (such as Verisign's Seat Belt plugin).
OpenID really solves only one small problem -- proving that you own a URL. But by solving this problem in a standard, simple, deployable way, it provides a foundation for other solutions.
It doesn't solve the phishing problem. Some argue that it makes the problem worse by training users to follow links or forms from untrusted web sites to the form where they enter a password. My take: Relying on user education alone is not a solution. If you can reduce the number of places where a user actually needs to authenticate to something manageable, say half a dozen per person, then we can leverage technical and social aids much more effectively than we do now. In this sense, OpenID offers opportunities as well as dangers. Of course, this would be true of any phishing solution.