05 Mar 2007
The big news at Carson’s Future of Web Applications conference in London last month was the momentum building for OpenID, a URL-based system for single sign-on.
Kevin Rose, founder of the popular news site Digg, announced that his site will support OpenID authentication. This follows AOL’s recent announcement that any AOL username can be used as an OpenID, and Microsoft’s declared intention to integrate OpenID with Windows CardSpace.
At the conference, Simon Willison, formerly of Yahoo, gave a presentation on the advantages of single sign-on and the potential of OpenID to help combat comment spam and other evils.
Single sign-on would be a huge convenience. Just this morning I completed three web registration forms, each requiring new usernames and passwords, to download trial software. OpenID can remove the need for registration forms when extended with the Attribute Exchange service, which allows web sites to retrieve personal details from your chosen OpenID provider.
Unfortunately, there are several problems with OpenID. One is its vulnerability to phishing: a user logging on to a site that claims to support OpenID is redirected to what should be the OpenID provider's login page, and might instead be typing username and password details into a forged copy of it. Another weakness is that OpenID depends on the URL identifier routing to the correct machine on the internet. This, in turn, depends on DNS, the system by which names are mapped to internet addresses, which is known to have security weaknesses.
The OpenID specification does not even insist on Transport Layer Security (TLS) for every web site that participates in the authentication process. It allows properly secured authentication, but does not insist on it, which is a missed opportunity. The snag with any single sign-on scheme is that if the credentials are stolen, the thief gets access to many accounts, not just one.
It is easier to fix security issues with OpenID than to fix millions of individual web sites with weak authentication. But OpenID is not a cure-all. Currently, it is suitable for commenting on blogs or registering for trial software, but not for e-commerce or online banking. I would like to see sites that accept OpenID insist that it is used in a secure manner. The work being done to integrate with CardSpace will solve the phishing vulnerability. If that is combined with TLS, OpenID is real progress towards a secure internet. Otherwise, it may be a disaster.
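One way a relying party could "insist that it is used in a secure manner", as the article asks, is to refuse any login where either the user's identifier URL or the provider endpoint found by discovery is not served over TLS. The Python below is an added example written for this page, not code from the article or from any OpenID library: it applies OpenID 2.0-style identifier normalization, reads the `openid2.provider` / `openid2.local_id` link relations (falling back to the OpenID 1.1 `openid.server` / `openid.delegate` names) from a constructed identifier page rather than fetching a real one, and then applies a hypothetical https-only policy. The `SECURE_PAGE` and `INSECURE_PAGE` documents and the `*.example` hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Hypothetical relying-party policy (an assumption for this example): both
# the user's identifier URL and the provider endpoint found by discovery
# must be https, otherwise the login is refused before any redirect happens.


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> pairs from an identifier page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        href = attr.get("href")
        if not href:
            return
        # rel may hold several space-separated tokens; first href per token wins
        for token in (attr.get("rel") or "").split():
            self.links.setdefault(token.lower(), href)


def normalize_identifier(user_input):
    """OpenID 2.0-style URL normalization of what the user typed: prepend
    http:// when no scheme is given, lowercase scheme and host, default the
    path to '/', and drop any fragment."""
    text = user_input.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def discover(identifier_page_html):
    """HTML-based discovery: return (provider endpoint, local id) from the
    OpenID 2.0 link relations, falling back to the OpenID 1.1 names."""
    collector = _LinkCollector()
    collector.feed(identifier_page_html)
    links = collector.links
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    local_id = links.get("openid2.local_id") or links.get("openid.delegate")
    return endpoint, local_id


def tls_problems(identifier, endpoint):
    """List every URL in the login that is not https (empty list = policy met)."""
    problems = []
    for label, url in (("identifier", identifier), ("provider endpoint", endpoint)):
        if not url:
            problems.append(f"{label}: missing")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{label}: not https ({url})")
    return problems


def evaluate_login(user_input, identifier_page_html):
    """Full relying-party check: normalize, discover, then enforce the TLS policy."""
    identifier = normalize_identifier(user_input)
    endpoint, local_id = discover(identifier_page_html)
    problems = tls_problems(identifier, endpoint)
    return {"identifier": identifier, "endpoint": endpoint,
            "local_id": local_id, "problems": problems,
            "accepted": not problems}


# Constructed identifier pages (not real sites) for the demonstration.
SECURE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://provider.example/openid/endpoint">
<link rel="openid2.local_id" href="https://provider.example/users/alice">
</head><body>alice</body></html>"""

INSECURE_PAGE = """<html><head>
<link rel="openid.server" href="http://provider.example/openid/endpoint">
<link rel="openid.delegate" href="http://provider.example/users/alice">
</head><body>alice</body></html>"""

if __name__ == "__main__":
    for typed, page in (("https://alice.example/", SECURE_PAGE),
                        ("alice.example", INSECURE_PAGE)):
        result = evaluate_login(typed, page)
        verdict = "accept" if result["accepted"] else "refuse"
        print(f"{typed!r}: {verdict} {result['problems']}")
```

Because the check runs before the browser is redirected anywhere, a user who types a bare hostname (which normalization turns into an `http://` identifier) is refused with a clear reason rather than being sent over plaintext to a provider that may or may not be the one they meant; requiring https on both URLs also means a wrong DNS answer has to defeat certificate validation, not merely redirect a connection.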
Your first two points are not specific to OpenID, and have been around. Many of today's banking web applications face the same problems, so there is nothing particularly insecure about OpenID.
Your third and last point is still not an intrinsic insecurity of OpenID. That insecurity depends on the implementation of the identity providers, so as long as I personally use a *good* identity provider, I don't have to worry.
- Jack
Posted by: Jack Gardener 10 Apr 2007