
OpenID still open to abuse

05 Mar 2007, Tim Anderson, Computing

http://www.computing.co.uk/ctg/opinion/1824215/openid-abuse


The big news at Carson’s Future of Web Applications conference in London last month was the momentum building for OpenID, a URL-based system for single sign-on.

Kevin Rose, founder of the popular news site Digg, announced that his site will support OpenID authentication. This follows AOL’s recent announcement that any AOL username can be used as an OpenID, and Microsoft’s declared intention to integrate OpenID with Windows CardSpace.

At the conference, Simon Willison, formerly of Yahoo, gave a presentation on the advantages of single sign-on and the potential of OpenID to help combat comment spam and other evils.

Single sign-on would be a huge convenience. Just this morning I completed three web registration forms, each requiring new usernames and passwords, to download trial software. OpenID can remove most of that when combined with the Attribute Exchange extension, which lets a site request personal details such as a name and e-mail address from your chosen OpenID provider instead of asking you to type them in again.

Unfortunately, there are several problems with OpenID. One is its vulnerability to phishing. Logging in with OpenID means the site you are visiting redirects your browser to your provider's login page, so a malicious site that claims to support OpenID can just as easily send you to a forged copy of that page and collect your username and password. Because being bounced to a login page is exactly what a user expects, there is little to warn them. Another weakness is that OpenID depends on the identifier URL being resolved to the correct machine on the internet: the site looks up your identifier to discover which provider to trust. That, in turn, depends on DNS, the system by which names are mapped to internet addresses, which is known to have security weaknesses. Anyone who can poison that lookup can point your identifier at a provider of their choosing.

The OpenID specification does not even require Transport Layer Security (TLS) for every web site that takes part in the authentication process. It allows properly secured authentication but leaves it optional, which is a missed opportunity: without TLS the discovery lookup, the redirect to the provider and the provider's reply all travel in the clear, where anyone on the path can read or alter them. The snag with any single sign-on scheme is that if the credentials are stolen, the thief gets access to many accounts, not just one.

It is easier to fix security issues with OpenID than to fix millions of individual web sites with weak authentication. But OpenID is not a cure-all. Currently, it is suitable for commenting on blogs or registering for trial software, but not for e-commerce or online banking. I would like to see sites that accept OpenID insist that it is used in a secure manner. The work being done to integrate with CardSpace is meant to close the phishing route, because the CardSpace identity selector runs on the user's own machine and chooses the provider there, rather than following a redirect supplied by the site being visited. If that is combined with TLS, OpenID is real progress towards a secure internet. Otherwise, it may be a disaster.
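What "insisting that OpenID is used in a secure manner" looks like on the relying site's side, as an added example that is not part of the article and not the code of any OpenID library: the site refuses to start a login unless the identifier, the discovered provider endpoint and its own return address are all https, and on the way back it checks the provider's signed assertion, the endpoint and return address it expected, and a replay nonce. The field names and the key-value signing form (base64 of an HMAC-SHA1 over the fields listed in openid.signed) follow the OpenID 2.0 specification as the author of this example understands it; the association key, hosts, handle and nonce are constructed sample data, and the association exchange that would normally produce the key is assumed to have already happened.

```python
# Added example, not from the article: relying-party-side checks for an
# OpenID 2.0-style login. Hosts, keys and nonces are constructed sample data.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields a positive assertion must sign, as assumed here from the OpenID 2.0 spec.
MUST_SIGN = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")


def is_tls_url(url: str) -> bool:
    """True only for an absolute https:// URL with a host part."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.netloc)


def tls_policy_violations(*urls: str) -> list:
    """Every URL given that is not served over TLS."""
    return [u for u in urls if not is_tls_url(u)]


def build_checkid_redirect(op_endpoint, claimed_id, return_to, realm, assoc_handle):
    """The checkid_setup redirect the site sends the browser to; refuses plain http anywhere."""
    bad = tls_policy_violations(op_endpoint, claimed_id, return_to)
    if bad:
        raise ValueError("refusing to start login over plain http: " + ", ".join(bad))
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": assoc_handle,
    }
    return f"{op_endpoint}?{urlencode(params)}"


def _kv_form(params: dict, fields) -> str:
    """Key-value form of the signed fields: 'key:value\\n' per field, openid. prefix dropped."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in fields)


def sign_response(mac_key: bytes, params: dict) -> str:
    """base64(HMAC-SHA1(mac_key, key-value form)) over the fields listed in openid.signed."""
    fields = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, _kv_form(params, fields).encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def provider_positive_assertion(mac_key, op_endpoint, return_to, claimed_id, assoc_handle, nonce) -> str:
    """Provider side: the signed id_res query string sent back to return_to."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": ",".join(MUST_SIGN),
    }
    params["openid.sig"] = sign_response(mac_key, params)
    return urlencode(params)


def tamper_field(query: str, field: str, value: str) -> str:
    """Re-encode a response with one field changed, to show the signature check catching it."""
    p = dict(parse_qsl(query, keep_blank_values=True))
    p[field] = value
    return urlencode(p)


def verify_response(mac_key, query, expected_endpoint, expected_return_to, seen_nonces):
    """Relying-party side. Returns (True, claimed_id) or (False, reason)."""
    p = dict(parse_qsl(query, keep_blank_values=True))
    if p.get("openid.ns") != OPENID_NS or p.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = p.get("openid.signed", "").split(",")
    missing = [f for f in MUST_SIGN if f not in signed]
    if missing:
        return False, "unsigned fields: " + ", ".join(missing)
    if any("openid." + f not in p for f in signed):
        return False, "a field named in openid.signed is absent"
    # Only accept assertions from the https endpoint discovered for this identifier.
    if not is_tls_url(expected_endpoint) or p["openid.op_endpoint"] != expected_endpoint:
        return False, "op_endpoint is not the https endpoint we discovered"
    if p["openid.return_to"] != expected_return_to:
        return False, "return_to does not match the one we sent"
    if not hmac.compare_digest(sign_response(mac_key, p), p.get("openid.sig", "")):
        return False, "signature does not verify under the association key"
    if p["openid.response_nonce"] in seen_nonces:
        return False, "replayed assertion"
    seen_nonces.add(p["openid.response_nonce"])
    return True, p["openid.claimed_id"]


if __name__ == "__main__":
    key = b"constructed-association-key"  # would come from an openid.mode=associate exchange
    ep, rt, who = "https://op.example/auth", "https://rp.example/login/return", "https://alice.example/"
    print(build_checkid_redirect(ep, who, rt, "https://rp.example/", "h1"))
    q = provider_positive_assertion(key, ep, rt, who, "h1", "2007-03-05T10:00:00Zabc")
    seen = set()
    print(verify_response(key, q, ep, rt, seen))
    print(verify_response(key, tamper_field(q, "openid.claimed_id", "https://mallory.example/"), ep, rt, seen))
    print(verify_response(key, q, ep, rt, seen))
```

Two design points are worth noting. The endpoint check compares the assertion's op_endpoint with the one the site discovered for the identifier, so a provider the user was phished into cannot mint an assertion for someone else's identifier unless it also controls that identifier's discovery; that is exactly the step which the article's DNS concern undermines, and why the https requirement on the identifier matters. The nonce set is what stops a captured assertion being replayed, which is the cheapest attack if the return leg is not protected by TLS.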

Reader comments

my 3 cents

Your first two points are not specific to OpenID, and have been around. Many of today's banking web applications face the same problems, so there is nothing particularly insecure about OpenID.

Your third and last point is still not an intrinsic insecurity of OpenID. That insecurity depends on the implementation of the identity providers, so as long as I personally use a *good* identity provider, I don't have to worry.

- Jack

Posted by: Jack Gardener  10 Apr 2007
