[OpenID] allowing users to switch to openid-only: pointless?

SitG Admin sysadmin at shadowsinthegarden.com
Sat Jun 27 01:00:38 UTC 2009


>We will be using Media Temple <http://mediatemple.net/> to host the 
>site and my co-designer believes that they are an indomitable Fort 
>Knox when it comes to keeping data secure.

Physically, sure. Their data center is well-protected. But to the 
webserver? At most they might automatically update you with the 
latest security fixes (which you can do yourself); that doesn't do 
anything to protect you against a poorly-written website. They might 
have a network IDS keeping an eye on traffic, but what good is that 
when SSL (you *are* using SSL for login attempts, aren't you? y'know, 
not letting customers send usernames and passwords across "in the 
clear"?) prevents their IDS from perceiving that a user is making 
multiple consecutive login attempts?

So you stop using SSL, and the IDS has to decide when it crosses over 
from seeing an innocent user who forgot their password to an attacker 
trying to guess a password. Is it using its own definitions or some 
you supplied?

Try contacting Media Temple directly and asking their techs to run 
down a list of the dangers for you. Your co-designer might accept 
that Media Temple can't achieve miracles when it comes straight from 
them.

-Shade
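The point above is that once logins travel over SSL, the host's network IDS cannot count login attempts, so the web application itself has to tell a forgetful user apart from someone guessing passwords. The following is an added example, not code from the thread or from Media Temple: a small application-side tracker with separate per-account and per-source thresholds (the window and limits are assumed values chosen for illustration).

```python
from collections import defaultdict, deque

# Assumed thresholds for this example; tune them for your own site.
WINDOW_SECONDS = 300      # only failures in the last 5 minutes count
PER_ACCOUNT_LIMIT = 5     # a user who forgot a password rarely needs more
PER_SOURCE_LIMIT = 20     # one client failing across many accounts = guessing


class LoginFailureTracker:
    """Counts failed logins inside the application, where the TLS endpoint
    is, because a network IDS outside it only sees encrypted bytes."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.by_account = defaultdict(deque)  # username -> failure timestamps
        self.by_source = defaultdict(deque)   # client IP -> failure timestamps

    def _prune(self, q, now):
        # Drop failures that have fallen out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, username, source_ip, now):
        """Record one failed attempt and return the action to take:
        "ok", "throttle_account" (probably a forgetful user; slow them
        down or offer a reset) or "block_source" (one client spraying
        attempts across accounts)."""
        acct, src = self.by_account[username], self.by_source[source_ip]
        acct.append(now)
        src.append(now)
        self._prune(acct, now)
        self._prune(src, now)
        if len(src) >= PER_SOURCE_LIMIT:
            return "block_source"
        if len(acct) >= PER_ACCOUNT_LIMIT:
            return "throttle_account"
        return "ok"

    def record_success(self, username):
        # A successful login clears that account's failure history.
        self.by_account.pop(username, None)


def replay(events):
    """Feed constructed (username, source_ip, timestamp) failures through a
    fresh tracker and return the decision made for each one."""
    tracker = LoginFailureTracker()
    return [tracker.record_failure(u, ip, t) for u, ip, t in events]
```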