[security] "Anonymous Providers"
Steven Osborn
steven at vidoop.com
Wed Feb 21 00:00:21 UTC 2007
I was curious as to everyone's take on "anonymous" openid providers
such as http://www.jkg.in/openid/
I just picture a scenario where Grandpa wants to be cool and use
openID because he's heard it's sooo hip and secure and an anonymous
openID must be even more secure, so he types in
http://www.jkg.in/openid/asdf1234 as his openID or even copies and pastes
"http://www.jkg.in/openid/anything" since it's an example that is given. Now
every hacker in town can just write a bot that logs in with
"http://www.jkg.in/openid/anything" all over the net, accessing poor souls'
accounts who thought it was cool to be anonymous.
Of course it is up to the user to choose a legitimate openID provider
that they trust, but I'm not sure what percentage of users is capable
of discerning a good provider from a bad one.