[security] how secure is openid? advise pls..

Brandon Ramirez brandon.s.ramirez at gmail.com
Tue Feb 10 04:28:12 UTC 2009


I would elaborate what you mean by secure?  What are you trying to verify?
Considering what you said and all replies so far, I'd say it isn't your
users you need to worry about protecting - it's protecting yourself.

What makes your simple question so difficult to answer is that OpenID is as
secure as the identity provider with which you communicate.  Some providers
can use two-factor auth, or place a phone call, use strong authentication,
etc.  Others may just use plaintext over HTTP as someone else noted.  You
have to assess the risk to your site and its assets to determine if that is
acceptable.  Bear in mind the visibility of your users' data; that too is an
asset.  Is there any way that can be exposed to another logged-in user (this
isn't a technical question, I'm referring right to the user interface)?

- Brandon

On Mon, Feb 9, 2009 at 2:02 PM, Balasubramanian G <mccbala at gmail.com> wrote:

> Dear all,
>
> I recently started working upon making my site OpenID enabled. When I was
> having a talk with my friend about this, he pointed a series of articles in
> the internet which describe the vulnerabilities in using OpenID. Though my
> site does not deal with any sensitive data, I just want to make sure that
> it's safe to the users if not 100%, at least to the max extent.
>
> So, please advise me on how secure is OpenID and what safety measures should I
> implement in order to make it more safe as I am answerable to the users of
> my site if they raise the question of security.. Reply ASAP
>
> Warm Regards
> Balasubramanian