[security] how secure is openid? advise pls..

Balasubramanian G mccbala at gmail.com
Tue Feb 10 16:18:58 UTC 2009


I am not handling any sensitive data. I am going to implement this in a
non-profit music site. It's just that I wanted to know what loopholes
and pitfalls there are if one makes his site OpenID enabled (not an OP). Also
I need to keep a watch on what people do. So can I at least restrict them to
using only the one ID with which they log in the first time? Because I have to
calculate their usage and assign them specific download quotas, I
should make sure that the user doesn't use another OpenID to log in and
continue using the website. Please advise.

Warm Regards
Balasubramanian
www.icreatesoftwares.co.cc, www.yourtanpura.co.cc, www.quizmasterpro.co.cc


On Tue, Feb 10, 2009 at 9:58 AM, Brandon Ramirez <
brandon.s.ramirez at gmail.com> wrote:

> I would elaborate on what you mean by secure.  What are you trying to verify?
> Considering what you said and all replies so far, I'd say it isn't your
> users you need to worry about protecting - it's protecting yourself.
>
> What makes your simple question so difficult to answer is that OpenID is as
> secure as the identity provider with which you communicate.  Some providers
> can use two-factor auth, or place a phone call, use strong authentication,
> etc.  Others may just use plaintext over HTTP as someone else noted.  You
> have to assess the risk to your site and its assets to determine if that is
> acceptable.  Bear in mind the visibility of your users' data; that too is an
> asset.  Is there any way that can be exposed to another logged-in user (this
> isn't a technical question, I'm referring right to the user interface)?
>
> - Brandon
>
> On Mon, Feb 9, 2009 at 2:02 PM, Balasubramanian G <mccbala at gmail.com>wrote:
>
>> Dear all,
>>
>> I recently started working on making my site OpenID enabled. When I was
>> having a talk with my friend about this, he pointed to a series of articles on
>> the internet which describe the vulnerabilities in using OpenID. Though my
>> site does not deal with any sensitive data, I just want to make sure that
>> it's safe for the users, if not 100%, at least to the max extent.
>>
>> So, please advise me on how secure OpenID is and what safety measures I should
>> implement in order to make it safer, as I am answerable to the users of
>> my site if they raise the question of security. Reply ASAP
>>
>> Warm Regards
>> Balasubramanian
>>
>> _______________________________________________
>> security mailing list
>> security at openid.net
>> http://openid.net/mailman/listinfo/security
>>
>>
>
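The account binding Balasubramanian asks about (one OpenID per account, quotas tracked per account) can be done entirely on the relying-party side. The following is an added example written for this archive page, not code from anyone in the thread: an in-memory account store that keys each account on the claimed identifier returned by the OpenID library after it has verified the assertion, normalizes that identifier so that two spellings of the same URL do not create two accounts, refuses to rebind a logged-in session to a different identifier, and charges downloads against a per-account quota. The `AccountStore`, `Account`, `DEFAULT_QUOTA` and the sample identifiers are all constructed for the example; the normalization follows the URL rules of OpenID 2.0 in simplified form and ignores XRIs.

```python
from dataclasses import dataclass
from typing import Dict
from urllib.parse import urlsplit, urlunsplit

DEFAULT_QUOTA = 2  # downloads allowed per account; constructed value for the example


def normalize_identifier(raw: str) -> str:
    """Normalize a URL-form OpenID identifier (simplified OpenID 2.0 rules):
    default the scheme to http, lowercase scheme and host, drop the fragment,
    and turn an empty path into "/". XRIs (=name, @name, ...) are not handled."""
    text = raw.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    host = parts.hostname or ""          # .hostname is already lowercased
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


@dataclass
class Account:
    claimed_id: str          # normalized identifier the account was created with
    downloads_used: int = 0
    quota: int = DEFAULT_QUOTA


class AccountStore:
    """Stand-in for the site's user table (constructed for the example)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def login(self, verified_claimed_id: str, session: dict) -> Account:
        """Bind the session to the account for this identifier.

        `verified_claimed_id` must be the claimed identifier the OpenID
        library returned AFTER verifying the assertion (signature, nonce,
        return_to); a raw form parameter is never trusted here."""
        cid = normalize_identifier(verified_claimed_id)
        bound = session.get("claimed_id")
        if bound is not None and bound != cid:
            # The site offers no "link another OpenID" feature: a session that
            # is already bound stays bound to the identifier it started with.
            raise PermissionError(f"session already bound to {bound}")
        account = self._accounts.setdefault(cid, Account(claimed_id=cid))
        session["claimed_id"] = cid
        return account

    def try_download(self, session: dict) -> bool:
        """Consume one download from the bound account; False when not logged in
        or when the quota is exhausted."""
        cid = session.get("claimed_id")
        if cid is None:
            return False
        account = self._accounts[cid]
        if account.downloads_used >= account.quota:
            return False
        account.downloads_used += 1
        return True


if __name__ == "__main__":
    store, session = AccountStore(), {}
    acct = store.login("Example.COM/alice", session)          # constructed identifier
    print(acct.claimed_id)                                     # http://example.com/alice
    print([store.try_download(session) for _ in range(3)])     # [True, True, False]
```

What this does and does not guarantee: the quota is attached to the identifier, so re-spelling the same URL (upper-case host, missing scheme, trailing fragment) lands on the same account, and a logged-in user cannot switch the session to a second identifier. It cannot stop a person from obtaining a second OpenID and creating a second account, since any OP can mint identifiers; per-identifier quotas limit accounts, not people.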