I would elaborate on what you mean by secure. What are you trying to verify? Considering what you said and all replies so far, I'd say it isn't your users you need to worry about protecting - it's protecting yourself.<br>
<br>What makes your simple question so difficult to answer is that OpenID is as secure as the identity provider with which you communicate. Some providers can use two-factor auth, or place a phone call, use strong authentication, etc. Others may just use plaintext over HTTP as someone else noted. You have to assess the risk to your site and its assets to determine if that is acceptable. Bear in mind the visibility of your users' data; that too is an asset. Is there any way that can be exposed to another logged-in user (this isn't a technical question, I'm referring right to the user interface)?<br>
<br>- Brandon<br><br><div class="gmail_quote">On Mon, Feb 9, 2009 at 2:02 PM, Balasubramanian G <span dir="ltr">&lt;<a href="mailto:mccbala@gmail.com">mccbala@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Dear all,<br><br>I recently started working on making my site OpenID-enabled. When I was having a talk with my friend about this, he pointed to a series of articles on the internet which describe the vulnerabilities in using OpenID. Though my site does not deal with any sensitive data, I just want to make sure that it's safe for the users, if not 100%, at least to the maximum extent.<br>
<br>So, please advise me on how secure OpenID is and what safety measures I should implement in order to make it safer, as I am answerable to the users of my site if they raise the question of security. Reply ASAP.<br><br clear="all">
Warm Regards<br><font color="#888888">Balasubramanian<br>
</font><br>_______________________________________________<br>
security mailing list<br>
<a href="mailto:security@openid.net">security@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/security" target="_blank">http://openid.net/mailman/listinfo/security</a><br>
<br></blockquote></div><br>