I am not handling any sensitive data. I am going to implement this in a non-profitable music site. It's just that I wanted to know what loopholes and pitfalls there are if one makes his site OpenID enabled (not an OP). Also, I need to keep a watch on what people do. So can I at least restrict them to use only the one ID with which they log in the first time? Because I have to calculate their usage and all and fix them specific download quotas. So I should make sure that the user doesn't use another OpenID to log in and continue using the website. Please advise.<br>
<br clear="all">
Warm Regards<br>Balasubramanian<br><a href="http://www.icreatesoftwares.co.cc" target="_blank">www.icreatesoftwares.co.cc</a>, <a href="http://www.yourtanpura.co.cc" target="_blank">www.yourtanpura.co.cc</a>, <a href="http://www.quizmasterpro.co.cc" target="_blank">www.quizmasterpro.co.cc</a><br>
<br><br><div class="gmail_quote">On Tue, Feb 10, 2009 at 9:58 AM, Brandon Ramirez <span dir="ltr">&lt;<a href="mailto:brandon.s.ramirez@gmail.com" target="_blank">brandon.s.ramirez@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I would elaborate what you mean by secure? What are you trying to verify? Considering what you said and all replies so far, I'd say it isn't your users you need to worry about protecting - it's protecting yourself.<br>
<br>What makes your simple question so difficult to answer is that OpenID is as secure as the identity provider with which you communicate. Some providers can use two-factor auth, or place a phone call, use strong authentication, etc. Others may just use plaintext over HTTP as someone else noted. You have to assess the risk to your site and its assets to determine if that is acceptable. Bear in mind the visibility of your users' data; that too is an asset. Is there any way that can be exposed to another logged-in user (this isn't a technical question, I'm referring right to the user interface)?<br>
<font color="#888888">
<br>- Brandon<br><br></font><div class="gmail_quote"><div><div></div><div>On Mon, Feb 9, 2009 at 2:02 PM, Balasubramanian G <span dir="ltr">&lt;<a href="mailto:mccbala@gmail.com" target="_blank">mccbala@gmail.com</a>&gt;</span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div><div>
Dear all,<br><br>I recently started working on making my site OpenID enabled. When I was having a talk with my friend about this, he pointed to a series of articles on the internet which describe the vulnerabilities in using OpenID. Though my site does not deal with any sensitive data, I just want to make sure that it's safe for the users, if not 100%, at least to the maximum extent.<br>
<br>So, please advise me on how secure OpenID is and what safety measures I should implement in order to make it safer, as I am answerable to the users of my site if they raise the question of security. Reply ASAP<br><br clear="all">
Warm Regards<br><font color="#888888">Balasubramanian<br>
</font><br></div></div><div>_______________________________________________<br>
security mailing list<br>
<a href="mailto:security@openid.net" target="_blank">security@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/security" target="_blank">http://openid.net/mailman/listinfo/security</a><br>
<br></div></blockquote></div><br>
</blockquote></div><br>
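Added example, not part of the thread: one way a relying party could act on the two points above, by accepting only HTTPS identifiers from providers it has chosen to trust and by keying each download quota to the verified claimed identifier. It assumes an OpenID library has already verified the assertion; the provider host, the quota and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

ALLOWED_OP_HOSTS = {"op.example.org"}  # constructed: providers this site trusts
DOWNLOAD_QUOTA = 3                     # constructed: downloads allowed per account


def _https_url(url):
    """Require an HTTPS URL and return it split, with a lowercased host."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("not an HTTPS URL: %r" % url)
    return parts._replace(netloc=parts.netloc.lower())


def account_key(claimed_id, op_endpoint):
    """Apply site policy to an assertion the OpenID library already verified.

    Returns the (simplified) normalized claimed identifier, which is the key
    the local account and its quota are stored under.
    """
    op = _https_url(op_endpoint)
    if op.hostname not in ALLOWED_OP_HOSTS:
        raise PermissionError("provider not trusted: %s" % op.hostname)
    cid = _https_url(claimed_id)
    return urlunsplit(cid._replace(path=cid.path or "/"))


class QuotaLedger:
    """Counts downloads per account key and refuses once the quota is used."""

    def __init__(self, quota=DOWNLOAD_QUOTA):
        self.quota = quota
        self.used = {}

    def try_download(self, key):
        if self.used.get(key, 0) >= self.quota:
            return False
        self.used[key] = self.used.get(key, 0) + 1
        return True
```

The quota follows the identifier: the same person arriving with a different claimed identifier is a different key, so the provider allowlist is the only control here over who can obtain an identifier.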