[ubuntu-in] [OT] OpenId Discussion

Parthan SR parth.technofreak at gmail.com
Thu Aug 14 05:15:29 BST 2008


Jayanth S wrote:
> I'm just trying to understand how ANY user would trade away 
> information like that so easily.. And want some people who have used 
> these invitation services to tell us all what gave them the confidence 
> to do so..
Because people are still not aware of security, its exploits and its 
impact on their lives. If you ever watch the kind of people who 
usually fall prey to those trade-offs, they are not mature people who 
have been using the Internet and the various services available 
online. They are enthusiastic kids who do not care much about their 
online privacy and security. Second, these are also people who do not 
look before they leap. They do not realize that the site is just 
going to use their entire address book, which unfortunately also 
contains mailing list addresses. They do not realize that this will 
eventually result in their email account being used as a carrier for 
massive amounts of spam. People who are aware of this, or have 
experienced the embarrassment once in their lifetime, are more 
careful not to go for it. At the end of the day, it's all about 
awareness and I don't see an end to this until the social networking 
sites themselves stop this method (which also won't happen).
>
> With one developer resources website, I had to enter my OpenID which 
> would be something at livejournal and then the password.. I was redirected 
> for authentication (agreed) but in between, I did send my info to the 
> site.. I mean, from my side it would have been a mistake to trust the 
> site.. But I was just testing something out so that's ok..
If you fully understand how the OpenID mechanism works and have tried to 
implement a sample of it for yourself, then you wouldn't be confused 
as you are. From your side, in your browser, it might look like a 
yanking between sites where you jump from your site-of-interest to the 
site-of-authentication, then back again to your site-of-interest, 
being authenticated in between. But internally it is fully secure: your 
information at the authentication site (say your SSH and PGP keys in 
Launchpad) has no way of being read by the site-of-interest, as the 
authentication site only performs an authentication and sends back a 
yes or no. The site-of-interest is just performing an auth check with 
the authentication site on whether you are genuinely who you claim to 
be. When the reply is yes, you are allowed to access the site as who 
you claimed to be. All you provide to the target site-of-interest is 
the OpenID URL provided by the authentication site, and no credentials 
such as username or password. Hence by no means can the target site 
steal info from the authentication site without your knowledge. Even if 
the target site saves that URL and tries later when your session is 
off, all it will get back is the authentication site's login window, 
through which the target site has no way of getting authenticated. Thus 
your privacy is secured.

You may counter-argue that there needs to be an authentication 
site/service, and you still need to enter a username and password 
there. But as of now, we need one such service for authentication, and 
you may resort to using multiple authentication sites with different 
and strong passwords to protect yourself. 100% security is a myth in 
this world, so you have to settle for the most comfortable option you 
feel to be secure enough.

-- 
---
With Regards,

Parthan "technofreak"
<gpg>  2FF01026
<blog> http://blog.technofreak.in
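As an added illustration of the flow described in the post above (not code from the post or from any OpenID library), the simulation below models a provider (OP) and a site-of-interest (relying party, RP) that share an OpenID 2.0 style association key: the OP checks the password locally and returns only a signed yes-assertion, the RP verifies the HMAC and rejects replayed or tampered responses, and a later attempt with just the saved identifier URL yields no assertion at all. The provider URL, user table and association values are constructed demo values.

```python
import base64, hashlib, hmac, secrets
# Constructed demo values: the provider's user table and the association the
# RP and OP set up beforehand (OpenID 2.0 associations share an HMAC key).
OP_USERS = {"parthan": "correct-horse-battery"}  # constructed credentials
ASSOC_HANDLE, ASSOC_SECRET = "demo-assoc-1", secrets.token_bytes(32)
SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id")

def sign(fields):
    """HMAC-SHA256 over the signed fields in OpenID key-value form."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in SIGNED).encode()
    return base64.b64encode(hmac.new(ASSOC_SECRET, kv, hashlib.sha256).digest()).decode()

def op_authenticate(claimed_id, return_to, username=None, password=None):
    """Provider-side login. Only the OP sees the password; the RP gets back a
    signed yes (the assertion) or nothing at all."""
    if username is None or OP_USERS.get(username) != password:
        return None  # just the login window: all a replaying RP ever gets
    if claimed_id != f"https://op.example/{username}":
        return None  # the logged-in user does not own the claimed identifier
    fields = {"op_endpoint": "https://op.example/openid", "return_to": return_to,
              "response_nonce": secrets.token_hex(8),
              "assoc_handle": ASSOC_HANDLE, "claimed_id": claimed_id}
    fields["sig"] = sign(fields)
    return fields

class RelyingParty:
    """Site-of-interest: checks the signature and never accepts a nonce twice."""
    def __init__(self, return_to):
        self.return_to, self.seen_nonces = return_to, set()

    def verify(self, a):
        if a is None or a["return_to"] != self.return_to or a["assoc_handle"] != ASSOC_HANDLE:
            return False
        if not hmac.compare_digest(sign(a), a["sig"]):
            return False  # tampered or forged assertion
        if a["response_nonce"] in self.seen_nonces:
            return False  # replay of a saved response
        self.seen_nonces.add(a["response_nonce"])
        return True

def demo():
    rp = RelyingParty("https://site.example/openid/return")
    cid = "https://op.example/parthan"
    good = op_authenticate(cid, rp.return_to, "parthan", "correct-horse-battery")
    first = rp.verify(good)                   # True: fresh, correctly signed yes
    replay = rp.verify(good)                  # False: nonce already consumed
    forged = rp.verify(dict(good, claimed_id="https://op.example/jayanth"))  # False: sig mismatch
    later = rp.verify(op_authenticate(cid, rp.return_to))  # False: no login, no assertion
    return first, replay, forged, later
```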
