Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris
 
PerlMonks  

Re^2: PerlMonks OpenID provider?

by moritz (Cardinal)
on Sep 23, 2008 at 10:40 UTC ( [id://713190]=note: print w/replies, xml ) Need Help??


in reply to Re: PerlMonks OpenID provider?
in thread PerlMonks OpenID provider?

Why wouldn't you? For the average site (like the one mentioned in the OP), it really doesn't matter who handles authentication (not authorization). Now let's leave banks and websites like that out of the question. Digg? Slashdot? Perlmonks? JoeSchmoe-Forum? Does it really matter who handles authentication?
To me it does matter. If it's not secure, somebody could easily log in as moritz, and with a few writeups could destroy the reputation (and perhaps even trust) that I built by writing more than 2000 posts. (By reputation I don't mean XP right now).

Loosing the account would be very bitter, and I'm quite sure that frequent users of other sites think similarly.

If a site isn't important to you, you can post as Anonymous Monk or "Anonymous Coward" or with a bugmenot account. If it is important to you, then security matters for you.

Replies are listed 'Best First'.
Re: PerlMonks OpenID provider?
by b10m (Vicar) on Sep 23, 2008 at 11:21 UTC
    "To me it does matter. If it's not secure, somebody could easily log in as moritz, and with a few writeups could destroy the reputation (and perhaps even trust) that I built by writing more than 2000 posts."

    Right, I see why having your account broken into is something that bothers you (and me), but that could happen in any other form as well (again: Yahoo! Palin. Mail). First of all, the "attacker" has to guess which provider you used (obscurity, yes never good). In this case, Perlmonks would be an easy guess.

    Secondly, the "attacker" needed to somehow authenticate at Perlmonks with your credentials. So, rather than fearing OpenID being insecure, you really shouldn't trust Perlmonks security. So here it boils down to what OpenID provider you trust.

    I haven't seen stories where OpenID was spoofed (if you have stories, please let me know). I can only think of DNS attacks (?).

    --
    b10m

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://713190]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others making s'mores by the fire in the courtyard of the Monastery: (9)
As of 2024-03-28 09:39 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found