Google Tech Talks
June 25, 2007
ABSTRACT
Simon Willison
OpenID is an emerging standard that provides simple, decentralised authentication for the Web. OpenID follows the Unix philosophy, solving one small problem rather than attempting to tackle the many larger challenges posed by online identity. This talk will explore the implications of OpenID, and explore the best practices required to take advantage of this new technology while avoiding the potential pitfalls.
Speaker: Simon Willison
Simon Willison is a consultant on OpenID and client- and server-side Web development, and a co-creator of the Django Web framework. Before going freelance Simon worked on Yahoo!'s Technology Development...
In addition to the problems mentioned in the video, note that there is a problem with exposing too many passwords to a user, which relates to passwords being system codes; there is more on that on MeatballWiki.
Myrtone 1 year ago
@edgecrush3r see 17:30-18:30 in the video for the solution to this question.
andjack 1 year ago
This is much worse because everything is centralized, so keeping different accounts still pays off. But yeah, it's harder to manage.
edgecrush3r 2 years ago
I'm still not convinced about IDP spoofing, at all...
1. User visits a malicious RP page containing what looks like a regular OpenID login form.
2. User enters OpenID URL
3. Malicious RP redirects user to another page that looks like the user's OP (call this Fake-OP) using a proxy to load/modify the content.
4. Fake-OP asks user for password. User, not noticing the difference from his usual OP, enters his password.
5. Fake-OP now has user's password.
edgecrush3r 2 years ago
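The steps in the comment above boil down to one fact about the protocol: the RP chooses where the browser is redirected, and nothing in plain OpenID makes the user check that the page asking for the password is the OP that discovery on their identifier actually names. The following simulation is an added example, not code from the talk or from any OpenID library. It models discovery as a constructed lookup table, builds the checkid_setup redirect for an honest RP and for a malicious RP that points at a hypothetical lookalike "Fake-OP" host, and then applies the check a user agent (or password manager that only fills on the real OP's origin) would need to make before step 4: compare the origin of the password page with the origin of the discovered OP endpoint.

```python
from urllib.parse import urlencode, urlparse

# Constructed sample discovery table: claimed identifier -> OP endpoint.
# In real OpenID the RP obtains this by fetching the identifier URL and
# reading its <link rel="openid.server"> tag or its XRDS document.
DISCOVERY = {
    "https://alice.example.net/": "https://op.example.net/auth",
}

# Hypothetical lookalike host the malicious RP uses for its proxied Fake-OP
# (step 3 in the comment). The real OP name is only a prefix of the host.
FAKE_OP = "https://op.example.net.login-check.example/auth"


def discover_op_endpoint(claimed_id):
    """Return the OP endpoint discovered for the claimed identifier."""
    return DISCOVERY[claimed_id]


def checkid_setup_url(op_endpoint, claimed_id, return_to):
    """Build the redirect an RP sends the browser to (OpenID checkid_setup)."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
    }
    return op_endpoint + "?" + urlencode(params)


def honest_rp_redirect(claimed_id, return_to):
    """Honest RP: redirect to the endpoint that discovery produced."""
    endpoint = discover_op_endpoint(claimed_id)
    return checkid_setup_url(endpoint, claimed_id, return_to)


def malicious_rp_redirect(claimed_id, return_to):
    """Malicious RP: ignore discovery and send the browser to the proxy."""
    return checkid_setup_url(FAKE_OP, claimed_id, return_to)


def redirect_matches_discovery(redirect_url, claimed_id):
    """The check that is missing before step 4: does the page asking for the
    password live at the OP that discovery on the claimed identifier names?
    Scheme and full hostname are compared, so a lookalike host that merely
    starts with the real OP name still fails."""
    got = urlparse(redirect_url)
    expected = urlparse(discover_op_endpoint(claimed_id))
    return (got.scheme, got.hostname) == (expected.scheme, expected.hostname)


if __name__ == "__main__":
    claimed = "https://alice.example.net/"
    ret = "https://rp.example.org/finish"
    for label, url in (("honest RP", honest_rp_redirect(claimed, ret)),
                       ("malicious RP", malicious_rp_redirect(claimed, ret))):
        print(label, "sends browser to", urlparse(url).hostname,
              "- matches discovery:", redirect_matches_discovery(url, claimed))
```

The point of the simulation is who performs the check: the malicious RP obviously never will, so the comparison only helps if it runs on the user's side, with discovery done independently of the RP that issued the redirect. That is also why a password manager bound to the real OP's origin blunts the attack: it refuses to fill the Fake-OP page, so the proxied form in step 4 stays empty.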
Meh! Get roboform!
DryBaboon 3 years ago
This is a great talk, and I had the same reaction to the phishing/credential stealing problem. He did sidestep the actual problem; however, I realized a solution to this:
One Time Passwords. If your openID provider is hacked, they should only have the information required to authenticate you, not the secret information you have yourself. Look into technologies such as Yubico's Yubikey. Also, I'd hope any password auth provider would only store one-way hashes, not the pass itself.
XenTityX 3 years ago
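On the last point of the comment above, storing only one-way hashes, here is what "only the information required to authenticate you" looks like for a password-based OP. This is an added example, not code from the talk or from any OpenID provider; the iteration count is an assumption to be tuned for the deployment. The record an attacker would obtain by dumping the provider's database holds a random per-user salt and a PBKDF2-HMAC-SHA256 digest, never the password, and verification recomputes the digest and compares it in constant time.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: raise until a verification takes ~100 ms on your hardware


def make_record(password):
    """What the provider stores: a random salt and a one-way digest.
    The password itself never appears in the record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify(record, password):
    """Recompute the digest from the stored salt and compare in constant time,
    so a wrong guess and a right guess take the same time to reject/accept."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


def record_contains_password(record, password):
    """Sanity check from the attacker's viewpoint: is the plaintext anywhere
    in the dumped record?"""
    return any(password == value for value in record.values())


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample password
    print("stored record:", rec)
    print("correct password verifies:", verify(rec, "correct horse battery staple"))
    print("wrong password verifies:", verify(rec, "Tr0ub4dor&3"))
    print("plaintext in record:", record_contains_password(rec, "correct horse battery staple"))
```

Because the salt is drawn fresh per record, two users with the same password get different digests, so a leaked table cannot be attacked with one precomputed dictionary for everyone. This protects the password against a database dump; it does nothing against the phishing flow discussed earlier, where the user types the password into the wrong site before any hashing happens.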
I enjoyed the talk a lot but I didn't like how he kinda kept avoiding interesting security issues with OpenID just by saying that the issues are already here. It's not about whether or not OpenID is just as vulnerable as using your email address across the internet and stuff. It's about what OpenID should do to combat this vulnerability. The whole "forgot my password" scam shouldn't be equivalent to OpenID, at least to me...
blackwire00 4 years ago
I would really like it too. Maybe through Gmail.
mikehc23 4 years ago
I'd really like to see Google start offering an OpenID service, and I could see Apple doing it as part of their .Mac service too.
The only big name right now is AOL, and I don't really like it.
zer0graph 4 years ago