PerlMonks
Re: PerlMonks OpenID provider?

by b10m (Vicar)
on Sep 23, 2008 at 09:02 UTC (#713170=note)


in reply to Re^2: PerlMonks OpenID provider?
in thread PerlMonks OpenID provider?

"I mean, do you really want to trust Bob's Computer Shop to allow logins to your site?"

Why wouldn't you? For the average site (like the one mentioned in the OP), it really doesn't matter who handles authentication (not authorization). Now let's leave banks and websites like that out of the question. Digg? Slashdot? Perlmonks? JoeSchmoe-Forum? Does it really matter who handles authentication?

Sure, Bob's Computer Shop could be faking credentials, but with regular password based authentication on your own site, you're really no better off. (Palin's Yahoo! mailbox anyone?). With sites like bugmenot.com, password based authentication is definitely no better IMHO.

But I'd like to hear some arguments of the "haters" :)

--
b10m


Re^2: PerlMonks OpenID provider?
by moritz (Cardinal) on Sep 23, 2008 at 10:40 UTC
    Why wouldn't you? For the average site (like the one mentioned in the OP), it really doesn't matter who handles authentication (not authorization). Now let's leave banks and websites like that out of the question. Digg? Slashdot? Perlmonks? JoeSchmoe-Forum? Does it really matter who handles authentication?
    To me it does matter. If it's not secure, somebody could easily log in as moritz, and with a few writeups could destroy the reputation (and perhaps even trust) that I built by writing more than 2000 posts. (By reputation I don't mean XP right now).

    Losing the account would be very bitter, and I'm quite sure that frequent users of other sites think similarly.

    If a site isn't important to you, you can post as Anonymous Monk or "Anonymous Coward" or with a bugmenot account. If it is important to you, then security matters for you.

      "To me it does matter. If it's not secure, somebody could easily log in as moritz, and with a few writeups could destroy the reputation (and perhaps even trust) that I built by writing more than 2000 posts."

      Right, I see why having your account broken into is something that bothers you (and me), but that could happen in any other form as well (again: Yahoo! Palin. Mail). First of all, the "attacker" has to guess which provider you used (obscurity, yes never good). In this case, Perlmonks would be an easy guess.

      Secondly, the "attacker" needed to somehow authenticate at Perlmonks with your credentials. So, rather than fearing OpenID being insecure, you really shouldn't trust Perlmonks security. So here it boils down to what OpenID provider you trust.

      I haven't seen stories where OpenID was spoofed (if you have stories, please let me know). I can only think of DNS attacks (?).

      --
      b10m
Re^2: PerlMonks OpenID provider?
by mr_mischief (Prior) on Sep 23, 2008 at 14:17 UTC
    Flippantly calling people "haters" because they see legitimate flaws in something you like is as offensive and juvenile as calling people "fanbois" because they see legitimate benefits in something you dislike.

    The difference between OpenID and independent authentication is that if PM was compromised as an independent site, just PM is affected. If it was compromised as an OpenID provider, then everyone who accepts its authentication information is affected until the situation is noticed.

    It makes OpenID providers sweet targets not just for what their sites offer on-site, but for who trusts their credentials. The consumer as the real target of an attack will not just have their own software and network as attack vectors, but all the software and all the networks of every site they trust. When the weakest one falls, there are people with illegitimate access to the real target even if their security was otherwise flawless.

    I'll use your example of Governor Palin's weak password which was guessed by the son of a political rival. We can either have the Governor's personal email compromised and stop at that, or we can have some punk kid posting all over the Internet as the Governor of Alaska for a couple of days before people realize what is happening. I certainly know which I prefer.

    It's bad enough that by having all of Yahoo under one login structure he could have impersonated her rather than exposing her email messages. This kid could have signed her up for personal ads and joined potentially objectionable discussion groups. He could have participated in sexually charged chat as her in the chat rooms and used Yahoo messenger to start flirting with state interns. Then, instead of showing that her account was compromised, he could have just announced what the account had done and who the account holder was. That could have been a much bigger political scandal than what came to pass.

      "Flippantly calling people "haters" because they see legitimate flaws in something you like is as offensive and juvenile as calling people "fanbois" because they see legitimate benefits in something you dislike."

      Oh relax. I was merely referring to the first comments that used the "hate" stigma. In fact, I'm tremendously interested in the arguments against OpenID and you raise valid concerns. And for the record, I'm not a "fanboi"; I'm stuck in the middle, slightly in favour, because at this point I don't see many obstacles.

      "The difference between OpenID and independent authentication is that if PM was compromised as an independent site, just PM is affected. If it was compromised as an OpenID provider, then everyone who accepts its authentication information is affected until the situation is noticed."

      Here you have a valid concern. The single point of failure isn't nice, I fully agree. Yet I don't hear these concerns too often with, e.g. SSH's authorized_keys. Other single points of failure are of course one password for all sites (happens too often), one mail account signing up (so compromising the mailbox could potentially help one access many other sites), stored passwords in browsers etc.

      A positive thing would be that OpenID could take away the threshold of people signing up to sites, like Perlmonks (if it'd start accepting it, rather than offering provider services). Granted, if Perlmonks would only offer the provider service, this argument makes close to no sense.

      I haven't looked at the OpenID specs in close detail, but do seem to remember you can also delegate the provider service. (ah, it indeed is possible). Maybe that would be an option for Perlmonks then (?). A small adjustment to the home node would seem enough. This would take away the increased risk of attacks on this site; the bandwidth increase would be minimal and it'd still offer the OP a way to authenticate using his/her Perlmonks homenode.

      OpenID is a growing thing (whether we like it or not). Look at Yahoo!, Google (and more Google through Blogger), AOL and others. Discussing it here isn't necessarily a bad thing, IMHO.

      --
      b10m
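The delegation b10m mentions works through link tags in the home node's head that a relying party reads during discovery. The following is an added example (not code from this thread or from PerlMonks) of that discovery step in Python: it parses the OpenID 1.1 and 2.0 link tags from a constructed home node page, falls back to the claimed identifier when no delegate tag is present, and rejects a non-https endpoint as a relying-party policy of this example, not something the spec mandates. All hostnames are placeholders.

```python
# Added example: relying-party discovery of OpenID delegation tags on a
# claimed identifier page (e.g. a PerlMonks home node). Not from the thread.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a delegating home node. Hostnames are placeholders.
SAMPLE_HOME_NODE = """<html><head><title>b10m</title>
<link rel="openid.server" href="https://openid.example.org/server">
<link rel="openid.delegate" href="https://openid.example.org/id/b10m">
<link rel="openid2.provider" href="https://openid.example.org/server">
<link rel="openid2.local_id" href="https://openid.example.org/id/b10m">
</head><body>Home node of b10m</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> pairs from the document head.
    A rel attribute may carry several space-separated tokens."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_body = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_body = True
        if tag != "link" or self._in_body:
            return  # discovery only honours <link> tags in <head>
        a = dict(attrs)
        for token in (a.get("rel") or "").lower().split():
            self.links.setdefault(token, a.get("href"))  # first wins


def discover(claimed_id, html):
    """Return the provider endpoint and the identifier to assert there.
    Prefers OpenID 2.0 tags and falls back to 1.1; local_id defaults to
    the claimed identifier when the page does not delegate."""
    p = _LinkCollector()
    p.feed(html)
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")
    if endpoint is None:
        raise ValueError("no OpenID provider link on claimed identifier page")
    if urlsplit(endpoint).scheme != "https":
        # Example policy: a plain-http endpoint lets an on-path attacker
        # substitute the provider, so refuse it (stricter than the spec).
        raise ValueError("provider endpoint must be https: " + endpoint)
    local_id = (p.links.get("openid2.local_id")
                or p.links.get("openid.delegate") or claimed_id)
    return {"claimed_id": claimed_id, "endpoint": endpoint, "local_id": local_id}
```

Because the relying party trusts whatever the home node serves, anyone who can edit that page can redirect logins to a provider of their choosing, which is the risk this delegation shifts onto the page's host.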
        "Oh relax."

        Please don't pretend to know my mental or emotional state from a matter-of-fact comment I made.

        If you haven't heard of the weaknesses of ssh shared keys, then you probably haven't read much about Unix system security. It's a quite liberally discussed topic. If one machine on a network is compromised, then it's a network-wide problem. This is especially the case when using host keys rather than or in addition to user account keys. Guess which one OpenID is more like.

        A trend does not a good idea make. There used to be paper dresses, and DDT used to be a popular pesticide. I think the classic parenting tip here is, "If Yahoo and Google jumped off a bridge, would you jump, too?"
