OpenID: yes or no? |
2008-06-19
|
I remember being really enthusiastic about OpenID when I first learnt about it. I remember trying it out and, as many, being disappointed at the practical use (nobody was supporting it) but hopeful about the idea. I tried it out a bunch of times later, but today I'm still not really using it. I saw an excellent presentation by Simon Willison at Europython last year, but I'm still not using it.
And the reason, at least for the past year, is that I do not know whether the basic model is secure or not. I've read lots of pro and con posts, and it's gone so technical I don't know who to trust.
If I think about it logically myself, I'd say that I don't see the difference between the OpenID phishing scenario and the Paypal/bank phishing scenario:
- Some site uses OpenID and I want to log in
- said site redirects me instead to a fake site, that looks the same as my real site (either because I use a popular one, or because it actually connects to my real site and presents the same page)
- Any authentication information I enter on this phishing site is thus known to the phisher
I seem to extract from all I've read before that there is a general consensus that this is a real threat, and that OpenID people feel this is not the problem they should be solving - that it is up to OpenID providers to solve this.
But if I were to put online a website that uses OpenID and handwaves phishing problems away to the providers, while simultaneously allowing all OpenID providers, I'd feel bad about teaching my users that it's fine to follow OpenID links and type in passwords.
So, homework for today - can someone tell me in simple terms:
- if there is something wrong with my simple interpretation of the phishing problem, or if it is in fact real ?
- What I should be doing if I were to create a website that wants to use OpenID, and I actually care about my users ?
Too much of all of this discussion around OpenID focuses around whether or not it's OpenID's job to solve this problem, whether it is insecure, whether it promotes phishing, and so on. But none of the discussion focuses on what you should actually *do* when you care about making it easy for people to use your site while keeping security good enough.
Someone smart on the topic care to tell me what I should be doing as a website maker, and as a potential OpenID user on other websites ?