Security Software Upgrades IT

OpenID Warns of Serious Remote Bug, Urges Upgrade

Trailrunner7 writes "The OpenID Foundation is warning users about a weakness in the software that could enable an attacker to change some of the data exchanged between parties that use OpenID. The group is telling sites that implement OpenID to update to a new version in order to fix the problem. The bug in OpenID lies in the system's Attribute Exchange, an extension that gives sites the ability to exchange identity information between endpoints. OpenID, an open source project that enables users to prove their identity to myriad sites without providing their passwords, is used by a slew of popular sites, including Google, Yahoo and Flickr."
  • RTF linked post (Score:4, Informative)

    by Anonymous Coward on Saturday May 07, 2011 @08:42AM (#36055800)

    http://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/5/5/Researchers-find-OpenID-vulnerability-sites-patch-hole

    This only affects sites that use OpenID's AttributeExchange. If you just use it for authentication (and use the relying party's claimed identifier as the protocol advises) you are not/never were vulnerable.
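The comment above says the bug only matters to sites that consume Attribute Exchange data, and the story says an attacker could change data passed between the parties. On the relying-party side the invariant that makes such tampering harmless is simple: a field from an OpenID 2.0 positive assertion may be trusted only if its key appears in `openid.signed` and the signature verifies over exactly those keys. The following is an added example, not code from this thread or from the OpenID libraries; it builds constructed `id_res` responses (the endpoint URLs, association handle, nonce and MAC key are all made up) and contrasts a naive attribute read with one that refuses unsigned AX values.

```python
"""Relying-party side checks for an OpenID 2.0 positive assertion.

Added illustration, not the OpenID Foundation's or any library's code.
Assumes an HMAC-SHA256 association whose MAC key the RP already holds and
a response handed over as a dict of query parameters. No discovery or
network traffic is performed; every value below is constructed.
"""
import base64
import hashlib
import hmac

MAC_KEY = b"0123456789abcdef0123456789abcdef"  # constructed association key

# OpenID 2.0 section 10.1: these keys MUST be covered by the signature.
MANDATORY_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def kv_form(fields, signed_keys):
    """Key-Value Form over the signed keys (keys without the openid. prefix)."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)


def sign(fields, signed_keys, mac_key=MAC_KEY):
    """Base64(HMAC-SHA256(key, kv_form)) as the OP would compute it."""
    mac = hmac.new(mac_key, kv_form(fields, signed_keys).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_response(claimed_id, email, sign_ax):
    """Constructed OP response carrying one AX attribute (email).

    sign_ax=False mimics a provider that leaves the ax.* fields out of
    openid.signed, so an attacker can rewrite them without breaking the sig.
    """
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2011-05-07T08:42:00ZxyzQ",
        "openid.assoc_handle": "assoc-1",
        "openid.ns.ax": "http://openid.net/srv/ax/1.0",
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": email,
    }
    signed = ["op_endpoint", "claimed_id", "identity",
              "return_to", "response_nonce", "assoc_handle"]
    if sign_ax:
        signed += ["ns.ax", "ax.mode", "ax.type.email", "ax.value.email"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed)
    return fields


def verify_assertion(fields, mac_key=MAC_KEY):
    """Return (ok, reason) for the assertion's signature and coverage."""
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = fields.get("openid.signed", "").split(",")
    if not MANDATORY_SIGNED <= set(signed):
        return False, "a mandatory field is not covered by the signature"
    if any("openid." + k not in fields for k in signed):
        return False, "openid.signed names a field that is absent"
    if not hmac.compare_digest(sign(fields, signed, mac_key), fields.get("openid.sig", "")):
        return False, "bad signature"
    return True, "ok"


def unsigned_attribute(fields, alias):
    """Naive read: trust openid.ax.value.<alias> whether signed or not."""
    return fields.get(f"openid.ax.value.{alias}")


def signed_attribute(fields, alias):
    """Return the attribute only if its namespace, type and value keys are all
    inside openid.signed (call verify_assertion first). Otherwise None."""
    signed = set(fields.get("openid.signed", "").split(","))
    needed = {"ns.ax", f"ax.type.{alias}", f"ax.value.{alias}"}
    if not needed <= signed:
        return None
    return fields[f"openid.ax.value.{alias}"]


if __name__ == "__main__":
    weak = build_response("https://op.example/alice", "alice@example.org", sign_ax=False)
    weak["openid.ax.value.email"] = "mallory@example.org"  # attacker edit in transit
    print(verify_assertion(weak))              # (True, 'ok'): sig still valid
    print(unsigned_attribute(weak, "email"))   # mallory@example.org: naive RP fooled
    print(signed_attribute(weak, "email"))     # None: hardened RP refuses it
```

The `weak` case is the one to keep in mind: the signature still verifies because the attacker only touched fields the provider never signed, so an RP that merely checks `openid.sig` and then reads `openid.ax.value.email` accepts the attacker's address. Checking membership in `openid.signed` for every attribute actually consumed, not just for the identifier, closes that gap regardless of which library produced the response.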

  • by Anonymous Coward on Saturday May 07, 2011 @09:06AM (#36055876)

    Given the average software developer's attention to security and the average company's attitude towards security, would you rather:

    -Deal with the hassle of creating a new password for each site (possibly with some per-site algorithm, that with enough compromises, could be deduced), and the associated inconvenience of remembering them all

    or:

    -Put all your eggs in one basket with an OpenID provider that *does* take security seriously (Google, Yahoo, etc. can function as OpenID relying parties - and you can also use two factor authentication with Google now), so that basket is extremely well protected, and dodge the issue of giving random sites on the internet a password entirely?

  • by meba ( 2025382 ) on Saturday May 07, 2011 @09:29AM (#36055950)
    There are ways... You can for example get a Yubi Key: http://www.yubico.com/yubikey [yubico.com], then get your own Drupal based OpenID provider: http://drupal.org/project/openid_provider [drupal.org] and use http://drupal.org/project/yubikey [drupal.org] module. Result? You host your own OpenID provider and every time you want to use it, you need to have the Yubi Key - no one can steal your identity unless he steals your USB Key and your OTP
  • by SuperQ ( 431 ) * on Saturday May 07, 2011 @10:24AM (#36056148)

    Then you don't understand the concept.

    OpenID allows you to keep your password AWAY from various sites. For example if I wanted to login to slashdot I can use any OpenID provider I want. This means that slashdot never gets my password. Slashdot gets a just-for-it token that my OpenID provider gives. If slashdot gets broken, no big deal that token can't be used for anything else, and my password is never released.

    Guess what, I run my own OpenID provider so the only one to blame for loss of my authentication is myself. My own server is the only thing that gets the password and that exchange is done entirely over SSL.
