OpenID Warns of Serious Remote Bug, Urges Upgrade
Trailrunner7 writes "The OpenID Foundation is warning users about a weakness in the software that could enable an attacker to change some of the data exchanged between parties that use OpenID. The group is telling sites that implement OpenID to update to a new version in order to fix the problem. The bug in OpenID lies in the system's Attribute Exchange, an extension that gives sites the ability to exchange identity information between endpoints. OpenID, an open source project that enables users to prove their identity to myriad sites without providing their passwords, is used by a slew of popular sites, including Google, Yahoo and Flickr."
RTF linked post (Score:4, Informative)
http://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/5/5/Researchers-find-OpenID-vulnerability-sites-patch-hole
This only affects sites that use OpenID's AttributeExchange. If you just use it for authentication (and use the relying party's claimed identifier as the protocol advises) you are not/never were vulnerable.
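To make the distinction in the post above concrete, here is an added example (not code from the OpenID project, from Ping Identity, or from anyone in this thread) of a relying party checking an OpenID 2.0 positive assertion. It assumes the weakness is that Attribute Exchange values are trusted even when they are not listed in openid.signed, and it uses the HMAC-SHA256, key-value-form signature of OpenID Authentication 2.0 section 6.1. The association key, identifiers and attribute values are constructed for the example.

```python
"""Relying-party side: verify an OpenID 2.0 assertion and decide which
Attribute Exchange (AX) values may be trusted.

Added example, not the OpenID project's own code. Assumptions: the
signature is HMAC-SHA256 over the key-value form of the fields named in
openid.signed (OpenID 2.0 section 6.1), and the bug under discussion is
an RP accepting AX values that the signature does not cover.
"""
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"


def kv_form(params, signed_keys):
    """Key-value form: 'key:value\\n' per signed field, 'openid.' prefix
    removed, in the order given by openid.signed."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_keys)


def compute_sig(params, mac_key):
    signed_keys = params["openid.signed"].split(",")
    digest = hmac.new(mac_key, kv_form(params, signed_keys).encode(),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_signature(params, mac_key):
    """Return the signed field names, or raise if openid.sig is wrong."""
    if not hmac.compare_digest(compute_sig(params, mac_key), params["openid.sig"]):
        raise ValueError("openid.sig does not match the signed fields")
    return params["openid.signed"].split(",")


def ax_alias(params):
    """Find the alias under which the AX namespace was declared."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def ax_values_unchecked(params):
    """Pre-fix behaviour: every AX value in the response is trusted,
    whether or not the provider signed it."""
    alias = ax_alias(params)
    if alias is None:
        return {}
    prefix = f"openid.{alias}.value."
    return {k[len(prefix):]: v for k, v in params.items() if k.startswith(prefix)}


def ax_values_signed(params, mac_key):
    """Hardened: verify the signature, then keep only AX values whose keys,
    and the namespace declaration itself, are covered by openid.signed."""
    signed = set(verify_signature(params, mac_key))
    alias = ax_alias(params)
    if alias is None or f"ns.{alias}" not in signed:
        return {}
    prefix = f"openid.{alias}.value."
    return {k[len(prefix):]: v for k, v in params.items()
            if k.startswith(prefix) and k[len("openid."):] in signed}


# Constructed sample data: a made-up association key and a provider
# assertion carrying one signed AX attribute (the user's email).
MAC_KEY = b"example-association-mac-key"


def provider_assertion():
    p = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://alice.example/",
        "openid.identity": "https://alice.example/",
        "openid.return_to": "https://rp.example/finish",
        "openid.response_nonce": "2011-05-05T12:00:00Znonce1",
        "openid.assoc_handle": "assoc-1",
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": "alice@example.org",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle,ns.ax,ax.mode,"
                         "ax.type.email,ax.value.email",
    }
    p["openid.sig"] = compute_sig(p, MAC_KEY)
    return p


def tampered_assertion():
    """The same assertion after whoever carries it to the return_to URL
    (the user's own browser, or a man in the middle) appends a second
    email-typed attribute. openid.sig still verifies: the added keys are
    not in openid.signed, so they are simply outside the signed data."""
    p = dict(provider_assertion())
    p["openid.ax.type.ext1"] = "http://axschema.org/contact/email"
    p["openid.ax.value.ext1"] = "attacker@evil.example"
    return p


def rejects_modified_signed_field():
    """Changing a signed value must break the signature."""
    p = dict(provider_assertion())
    p["openid.ax.value.email"] = "attacker@evil.example"
    try:
        verify_signature(p, MAC_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unchecked:", ax_values_unchecked(tampered_assertion()))
    print("signed only:", ax_values_signed(tampered_assertion(), MAC_KEY))
```

The point of the tampered case is that a correct signature check alone is not enough: the signature passes, and only the additional rule "trust no AX key that openid.signed does not name" removes the injected attribute. A real RP also has to check return_to, the response nonce and that op_endpoint matches discovery; those checks are outside this example.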
Re:The concept of OpenID doesn't seem very secure (Score:2, Informative)
Given the average software developer's attention to security and the average company's attitude towards security, would you rather:
-Deal with the hassle of creating a new password for each site (possibly with some per-site algorithm, that with enough compromises, could be deduced), and the associated inconvenience of remembering them all
or:
-Put all your eggs in one basket with an OpenID provider that *does* take security seriously (Google, Yahoo, etc. can function as OpenID relying parties - and you can also use two factor authentication with Google now), so that basket is extremely well protected, and dodge the issue of giving random sites on the internet a password entirely?
Re:The concept of OpenID doesn't seem very secure (Score:5, Informative)
Then you don't understand the concept.
OpenID allows you to keep your password AWAY from various sites. For example, if I wanted to log in to slashdot I can use any OpenID provider I want. This means that slashdot never gets my password. Slashdot gets a just-for-it token that my OpenID provider gives. If slashdot gets broken, no big deal: that token can't be used for anything else, and my password is never released.
Guess what, I run my own OpenID provider, so the only one to blame for loss of my authentication is myself. My own server is the only thing that gets the password, and that exchange is done entirely over SSL.