27

I've been wondering. Since anybody can start an OpenID provider, and since there is no central authority that approves OpenID providers, why won't fake OpenID providers become a problem?

For example, a spammer could start an OpenID provider with a backdoor to let himself authenticate as any other user that was tricked into registering on his site. Is this possible? Is the provider's reputation the only thing that prevents this? Are we going to see OpenID provider blacklists and OpenID provider review sites in the future?

Probably I don't understand something about OpenID completely. Please enlighten me :)

amarillion

8 Answers

16

It'd be pretty much the same as having a "fake" email provider that would hijack users' confirmation emails etc. Only the reputation is preventing that. People do register on gmail.com or hotmail.com, but do not register on joesixpack.org.

vartec
  • But they do register disposable e-mails on mailinator.com, and I'm looking myself for a disposable openid provider; I need register on a crappy site that requires openId, and I really don't care to register under my "real" G-account or FB. – dan3 Jun 19 '13 at 08:33
16

OpenID is NOT an intrinsically safe protocol - it doesn't have the power to force a rogue provider to provide security, nor does it 'vet' each provider to ensure they are secure.

OpenID is a mechanism whereby you can store your credentials with a trusted provider, and they will then verify you to others.

If you choose an untrustworthy provider, they can see and use everything you might use your credentials for.

OpenID is not a replacement for trust.

-Adam

Adam Davis
  • But isn't an implicit trust required for the system to work? If I accept Google and Yahoo OpenID credentials, and one of them becomes untrustworthy, then aren't I now in a situation where I cannot trust that my users are who they say they are? – duffbeer703 May 11 '09 at 20:09
  • 1
    OpenID isn't meant to verify that the user is anything to the client website. All it does is say, "The person that is signing in now is the same person that set up the -username- OpenID account here", which can be useful for centralized username/password tracking, but doesn't guarantee you anything about that user - merely that they had the appropriate credentials such that the OpenID provider is suitably convinced it's them. – Adam Davis May 11 '09 at 20:23
  • I am using the openid as a unique identifying string. Is there any possibility of a rogue provider giving me the same openid as some legit user on another provider, say Yahoo? – Jus12 Oct 25 '13 at 20:54
9

Jeff has a very nice (and lengthy) weblog post on this topic. If it doesn't answer your questions, it will certainly enlighten you. The comments also lead to very illustrative articles. Highly recommended.

2

There are some similar questions on stackoverflow.com that you might find interesting.

David Webb
0

The only way I can see a "rogue" OpenID server being a problem isn't a web application security problem so much. What you are doing though is providing one website with your Identity. They tell people you are who you are, but they also have access to it. If a malicious person sets up an OpenID server and people start to use it, the owner of the malicious service could impersonate anybody using their server.

The question comes down to: do you trust the owners of your OpenID server?

TrueDuality
0

My problem with OpenID in general is that it's new and there aren't any standards (that I've heard about anywhere anyway) that define what makes a "good" OpenID provider. For credit card data, there's PCI-DSS standards for managing credit card info -- but no equivalent for identity.

Granted, it's a new technology that is generally used for applications with minimal "trust" requirements. But on sites like ServerFault, I think that you need a level of trust that's greater than that of a blog, but less than that of bank or online broker.

duffbeer703
  • One potential framework for evaluating the suitability of an OpenID provider for your security needs is the Liberty Identity Assurance Framework, but there's currently very little awareness of this in the OpenID marketplace. http://www.projectliberty.org/strategic_initiatives/identity_assurance – keturn Aug 14 '09 at 19:44
0

Adding to previous answers. Don't know yet about OpenID blacklists, but there is a volunteer initiative on OpenID whitelists. That whitelist is a distributed technology (just like e-mail, DNS, HTTPS certs); there is no single point of failure, there is no single point of trust. You may trust some guy's whitelist, and he can fake it.

There is an opinion that those whitelists must be extended to provide more information (not to anybody, of course), like user activity, number of posts, number of warnings from moderators, etc. Since OpenID is a global identity, that would help to almost instantly spread information like "this user is a spammer", which would force spammers to always use a new id. Imagine that 1000 reputation on ServerFault makes you as well trusted a user on thousands of other websites.

temoto
-2

To those who think OpenId consumers should let any OpenId provider be an authenticator, that's just crazy talk. Let's say you have a list of authorized users based on an email passed from openid providers. Some rogue person sets up their own OpenId provider service and knows the email of one of your previously authorized users. That rogue person could then 'authenticate' himself as your accepted user.

If you are trying to secure with openId, you must have a white list of providers you trust, otherwise you're pretty much wide open to anybody who knows how to set up a provider service.

  • 3
    Your answer is incorrect. That's not how OpenID works. The OpenID provider does not pass the user's email address back to the site as the username. – longneck Feb 05 '13 at 16:45
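Added example, not from any of the answers above: the relying-party checks that the provider whitelist discussion and Jus12's collision question point at, written as a small Python relying party. It keys the local account on the claimed identifier (never on an email field), accepts only OP endpoints on an allowlist, requires that the endpoint actually be authoritative for that identifier, and checks the OpenID 2.0 HMAC signature. All endpoints, identifiers, the discovery table and the association secrets are constructed stand-ins so the code runs offline.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed allowlist: the only OP endpoints this relying party accepts.
TRUSTED_OP_ENDPOINTS = {"https://op-a.example/auth", "https://op-b.example/auth"}
# Constructed stand-in for discovery: which OP endpoint is authoritative for
# a claimed identifier (a real RP fetches this via Yadis/HTML discovery).
DISCOVERY = {
    "https://alice.op-a.example/": "https://op-a.example/auth",
    "https://rogue.example/alice": "https://rogue.example/auth",
}
# Constructed association secrets, one per OP endpoint; a real RP obtains
# these through the association handshake with that endpoint.
ASSOC_SECRETS = {"https://op-a.example/auth": b"constructed-secret-for-op-a"}

def normalize(identifier):
    """Canonicalize a claimed identifier: lowercase scheme/host, '/' default path."""
    p = urlparse(identifier.strip())
    query = f"?{p.query}" if p.query else ""
    return f"{(p.scheme or 'http').lower()}://{p.netloc.lower()}{p.path or '/'}{query}"

def kv_form(assertion):
    """Key-value encoding of the signed fields, as OpenID 2.0 signs them."""
    names = assertion["openid.signed"].split(",")
    return "".join(f"{n}:{assertion['openid.' + n]}\n" for n in names).encode()

def sign(assertion, secret):
    """OP side: HMAC-SHA256 over the signed fields, base64-encoded."""
    mac = hmac.new(secret, kv_form(assertion), hashlib.sha256).digest()
    return {**assertion, "openid.sig": base64.b64encode(mac).decode()}

def verify_assertion(assertion):
    """RP side: return the account key (the claimed identifier) or None.
    Identity is keyed on claimed_id, never on an email or sreg field."""
    endpoint = assertion.get("openid.op_endpoint", "")
    if endpoint not in TRUSTED_OP_ENDPOINTS:
        return None  # provider not on the allowlist
    claimed = normalize(assertion.get("openid.claimed_id", ""))
    if DISCOVERY.get(claimed) != endpoint:
        return None  # this endpoint is not authoritative for that identifier
    secret = ASSOC_SECRETS.get(endpoint)
    if secret is None:
        return None  # no association with this endpoint
    expected = sign(assertion, secret)["openid.sig"]
    if not hmac.compare_digest(expected, assertion.get("openid.sig", "")):
        return None  # signature does not verify: forged or tampered
    return claimed
```

Because a claimed identifier is a URL and the RP confirms through discovery which endpoint owns it, a provider on a different host cannot assert another provider's identifier even if it is on the allowlist.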