What are the dangers of using OpenID for your website?

Submitted by 这一生的挚爱 on 2019-12-30 03:01:10

Question


Let's say I create a website like StackOverflow and decide to use OpenID. What's to prevent me, or anyone else for that matter, from phishing the IDs? That is, how can you truly know that any website is using OpenID and not pretending to? And how do you protect yourself against this?

Expanding on this, let's say one site did compromise your OpenID credentials, couldn't they use it on every other site using OpenID (a global password hack)? Wouldn't the security of your OpenID then only be as strong as the weakest website/provider?


Answer 1:


All you enter is the ID, no password. The ID is public, therefore "phishing" it is not a security hole. Some providers even use the same ID for all users, for instance the ID for a Google account is always https://www.google.com/accounts/o8/id. See the Wikipedia article for a more detailed explanation.




Answer 2:


For users who know very little about how OpenID works, you could create a few spoof pages that look like the websites their OpenID is for (like, say, any of the free email providers that handle OpenID). If they forget to check the domain they're on before filling in their username and password, then evildomain now has their OpenID username and password.

On the server side, you're relying on external sites for identity verification. So, if there turns out to be a hole in provider XYZ's OpenID authentication form that lets the password "swordfish" work on any account, anyone can impersonate users from that provider anywhere that accepts OpenID.

allesklar made a good point while I was typing this that segues nicely to my last point: If you mix local and remote users, you suddenly need two ban lists instead of one; the second ban list for "bad" OpenID providers set up by people to create batches of accounts... or ones that automatically authorize any account name given to them.




Answer 3:


When someone puts in an OpenID at your site, you authenticate the user by asking the site where the user's OpenID lives (and only that site) if this user is okay. AOL can't validate a Yahoo OpenID, for example.

If the user is not already authenticated at that site, authentication fails and you need to redirect to that site's login page. A real authentication still needs to happen, but it always happens with the OpenID provider for that user. As a user, you are protected because you should only ever see the login page you are familiar with. A malicious site will have a hard time siphoning OpenID credentials, because users never give those sites their passwords directly.

Once the user is authenticated with their provider (or if they are from the get-go), the provider will report this to your web site. What changes for OpenID is that your site now needs to trust certain other sites, that they will accurately report status for their users.

Someone could set up a "malicious" OpenID provider, and try to skim off new IDs that way, but that's between a user and the provider. Since this authentication is all about reputation, the idea is that such a provider wouldn't stay in business for long. If nothing else, sites could blacklist those providers. A malicious provider would not be able to impersonate OpenIDs that are registered with other providers.

Another possibility for a malicious provider is to set up an OpenID service that simply always confirms any ID passed to it for authentication (or allows an administrator to set up a back door for its users). However, that would only affect users that registered with that provider. Again, sites could blacklist these providers, and as they bank on reputation the idea that it wouldn't stay in business long still holds.
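The relying-party side of what this answer describes, as an added example that is not from the original thread: discovery ties the claimed identifier to exactly one provider endpoint, the returned assertion is only accepted if it came from that endpoint and carries a valid association signature, and a provider ban list rejects providers the site no longer trusts. The discovery table, the provider hostnames, the association handle and secret, and the nonce are all constructed for this demo; OpenID 2.0 HMAC signing over the `openid.signed` fields is real, but no network discovery or association handshake is performed here.

```python
import base64, hashlib, hmac
from urllib.parse import urlparse
# Constructed stand-in for Yadis/HTML discovery: claimed identifier -> OP endpoint URL.
DISCOVERY = {
    "https://alice.example-provider.test/": "https://example-provider.test/openid/server",
    "https://bob.rogue-provider.test/": "https://rogue-provider.test/openid/server",
}
# The relying party's ban list for providers it refuses to trust.
DENIED_PROVIDERS = {"rogue-provider.test"}
# Constructed association secret keyed by (OP endpoint, handle); real RPs get it from the association handshake.
ASSOCIATIONS = {("https://example-provider.test/openid/server", "hdl-1"): b"constructed-secret-1"}

def _signature(params, secret):
    # OpenID 2.0 signs "field:value\n" for each name listed in openid.signed (HMAC-SHA256 association).
    msg = "".join(f"{f}:{params['openid.' + f]}\n" for f in params["openid.signed"].split(","))
    return base64.b64encode(hmac.new(secret, msg.encode(), hashlib.sha256).digest()).decode()

def build_assertion(op_endpoint, handle, secret, claimed_id):
    """Constructed positive assertion, as a provider would send it to the RP's return_to URL."""
    params = {
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": "https://rp.test/openid/return",
        "openid.response_nonce": "2019-12-30T03:01:10Zabc",
        "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = _signature(params, secret)
    return params

def verify_assertion(claimed_id, params):
    """Return (accepted, reason) for an assertion received for the identifier the user typed."""
    op_endpoint = DISCOVERY.get(claimed_id)
    if op_endpoint is None:
        return False, "discovery failed"
    if urlparse(op_endpoint).hostname in DENIED_PROVIDERS:
        return False, "provider is deny-listed"
    # Only the provider found by discovery may vouch for this identifier.
    if params.get("openid.op_endpoint") != op_endpoint:
        return False, "assertion not from the discovered provider"
    if params.get("openid.claimed_id") != claimed_id:
        return False, "claimed identifier mismatch"
    secret = ASSOCIATIONS.get((op_endpoint, params.get("openid.assoc_handle")))
    if secret is None:
        return False, "unknown association handle"
    if not hmac.compare_digest(_signature(params, secret), params.get("openid.sig", "")):
        return False, "bad signature"
    return True, "ok"
```

A production relying party would additionally record each `openid.response_nonce` to reject replays and check that `openid.return_to` matches its own URL.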




Answer 4:


The OpenID system is very secure and gaining a lot of ground because of it.

The main downside I see is that if the OpenID provider of many of your users goes under, these users will be locked out of your site. Hence you should have a username/password backup plan, store their email address after validating it so that you can send them a password in case of emergency/catastrophe.




Answer 5:


Funny story. I found an exploit on SO that allowed me to change someone's profile entirely. If Jeff'd been using email+password, I could have owned his account, but because SO uses OpenID, there was nothing to do but change his Gravatar to something funny.

The bug in question was reported, fixed, and I'm still waiting on my Hacker badge. :P




Answer 6:


The key here that scares me is not just owning his account on one website, but every website that uses OpenID!!!



Source: https://stackoverflow.com/questions/318677/what-are-the-dangers-of-using-openid-for-your-website
