tags:

views:

470

answers:

6

Let's say I create a website like StackOverflow and decide to use OpenID. What's to prevent me, or anyone else for that matter, from phishing the IDs? That is, how can you truly know that any website is using OpenID and not pretending to? And how do I protect myself against this?

Expanding on this, let's say one site did compromise your OpenID credentials; couldn't they use it on every other site using OpenID (a global password hack)? Wouldn't the security of your OpenID then only be as strong as the weakest website/provider?

+4  A: 

All you enter is the ID, no password. The ID is public, therefore "phishing" it is not a security hole. See the Wikipedia article for a more detailed explanation.

phihag
+4  A: 

When someone puts in an open ID at your site, you authenticate the user by going to the site where the user's open id lives (and only that site) and asking it if this user is okay. AOL can't validate a flickr open id, for example.

If the user is not currently authenticated at that site, authentication fails and you need to redirect to that site's login page. A real authentication still needs to happen.

So what changes for open id is that your site now needs to trust certain other sites- that they will accurately report status for their users.

Someone could set up a "malicious" open id provider, and try to skim off new ids that way, but that's between a user and the provider and such a provider wouldn't last long. A malicious provider would not be able to impersonate open ids that are registered with other providers.

A provider could also just always confirm any id passed to it for authentication. However, that would only affect users that registered with that provider. Any id registered with such a provider would be wide open, but if you use a different provider you would not be vulnerable. Again: such a provider wouldn't last long.

Joel Coehoorn
A: 

The OpenID system is very secure and is gaining a lot of ground because of it.

The main downside I see is that if the OpenID provider of many of your users goes under, these users will be locked out of your site. Hence you should have a username/password backup plan, store their email address after validating it so that you can send them a password in case of emergency/catastrophe.

allesklar
or at least an email, so the site can send you a link for a new signup
scunliffe
+3  A: 

For users who know very little about how OpenID works, you could create a few spoof pages that look like the websites their OpenID is for (like, say, any of the free email providers that handle OpenID). If they forget to check the domain they're on before filling in their username and password, then evildomain now has their OpenID username and password.

On the server side, you're relying on external sites for identity verification. So, if there turns out to be a hole in provider XYZ's OpenID authentication form that lets the password "swordfish" work on any account, anyone can impersonate users from that provider anywhere that accepts OpenID.

allesklar made a good point while I was typing this that segues nicely to my last point: If you mix local and remote users, you suddenly need two ban lists instead of one; the second ban list for "bad" OpenID providers set up by people to create batches of accounts... or ones that automatically authorize any account name given to them.

R. Bemrose
In your comment: "... you could create a few spoof pages that look like the websites their OpenID is for)." Isn't that exactly what would happen? If it goes mainstream, most people won't have a clue what's legit and what's not. Even today most people don't really understand SSL certs...
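To make the relying-party side of the two answers above concrete (the site only asks the provider that discovery names for the claimed identifier, a rogue provider can vouch only for its own users, and the site keeps its own ban list of providers), here is an added simulation of an OpenID 2.0 style check. It is example code written for this page, not code from StackOverflow or any OpenID library. The provider names, endpoints, users, passwords and association secrets are all constructed; discovery is a lookup table instead of a real Yadis/HTML fetch, and the association secret is handed over directly instead of via the Diffie-Hellman exchange the protocol uses. The signature format ("key:value\n" over the fields listed in `signed`, MAC'd with the association key) follows the shape of the real protocol.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed discovery results: claimed identifier -> OpenID Provider (OP)
# endpoint. A real relying party (RP) learns this by fetching the identifier.
ALICE = "https://alice.example-provider.test/"
BOB = "https://bob.evil-provider.test/"
DISCOVERY = {
    ALICE: "https://example-provider.test/op",
    BOB: "https://evil-provider.test/op",
}

# Fields the RP insists are covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity",
                   "return_to", "response_nonce", "assoc_handle"}


def sign(mac_key, fields):
    """MAC over 'key:value\\n' for every key named in fields['signed']."""
    data = "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(","))
    mac = hmac.new(mac_key, data.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class Provider:
    """Toy OP: checks a password and signs a positive assertion."""

    def __init__(self, endpoint, accept_anyone=False):
        self.endpoint = endpoint
        self.accept_anyone = accept_anyone      # the "confirm any id" OP
        self.users = {}                         # claimed_id -> password
        self.assoc_handle = "assoc-" + secrets.token_hex(4)
        self.mac_key = secrets.token_bytes(32)  # shared with the RP

    def login(self, claimed_id, password):
        return self.accept_anyone or self.users.get(claimed_id) == password

    def assert_identity(self, claimed_id, return_to):
        fields = {
            "op_endpoint": self.endpoint,
            "claimed_id": claimed_id,
            "identity": claimed_id,
            "return_to": return_to,
            "response_nonce": secrets.token_hex(8),
            "assoc_handle": self.assoc_handle,
        }
        fields["signed"] = ",".join(fields)
        fields["sig"] = sign(self.mac_key, fields)
        return fields


class RelyingParty:
    """Toy RP: verifies an assertion against discovery and its associations."""

    def __init__(self, return_to, blocked_providers=()):
        self.return_to = return_to
        self.blocked = set(blocked_providers)   # the "bad provider" ban list
        self.associations = {}                  # op_endpoint -> (handle, key)
        self.seen_nonces = set()

    def associate(self, provider):
        self.associations[provider.endpoint] = (provider.assoc_handle,
                                                provider.mac_key)

    def verify(self, a):
        # Only the OP that discovery names for this identifier may vouch for
        # it, so a rogue OP cannot assert someone else's identity.
        op = DISCOVERY.get(a["claimed_id"])
        if op is None or a["op_endpoint"] != op:
            return False, "op_endpoint does not match discovery"
        if op in self.blocked:
            return False, "provider is on the ban list"
        if a["return_to"] != self.return_to:
            return False, "return_to mismatch"
        assoc = self.associations.get(op)
        if assoc is None or assoc[0] != a["assoc_handle"]:
            return False, "unknown association handle"
        if not REQUIRED_SIGNED <= set(a["signed"].split(",")):
            return False, "required fields not covered by signature"
        if not hmac.compare_digest(sign(assoc[1], a), a["sig"]):
            return False, "bad signature"
        if a["response_nonce"] in self.seen_nonces:
            return False, "replayed assertion"
        self.seen_nonces.add(a["response_nonce"])
        return True, a["claimed_id"]


def demo():
    good = Provider(DISCOVERY[ALICE])
    good.users[ALICE] = "correct horse"          # constructed password
    evil = Provider(DISCOVERY[BOB], accept_anyone=True)
    rp = RelyingParty("https://stack-like-site.test/openid/return")
    rp.associate(good)
    rp.associate(evil)
    r = {}
    first = good.assert_identity(ALICE, rp.return_to)
    r["alice_ok"] = good.login(ALICE, "correct horse") and rp.verify(first)[0]
    r["alice_wrong_pw"] = good.login(ALICE, "guess")   # OP never signs
    r["replay"] = rp.verify(first)[0]                  # same nonce again
    # Evil OP "confirms" Alice: discovery says another OP owns that id.
    r["evil_claims_alice"] = rp.verify(evil.assert_identity(ALICE, rp.return_to))[0]
    # Evil OP forges the good OP's endpoint/handle: it lacks the MAC key.
    forged = evil.assert_identity(ALICE, rp.return_to)
    forged["op_endpoint"], forged["assoc_handle"] = good.endpoint, good.assoc_handle
    r["evil_forges_endpoint"] = rp.verify(forged)[0]
    # Evil OP vouching for its own user is valid protocol-wise...
    r["evil_own_user"] = rp.verify(evil.assert_identity(BOB, rp.return_to))[0]
    # ...until the RP bans that provider.
    banned = RelyingParty(rp.return_to, blocked_providers=[evil.endpoint])
    banned.associate(evil)
    r["evil_own_user_banned"] = banned.verify(evil.assert_identity(BOB, rp.return_to))[0]
    # Tampering with a signed field after the OP signed it breaks the MAC.
    tampered = good.assert_identity(ALICE, rp.return_to)
    tampered["identity"] = "https://admin.example-provider.test/"
    r["tampered"] = rp.verify(tampered)[0]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check order is deliberate: discovery binds the claimed identifier to one endpoint before any cryptography runs, so a provider that "accepts anyone" only ever wins for identifiers it is authoritative for, and the ban list sits with the relying party, not with the protocol.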
A: 

Funny story. I found an exploit on SO that allowed me to change someone's profile entirely. If Jeff'd been using email+password, I could have owned his account, but because SO uses OpenID, there was nothing to do but change his Gravatar to something funny.

The bug in question was reported, fixed, and I'm still waiting on my Hacker badge. :P

Patrick
A: 

The key thing here that scares me is that it's not just owning his account on one website, but on every website that uses OpenID!!!

In order to own his OpenID account, I'd need to own his OpenID provider, which, depending on who it is, may be a quite difficult task. It's also worth noting that most people use the same email+password combo on many websites. It'd have been about the same end result had I gotten his credentials here.
Patrick
Couldn't you just put up a fake website that pretended to validate against this provider. Then you'd own his information...
Assuming he visited it of course ;)
Please set up a website where you think you can convince me that it's the actual myVidoop site. Hint: they don't use a usual username/password for authentication.
ahockley
First you'd have to put up the fake site, then convince StackOverflow to go to that fake site instead of the real one, and then convince the user to ignore the fact that normally their browser fills in the userid and password and fill them in manually...
Paul Tomblin