views: 134
answers: 2

What are the security flaws of OpenID?

+3  A: 

I don't know about flaws as such, but there are still some risks...

  • An attacker who gains access to your account at an OpenID provider may gain access to any site where you used that account to identify yourself. In this particular regard, re-using the same OpenID account for multiple sites has the same single point of failure as if you had re-used the same password across multiple sites and that password is compromised.

  • OpenID relies on the OpenID provider's DNS never to fall out of control of a trusted party or to be compromised in any way. If your OpenID provider goes out of business and their domain drops, then an attacker could take over that domain and gain access to any site at which you used that OpenID. Obviously if this is a major provider like Google or MyOpenID then this is less of a problem because they'll hold onto that domain, but this is something to watch out for with smaller providers, particularly blogs and the like which use delegation, where the service could just shut down in future, or they could terminate your account and re-allocate the address to someone else. And if you use delegation on your own domain name, you'd better ensure that you can't be hacked and you retain control of that domain name forever.

thomasrutter
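The second risk in the answer above (a delegation URL or provider domain changing hands) follows from how an OpenID 2.0 relying party discovers the provider: it fetches the claimed identifier URL and trusts whatever `<link rel="openid2.provider">` / `<link rel="openid2.local_id">` it finds there. The following is an added example, not code from the original answer or from any OpenID library; the HTML pages and hostnames (`alice-blog.test`, `example-provider.test`, `op.attacker.test`) are constructed for the illustration. It performs that HTML-based discovery and shows that once someone else controls the page, the relying party is pointed at a provider of the attacker's choosing without any change on the relying party's side.

```python
"""OpenID 2.0 HTML-based discovery, and why control of the claimed-identifier
URL is all a new domain owner needs.

Added example, not code from the original Q&A page. The HTML below is
constructed for the demonstration and the hostnames are hypothetical.
"""
from html.parser import HTMLParser
from typing import Dict, Optional


class _OpenIDLinkParser(HTMLParser):
    """Collect <link rel=... href=...> tags from a claimed-identifier page."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            # rel may carry several space-separated tokens; keep the first href per token
            for token in rel.split():
                self.links.setdefault(token.lower(), href)


def discover(claimed_url: str, html: str) -> Optional[Dict[str, str]]:
    """Derive the OP endpoint and local identifier the way an OpenID 2.0
    relying party does from the HTML of the claimed identifier URL.

    openid2.provider / openid2.local_id are the OpenID 2.0 link relations;
    openid.server / openid.delegate are the OpenID 1.1 names used as fallback.
    If no local_id is delegated, the claimed URL itself is the identifier at
    the OP. Returns None when the page advertises no provider at all.
    """
    parser = _OpenIDLinkParser()
    parser.feed(html)
    links = parser.links
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    if endpoint is None:
        return None
    local_id = links.get("openid2.local_id") or links.get("openid.delegate") or claimed_url
    return {"endpoint": endpoint, "local_id": local_id}


def provider_changed(claimed_url: str, html_before: str, html_after: str) -> bool:
    """True if the same claimed URL now resolves to a different OP endpoint,
    i.e. the relying party would start talking to a different provider."""
    before = discover(claimed_url, html_before)
    after = discover(claimed_url, html_after)
    return (before or {}).get("endpoint") != (after or {}).get("endpoint")


# Constructed page served at https://alice-blog.test/ while Alice owns the domain.
PAGE_BEFORE = """<html><head>
<link rel="openid2.provider" href="https://openid.example-provider.test/server">
<link rel="openid2.local_id" href="https://alice.example-provider.test/">
</head><body>Alice's blog</body></html>"""

# Constructed page at the same URL after the domain lapsed and was re-registered:
# the new owner points delegation at a provider they control.
PAGE_AFTER_TAKEOVER = """<html><head>
<link rel="openid2.provider" href="https://op.attacker.test/endpoint">
<link rel="openid2.local_id" href="https://op.attacker.test/anyone">
</head><body>Parked domain</body></html>"""

# Constructed OpenID 1.1-style page with no delegate: claimed URL is the local id.
PAGE_LEGACY = """<html><head>
<link rel="openid.server" href="https://legacy.example-provider.test/openid">
</head><body></body></html>"""

if __name__ == "__main__":
    claimed = "https://alice-blog.test/"
    print("before takeover:", discover(claimed, PAGE_BEFORE))
    print("after takeover: ", discover(claimed, PAGE_AFTER_TAKEOVER))
    print("provider changed:", provider_changed(claimed, PAGE_BEFORE, PAGE_AFTER_TAKEOVER))
```

Nothing in the relying party's stored data distinguishes the two cases: it remembers the claimed URL `https://alice-blog.test/`, and whoever can make that URL serve a provider link of their choosing can complete a login as that identity.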