main
Report a problem

OpenID is an untrusted protocol, says Sun

franzon   via openid.sun.com on 10 August 2008 - 09:34 · 10 comments & 4843 views

Advertisement (Why?)
OpenID is an untrusted protocol. Sun has no liability for what happens to any information you give to a third-party web site using this service. Most OpenID-enabled sites are genuine but some may be phishers or other rogues. Sun currently has no way of distinguishing the good sites from the bad. Do not use the OpenID@Work service for any high-value, critical, or Sun proprietary information.

Link: OpenID at work - Sun

Share this Article

  • Technorati
  • Magnolia
  • Stumble upon it
  • Reddit
  • Blink List
  • Delicious
  • Slashdot
  • Furl
  • Facebook
  • Windows Live
  • Google
  • Newsvine
  • Yahoo
  • RawSugar
  • Netvouz

About the Author

Full name: Unknown
User name: franzon
Contact: via forum PM
Submissions: View All
More: View Profile

Related news

 

Post a comment · Send to friend Comments · There are 10 additional comments
(2 replies) #1 Magallanes on 10 Aug 2008 - 12:00
So, what's the difference between this insecure protocol and paypal "protocol" or any other kind of "protocol" able to be phisher.
#1.1 leojei on 10 Aug 2008 - 13:57
The distinction between the "insecure" protocol and other stuffs like Paypal is that, Paypal do verify whether the site that wants to use its services for any transactions other than donations is a legitmate site or not. According to this article, Sun does not check the website that implements OpenID, which means OpenID is a platform that stores personal data and make them "wide-open" for anyone to tap in. The main difference lies on the company/backer of this OpenID thing, which is Sun (and other companies if any).
#1.2 Magallanes on 10 Aug 2008 - 21:07
(leojei said @ #1.1)
The distinction between the "insecure" protocol and other stuffs like Paypal is that, Paypal do verify whether the site that wants to use its services for any transactions other than donations is a legitmate site or not. According to this article, Sun does not check the website that implements OpenID, which means OpenID is a platform that stores personal data and make them "wide-open" for anyone to tap in. The main difference lies on the company/backer of this OpenID thing, which is Sun (and other companies if any).


Really?, so this sux!.
(4 replies) #2 nonick on 10 Aug 2008 - 14:11
Why the bold parts?
#2.1 vetmarkjensen on 10 Aug 2008 - 21:35
Because franzon doesn't like Sun (and Mozilla and others)?
#2.2 cork1958 on 11 Aug 2008 - 00:54
(markjensen said @ #2.1)
Because franzon doesn't like Sun (and Mozilla and others)?


Hey,
That franzon must be a relatively intelligent person!! Especially for disliking Sun.
#2.3 +vlsi0n on 11 Aug 2008 - 01:02
Makes it more dramatic.
#2.4 vetmarkjensen on 11 Aug 2008 - 11:13
(cork1958 said @ #2.2)
Hey,
That franzon must be a relatively intelligent person!! Especially for disliking Sun.
I never said anything to the contrary.

I do question this article, though. It is making this sound like a late-breaking update to a security flaw, which it isn't. If franzon decided to read up a bit more on this, he might have found the FAQ section.
Why do people call OpenID an untrusted protocol?

OpenID was designed to let you authenticate, but what you're really doing is proving that you own the rights to use a particular URL for a period of time. In this case, your OpenID identity, http://openid.sun.com/username. Any consumer site can accept or reject a login based on that identity, we have no influence over that, or over anything they do with your information once you've logged in to that site. They may be phishers trying to steal credit card information, or they may be a perfectly respectable site doing a good job of keeping your information private. We just don't know. We haven't signed contracts with any consumer site, and hence in a legal sense we can't trust them. This means you have to use your own instincts in deciding whether to give any site you log into with your Sun OpenID any information, or whether to log in there at all.
In short, this is non-news.
#3 HalcyonX12 on 10 Aug 2008 - 15:54
It should be untrusted, OpenID by design is supposed to be implemented everywhere, and obviously you can't trust each and every web site. But in order to have a default implementation that can be used everywhere, you can't discriminate on who can and can't use it. A true open ID system has to be able to withstand being passed through untrusted sources and still be effective. However that doesn't mean you shouldn't use it on trusted sites.

You should be able to lock down your own content and restrict access to your sites without being affected by what others do. I really don't know why Sun is avoiding this unless they are depending on obscurity for security. TCP/IP packets can be passed through untrusted sources and still be uncompromised if the proper measures are taken. You'd think Sun would have experience here...
#4 Kushan on 10 Aug 2008 - 20:36
OpenID isn't supposed to be "secure", it's simply meant to be a way of identifying yourself on other sites...
Like for example, if my OpenID is my LJ account, I can go on someone's myspace, leave a comment that links to my OpenID LJ account and that person will know it's me, even though I don't have a myspace account. That's it's purpose and you can run your OWN OpenID service if you really want to.

Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!

Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.

Advertisement (Why?)
News powered by Neowin Management System (Build - 5.0.1390) © 2000 - 2008 Neowin.net