OpenID is an untrusted protocol, says Sun

OpenID is an untrusted protocol. Sun has no liability for what happens to any information you give to a third-party web site using this service. Most OpenID-enabled sites are genuine but some may be phishers or other rogues. Sun currently has no way of distinguishing the good sites from the bad. Do not use the OpenID@Work service for any high-value, critical, or Sun proprietary information.

Link: OpenID at work - Sun


10 Comments


OpenID isn't supposed to be "secure"; it's simply meant to be a way of identifying yourself on other sites...
Like for example, if my OpenID is my LJ account, I can go on someone's myspace, leave a comment that links to my OpenID LJ account and that person will know it's me, even though I don't have a myspace account. That's its purpose, and you can run your OWN OpenID service if you really want to.

It should be untrusted; OpenID by design is supposed to be implemented everywhere, and obviously you can't trust each and every web site. But in order to have a default implementation that can be used everywhere, you can't discriminate on who can and can't use it. A true open ID system has to be able to withstand being passed through untrusted sources and still be effective. However, that doesn't mean you shouldn't use it on trusted sites.

You should be able to lock down your own content and restrict access to your sites without being affected by what others do. I really don't know why Sun is avoiding this unless they are depending on obscurity for security. TCP/IP packets can be passed through untrusted sources and still be uncompromised if the proper measures are taken. You'd think Sun would have experience here...

(markjensen said @ #2.1)
Because franzon doesn't like Sun (and Mozilla and others)?

Hey,
That franzon must be a relatively intelligent person!! Especially for disliking Sun.

(cork1958 said @ #2.2)
Hey,
That franzon must be a relatively intelligent person!! Especially for disliking Sun. :rolleyes:
I never said anything to the contrary.

I do question this article, though. It is making this sound like a late-breaking update to a security flaw, which it isn't. If franzon decided to read up a bit more on this, he might have found the FAQ section.

Why do people call OpenID an untrusted protocol?

OpenID was designed to let you authenticate, but what you're really doing is proving that you own the rights to use a particular URL for a period of time. In this case, your OpenID identity, http://openid.sun.com/username. Any consumer site can accept or reject a login based on that identity, we have no influence over that, or over anything they do with your information once you've logged in to that site. They may be phishers trying to steal credit card information, or they may be a perfectly respectable site doing a good job of keeping your information private. We just don't know. We haven't signed contracts with any consumer site, and hence in a legal sense we can't trust them. This means you have to use your own instincts in deciding whether to give any site you log into with your Sun OpenID any information, or whether to log in there at all.

In short, this is non-news.
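The FAQ quoted above makes a precise claim: an OpenID login proves only that the user controls a URL such as http://openid.sun.com/username, and the provider has no say over which site receives that proof. The following Python is an added example, not code from Sun or from the article, written to show why that is true at the protocol level. It builds and verifies an OpenID 2.0 positive assertion (openid.mode=id_res) signed with a shared association key, as a relying party would, and then shows that the provider signs the same kind of assertion for any site that asks, honest or not. The OP endpoint, relying-party URLs, association handles and MAC keys are all hypothetical, constructed for the example.

```python
import base64
import hashlib
import hmac

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed association table held by the provider: each relying party
# negotiates its own handle and MAC key (hypothetical values).
ASSOCIATIONS = {
    "assoc-shop": b"\x11" * 32,
    "assoc-rogue": b"\x22" * 32,
}


def signature_base(fields, signed):
    # OpenID 2.0 signs the Key-Value Form of the listed fields: one
    # "name:value\n" line per name in openid.signed, without the "openid." prefix.
    return "".join(f"{n}:{fields['openid.' + n]}\n" for n in signed.split(",")).encode()


def build_assertion(claimed_id, return_to, assoc_handle, nonce):
    """Provider side: a signed positive assertion (openid.mode=id_res).

    The provider signs whatever return_to the relying party asked for;
    nothing here says anything about whether that site is honest.
    """
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://openid.example.com/server",  # hypothetical OP
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    base = signature_base(fields, fields["openid.signed"])
    mac = hmac.new(ASSOCIATIONS[assoc_handle], base, hashlib.sha256)
    fields["openid.sig"] = base64.b64encode(mac.digest()).decode("ascii")
    return fields


def verify(fields, my_handle, my_mac_key, my_return_to, seen_nonces):
    """Relying-party side: return the claimed_id if the assertion checks out, else None."""
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        return None
    if fields.get("openid.assoc_handle") != my_handle:       # not our association
        return None
    signed = fields.get("openid.signed", "")
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    if not required <= set(signed.split(",")):               # a field we rely on is unsigned
        return None
    try:
        expected = hmac.new(my_mac_key, signature_base(fields, signed), hashlib.sha256).digest()
        got = base64.b64decode(fields.get("openid.sig", ""), validate=True)
    except (KeyError, ValueError):                           # missing signed field or bad base64
        return None
    if not hmac.compare_digest(expected, got):
        return None
    if fields["openid.return_to"] != my_return_to:           # issued for a different site
        return None
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:                                 # replayed assertion
        return None
    seen_nonces.add(nonce)
    return fields["openid.claimed_id"]


def demo():
    user = "http://openid.sun.com/username"              # the identity URL from the Sun FAQ
    shop = "https://shop.example.net/openid/return"      # hypothetical honest relying party
    rogue = "https://sh0p.example.net/openid/return"     # hypothetical rogue relying party
    seen = set()
    a_shop = build_assertion(user, shop, "assoc-shop", "2008-08-10T12:00:00Zabc123")
    a_rogue = build_assertion(user, rogue, "assoc-rogue", "2008-08-10T12:00:01Zdef456")
    tampered = {**a_shop, "openid.claimed_id": "http://openid.sun.com/someone-else"}
    k_shop, k_rogue = ASSOCIATIONS["assoc-shop"], ASSOCIATIONS["assoc-rogue"]
    return {
        "honest_rp_accepts": verify(a_shop, "assoc-shop", k_shop, shop, seen) == user,
        # The provider had no basis to refuse the rogue site; its assertion is just as valid.
        "rogue_rp_verifies_just_as_well": verify(a_rogue, "assoc-rogue", k_rogue, rogue, set()) == user,
        "replay_rejected": verify(a_shop, "assoc-shop", k_shop, shop, seen) is None,
        "tampered_rejected": verify(tampered, "assoc-shop", k_shop, shop, set()) is None,
        "wrong_site_rejected": verify(a_shop, "assoc-rogue", k_rogue, shop, set()) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The relying-party checks here (signature under its own association, return_to equal to its own endpoint, fresh nonce) are what stop an assertion being forged, altered or replayed. None of them involve the provider judging the relying party: the rogue site gets an equally valid assertion because the protocol has no step in which the OP vets a consumer, which is the point the FAQ is making. A real relying party must additionally perform discovery on the claimed_id and confirm that op_endpoint is authoritative for it; that step is omitted above.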

So, what's the difference between this insecure protocol and the PayPal "protocol" or any other kind of "protocol" able to be phished?

The distinction between the "insecure" protocol and other stuff like PayPal is that PayPal does verify whether the site that wants to use its services for any transactions other than donations is a legitimate site or not. According to this article, Sun does not check the website that implements OpenID, which means OpenID is a platform that stores personal data and makes it "wide-open" for anyone to tap in. The main difference lies in the company/backer of this OpenID thing, which is Sun (and other companies if any).

(leojei said @ #1.1)
The distinction between the "insecure" protocol and other stuff like PayPal is that PayPal does verify whether the site that wants to use its services for any transactions other than donations is a legitimate site or not. According to this article, Sun does not check the website that implements OpenID, which means OpenID is a platform that stores personal data and makes it "wide-open" for anyone to tap in. The main difference lies in the company/backer of this OpenID thing, which is Sun (and other companies if any).

Really? So this sux!