
AOL Now Supports OpenID

Posted by Zonk
from the making-progress dept.
Nurgled writes "On Sunday John Panzer announced that AOL now has experimental OpenID server support. This means that every AOL user now has an OpenID identifier. OpenID is a decentralized cross-site authentication system which has been growing in popularity over the last few months. AOL is the first large provider to offer OpenID services, and though they do not currently accept logins to their services with OpenID identifiers from elsewhere, they are apparently working on it. The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology."

  • by cheros (223479) on Sunday February 18, 2007 @07:29PM (#18062788)
    OK, other than NOT being MS driven and a bit more open, where is OpenID conceptually different from Passport? I may have missed something here but it's again single sign on which concentrates your online identity into a single point of failure.

    So, it's more modern and has a little shiny "Open" sticker on the side, but the challenges are identical IMHO.
  • by gd23ka (324741) on Sunday February 18, 2007 @08:10PM (#18063022) Homepage
    Who else woke up this morning to smell the fascism?

    While it sounds like a great idea in fact... it is not. On the pro
    side people don't have to keep lists of their accounts and passwords
    across many sites and sites have a standardized mechanism to rely on...
    ... the balance immediately tips over to the negative once infrastructure
    like OpenID is established .. and then locked down and made mandatory.
    Think what it could be like when sites only accept OpenID authentication
    coming from certain sources like the provider your IP is originating
    from? Take it one step further, think what it would be like to authenticate
    with your OpenID URL to get onto the internet itself?

    The idea sucks and I didn't even get started on how it allows the operator
    of an OpenID authentication service to track which sites you go to.
  • The story is even bigger than the summary makes it out to be. It's not just AOL users who have an OpenID -- anyone who uses AOL Instant Messenger is included, too, as is anyone who uses AOL's "Journals" blogging platform. Both these services are free, and AIM especially is used by a far wider and more technical group of users than the term "AOL users" would suggest. (You /.ers who use AIM via Gaim, for example? You've got OpenIDs now.)
  • by Dolda2000 (759023) <fredrik.dolda2000@com> on Sunday February 18, 2007 @09:15PM (#18063370) Homepage
    The tracking doesn't primarily depend on the authentication server's ability to log whenever you authenticate, but rather that having single sign-on drastically increases your tendency to reuse the same identity on every website you log into. In other words, cross-site tracking can be done much more reliably than before.

    Of course, many here on Slashdot could probably set up their own OpenID server that has a unique identifier for each site, but how many do you think {are going to/are able to} do that -- especially among AOL users?
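
The per-site identifier idea from the comment above, as an added example that is not part of the original post or of any OpenID implementation: a provider derives a stable pseudonymous identifier for each (account, site) pair, so two sites cannot link accounts by comparing identifiers. `SERVER_SECRET`, `PROVIDER_BASE` and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values for this example only.
SERVER_SECRET = b"constructed-demo-secret"
PROVIDER_BASE = "https://id.example.net/u/"


def normalize_site(site_url: str) -> str:
    """Reduce a site URL to scheme://host[:port] so that every page of one
    site maps to the same pseudonym."""
    parts = urlsplit(site_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) site URL: {site_url!r}")
    default_port = {"http": 80, "https": 443}[parts.scheme]
    port = "" if parts.port in (None, default_port) else f":{parts.port}"
    return f"{parts.scheme}://{parts.hostname}{port}"


def pairwise_identifier(local_user: str, site_url: str) -> str:
    """Derive a stable identifier URL for one account at one site.

    HMAC with a server-side secret means a site cannot compute the
    identifier the same account presents elsewhere.
    """
    msg = local_user.encode() + b"\x00" + normalize_site(site_url).encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return PROVIDER_BASE + tag


def linkable(id_a: str, id_b: str) -> bool:
    """What two colluding sites can do: compare the identifiers they saw."""
    return hmac.compare_digest(id_a, id_b)
```

The provider itself still sees every login, so this only addresses linking by the sites, not logging by the identity server.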

  • by Dolda2000 (759023) <fredrik.dolda2000@com> on Sunday February 18, 2007 @09:51PM (#18063568) Homepage
    I'm not sure exactly what you're referring to, but I would argue it is the other way around. If you use OpenID to sign in to a spoofed site, you're safe, because they can't use that info to sign in to the real site themselves. If they're spoofing your OpenID server, then, to be honest, people would be fooled just as much or little as they would be without OpenID. On top of that, OpenID allows you to do neat things like SSL client certificate or Kerberos authentication or anything else that cannot be used by phishers any way. I would also think that some ISPs (like AOL) could use that to make client certificate authentication automatic for their users. That way, it may actually put an effective stop to phishing.
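
A simplified sketch of the check behind the spoofed-site point in the comment above (an added example, not part of the original post and not code from an OpenID library): in OpenID 1.1 the provider's HMAC-SHA1 signature covers the fields named in `openid.signed`, and a relying site that insists `return_to` is signed and equals its own URL will reject a response issued to a different site. The key, the URLs, the helper names and the exact-match comparison are assumptions made for this example.

```python
import base64
import hashlib
import hmac

REQUIRED_SIGNED = {"identity", "return_to"}


def kv_token(fields: dict, signed: str) -> bytes:
    """Key-value form of the signed fields: 'name:value\\n' per field, in order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(",")).encode()


def provider_sign(mac_key: bytes, fields: dict, signed: str = "mode,identity,return_to") -> dict:
    """Provider side: attach openid.signed and openid.sig to a response."""
    out = dict(fields)
    out["openid.signed"] = signed
    sig = hmac.new(mac_key, kv_token(out, signed), hashlib.sha1).digest()
    out["openid.sig"] = base64.b64encode(sig).decode()
    return out


def rp_accepts(mac_key: bytes, response: dict, my_return_to: str) -> bool:
    """Relying-site side: accept only a response signed for this site."""
    if response.get("openid.mode") != "id_res":
        return False
    signed = response.get("openid.signed", "")
    if not REQUIRED_SIGNED.issubset(signed.split(",")):
        return False  # an unsigned return_to or identity proves nothing
    try:
        expected = hmac.new(mac_key, kv_token(response, signed), hashlib.sha1).digest()
        presented = base64.b64decode(response.get("openid.sig", ""), validate=True)
    except (KeyError, ValueError):
        return False  # missing signed field or malformed signature
    if not hmac.compare_digest(expected, presented):
        return False  # any signed field was altered after signing
    # Simplification: exact match against the URL this site registered.
    return response["openid.return_to"] == my_return_to
```

The model gives the real site and the other site the same MAC key, which is the worst case; with separate associations the signature check fails as well.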
  • Not cool (Score:4, Interesting)

    by linuxmop (37039) on Monday February 19, 2007 @12:26AM (#18064216)
    Actually, the problem is that the OpenID specification is very poorly written and is extremely complicated. It's as though a couple of kids wanted to put together an RFC but didn't really understand how to express a specification in a logical form. If you don't believe me, just take a look; you'll see what I mean just by glancing through it: http://openid.net/specs/openid-authentication-1_1.txt [openid.net]

    Anyway, then, as kids are wont to do, they have followed it up with a series of new specifications, each one more complicated than the last. There are five specifications in draft form right now, each to cover some different aspect of what should be a fairly simple protocol. They reference and make use of HTTP, HTML, XHTML, XML, XRIs, XRDS, S/MIME, XSLT, and some other, similar ID specification called Yadis. Implementing all of this requires gobs of software libraries (each with security holes and bugs) and expertise (and who has time to learn the latest X??? spec?). And we're supposed to believe that it's possible to do this securely? We can barely make secure web servers, much less SSI systems which require almost 100 pages of specifications, plus thousands of pages of supporting specifications!

    What's sad is that the authors are not just a couple of kids that discovered XML and had a field day. The authors are associated with companies. The primary author works for VeriSign. Presumably, he should know better than to make such a jumbled mess.

    But I think we all know what's really going on here. These idiots put together an incomprehensible specification. It is poorly defined, ambiguous, and relies on lots of supporting technologies. It is impossible to implement securely, completely, and correctly. Security holes and interoperability issues will be the only real standard. And guess whose jobs are secure? Guess who gets lots of contracting jobs? Guess who is needed to write new specifications so that they can get it Right the next time?

    It's too late to turn this one around. Hopefully OpenID will die a horrible death and we'll never hear of it again. But please, please, if anyone else reading this feels compelled to write a specification in the future, learn from OpenID's mistakes and keep it simple, stupid. Because OpenID is setting itself up for disaster.
