AOL Now Supports OpenID
Nurgled writes "On Sunday John Panzer announced that AOL now has experimental OpenID server support. This means that every AOL user now has an OpenID identifier. OpenID is a decentralized cross-site authentication system which has been growing in popularity over the last few months. AOL is the first large provider to offer OpenID services, and though they do not currently accept logins to their services with OpenID identifiers from elsewhere, they are apparently working on it. The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology."
redundant acronym syndrome RAS (Score:5, Funny)
Re: (Score:2, Funny)
RAS syndrome and U.S. trademark law (Score:5, Informative)
The joke is often repeated. But U.S. trademark law may help explain RAS syndrome. Trademarks are adjectives and should be used with a generic term, even if they contain an abbreviation of the generic term. Hence "TCBY yogurt" even though "TCBY" is "the country's best yogurt", "DC comics" even though "DC" was "detective comics", "SAT reasoning test" even though "SAT" was "scholastic aptitude test", and "SPAM luncheon meat" even though "SPAM" stood for "specially processed assorted meat" at one time. Writers pressured by trademark owners to include the generic terms in their copy tend to overextend the habit of abbreviation + generic even to cases where the abbreviation is not a trademark.
Another cause is to disambiguate homophonic or homographic acronyms. "Put your PIN in the computer" could be misheard as "put your pin (or pen) in the computer", which could damage the machine. "Put your PIN number in the computer" has one interpretation.
Re: (Score:3, Informative)
http://en.wikipedia.org/wiki/Spam_(food) [wikipedia.org]
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
Re: (Score:2)
Good point. Let's start calling it PAN instead.
Re: (Score:2)
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
I can't get too excited about it myself, though. Calling it "an OpenID" is fine by me!
Cool... (Score:4, Funny)
Re: (Score:3, Insightful)
Not cool (Score:4, Interesting)
Anyway, then, as kids are wont to do, they have followed it up with a series of new specifications, each one more complicated than the last. There are five specifications in draft form right now, each to cover some different aspect of what should be a fairly simple protocol. They reference and make use of HTTP, HTML, XHTML, XML, XRIs, XRDS, S/MIME, XSLT, and some other, similar ID specification called Yadis. Implementing all this requires gobs of software libraries (each with security holes and bugs) and expertise (and who has time to learn the latest X??? spec?). And we're supposed to believe that it's possible to do this securely? We can barely make secure web servers, much less SSI systems which require almost 100 pages of specifications, plus thousands of pages of supporting specifications!
What's sad is that the authors are not just a couple of kids that discovered XML and had a field day. The authors are associated with companies. The primary author works for VeriSign. Presumably, he should know better than to make such a jumbled mess.
But I think we all know what's really going on here. These idiots put together an incomprehensible specification. It is poorly defined, ambiguous, and relies on lots of supporting technologies. It is impossible to implement securely, completely, and correctly. Security holes and interoperability issues will be the only real standard. And guess whose jobs are secure? Guess who gets lots of contracting jobs? Guess who is needed to write new specifications so that they can get it Right the next time?
It's too late to turn this one around. Hopefully OpenID will die a horrible death and we'll never hear of it again. But please, please, if anyone else reading this feels compelled to write a specification in the future, learn from OpenID's mistakes and keep it simple, stupid. Because OpenID is setting itself up for disaster.
Re: (Score:2)
Re: (Score:2)
Why would we want OpenID? (Score:5, Insightful)
Or: how is this different from Passport (Score:2, Interesting)
So, it's more modern and has a little shiny "Open" sticker on the side, but the challenges are identical IMHO.
Re:Or: how is this different from Passport (Score:5, Informative)
Re: (Score:2)
Re: (Score:3, Informative)
You don't end up with any more reason to trust me than if I had used a random
Re: (Score:3, Informative)
Still leaves the trust matter unanswered.. (Score:2)
So you've got nothing to hide? Fine, would you appreciate being followe
Re: (Score:2)
People want single sign on because it's an easier option than remembering 47 unique and secure username:password pairs, and much more secure than sharing usernames/passwords for multiple accounts.
Not more secure.. (Score:2)
Maybe my standards are too high, but it doesn't feel like a very good idea to me other than for very low value sites (i.e. those with no mo
Re: (Score:2)
However, I know lots of people who use the same password in all the places they don't really care about (websites like slashdot). For them a compromise of any compromises all (and a compromise could be, the person running the site takes a peek). The idea is the single sign on should be more secure than any individual site would be. And since you used the same password everywhere anyway that results in higher security.
O
Re: (Score:2)
Nope. Look at this from the individual's perspective, and from the server's perspective:
From the individual's point of view, you can casually create digital identities: no server has anything to correlate with that you don't want to give them, because making a digital identity is easy. Your privacy is as secure as you want to keep it.
From the server's point of view: you can demand any criteria you like. No doubt there will be OpenID servers that support financial transactions by guaranteeing all digita
So, what's wrong with the Web of Trust? (Score:2)
I should know because I was one of the people authenticated into the system by Mark, but I must log in and update my data
Re: (Score:2)
Re: (Score:2)
And what's to prevent the sharing of various openid logins with anyone and everyone? Nada
Re: (Score:2, Informative)
[...] your username is your URI, and your password (or other credentials) stays safely stored on your OpenID Provider (which you can run yourself, or use a third-party identity provider). [...] From http://openid.net/ [openid.net]
Which means the centralized database of your browsing habits would be on your own server. With browser history, this already exists. Sure, OpenID may not be suitable for online banking, but it would sure make things easier when it comes to making one or two posts on a forum you're rarely going to visit.
Re: (Score:2)
Re:Why would we want OpenID? (Score:5, Insightful)
Re: Why would we want OpenID? (Score:5, Interesting)
Of course, many here on Slashdot could probably set up their own OpenID server that has a unique identifier for each site, but how many do you think {are going to/are able to} do that -- especially among AOL users?
Re: (Score:2)
So set up your own OpenID server, and offer it free to AOL users who aren't savvy enough to do it themselves. Explain to them why they should trust you more than they trust AOL. If they want to they could use your server just as easily as they use AOL's.
OpenID makes identity portable, which
Re: (Score:2)
Re: (Score:2)
There are very few websites I go to where I actually care that much about privacy, such as my bank, and anywhere I purchase things. If all the other sites adopted OpenID, my life would be a little easier.
Re: (Score:2)
Single sign-on across the internet is a bad idea. As more sites require it, people's web browsing habits will be tracked on an unprecedented scale. Seriously, what benefit does it provide?
This isn't aimed at e-commerce sites, it's aimed at blogs. And it doesn't associate your browsing habits with a person, it associates them with a webpage. What it allows for is authentication and attribution of comments, articles and the like so that you know that you're talking to the same person throughout an exchange, wherever that takes place. Your bank isn't interested in knowing whether you really own fred13.blogsite.com, only in whether you're the owner of the account, so they won't be interested i
Re: (Score:3, Informative)
Re: (Score:2, Insightful)
To continue your analogy, I wouldn't necessarily want to publish my girlfriend's name on the soap-making forums I frequent, even if I considered it silly to avoid mentioning it on, say, a friend's personal blog. As the internet is organized today, this is less of a problem because identities are not interlinked by defaul
Re: (Score:2, Informative)
Because two different people couldn't possibly use the same username at different locations, of course.
-:sigma.SB
Re: (Score:3, Insightful)
Nothing, that's why OpenID is really no better or worse than the status quo when it comes to privacy.
Re:Why would we want OpenID? (Score:4, Funny)
From TFS:
Brings back thoughts of eternal september
-nB
OpenID vs OpenPrivacy? (Score:2)
Re:OpenID vs OpenPrivacy? (Score:5, Insightful)
Basically, OpenID provides for distributed authentication.
IMO, what makes OpenID interesting is that in the 2.0 protocol, XRI (i-names) have been included, which opens the door to enabling selective, authenticated authorization of access to services, be it as simple as the ability to contact me (I would allow any parent of a child in my kid's pre-school class to phone me) or as complicated (eventually) as any contract you can imagine.
OpenPrivacy, on the other hand, assumes such services as a starting point, which is why I suspended development of OpenPrivacy in 2002 and began working on XRI/i-names. OpenPrivacy will use sophisticated techniques such as zero-knowledge proofs to enable distributed reputation providers and truly pseudonymous identities that cannot be traced to their owner (unless such verification is mutually requested), but it requires strong, secure identity as a starting point.
I look forward to creating grassroots i-names-enabled communities soon (starting in March, if all goes well) and eventually getting back to my OpenPrivacy roots - which is where (IMO) things start getting really interesting.
Don't drink the Kool-aid (Score:2)
Too bad it's all a bunch of complicated bullshit. We don't need it, and we don't want it. Want to know why? Seven different special symbols (@, +, =, !, $,
Re: OpenID vs OpenPrivacy? (Score:2)
OpenID, on the other hand, is simply authentication and nothing more. The idea is that you only need one OpenID account. Then, when you go to a website which requires logon
The problem with single sign-on... (Score:5, Insightful)
One major problem I see with this sort of initiative is spoofing of your provider's sign-in page. Unlike spoofing in its current form, if someone was able to get the password for your OpenID provider, he'll have access to every single one of the accounts you've used that ID with. It's putting all your eggs in one basket -- with the way everything is currently handled, your sign-on information to an individual site may be compromised, but you won't lose everything else.
Is there a solution to this kind of problem, or is OpenID really only targeted to low-risk authentication; i.e., for forums and social networking sites?
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
To put it in really simple terms, they'll get your username, but not your password.
By the way, we already have this problem. If someone steals your identity (social security number, etc), they can use that to gain access to most things you have, including your bank. The tr
Re: (Score:2)
OpenID is as secure as you make it; you control the "backend" and you choose how much it's going to do to check it's you before it tells the website that it is. If you want convenience, it might always authenticate you if you're on your home IP, or if you've got a particular cookie. If you want security, it could ask for a username and password, or 2-factor authentication. You could require you to digitally sign a random piece of plaintext, supply biometric data and scan in 3 proofs of address, the security
Re: (Score:2)
It's phishing time! (Score:5, Insightful)
Re:It's phishing time! (Score:4, Informative)
Re: It's phishing time! (Score:3, Interesting)
Christ. We're all doomed (Score:2)
Re: (Score:2)
Re:Christ. We're all doomed (Score:5, Informative)
Not just AOL users -- AIM users too (Score:4, Interesting)
Speaking of AIM... (Score:2)
That would leave only Yahoo and MSN...
But really, it seems obvious to me that they are not implementing OpenID because they like open standards. Otherwise, why aren't they actually using open standards elsewhere?
Re: (Score:2)
Implement an open standard when there is no compelling reason not to.
The fact that Jabber doesn't offer any advantage over their already implemented and established AIM protocol
might be a compelling reason for them not to sink resources into it.
Re: (Score:2)
Is there actually a compelling technical reason to use their AIM protocol instead of Jabber? Because I can think of a couple of compelling reasons to use Jabber instead of AIM.
Re: (Score:2)
Re: (Score:2)
Get it? Look at that nick closely...
I imagine "AOLamers", who can't even spell "you" properly, wouldn't notice that, either. And besides, what's stopping people from doing that already with email?
You are right about one thing, though: It's about control. If it was a fully open Jabber server, people might actually start switching off of AOL's servers, even if the majority of their buddy list is still on AOL -- which means eventually, fewer people that AOL can
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The way to deal with people who fall for phishing schemes is not to coddle them, but to let them get stung and hope that teaches them their lesson. Or we could simply start taking the warning labels off of things, and let natural selection take its course -- "Do not stop blade with hands or genitals."
Uh oh (Score:5, Funny)
I think I see the flaw in your plan.
Intranet (Score:2)
Just use SINs (Score:2)
DNS poisoning ... a genuine question (Score:2)
So, seriously, what stops this from being the most exploitable authentication system ever?
Dave
Re: (Score:2)
BTW, I think prominent OpenID providers like VeriSign, AOL, and SixApart can afford SSL certificates. Heck, VeriSign can give themselves a cert for free.
My problem with OpenID (Score:2)
1. I'm relying on a third party to authorize a person. A potentially untrusted third party. Some sites have credibility already (livejournal.com, aol.com even if AOL does suck), but as I understand it, ANYONE can create an OpenID server.
So, what's to stop someone from creating one that authorizes any username/password given to it?
2. It really messes up my database normalization. Handling local users and remote users would take more database tables,
Re: (Score:2)
Re: (Score:2)
Authentication infers authorization. You authenticate to gain authorization to do something.
Re: (Score:2)
1) Nothing. What's to stop someone from creating a new username and password each time they visit your site?
2) Don't work in terms of "local" users in your database. Work in terms of OpenID identities—or "remote" users as you put it. Require your local users to enter their full identity URI of http://username.VGPowerlord.rofliron/[1]—or, as a shortcut, if only a username is entered, add the implicit domain name and hand the full, canonical identity URI to your login/logging/user-management
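One way to do what this reply suggests, as an added example that is not code from the original post: a Python function that takes whatever the login form received and produces one canonical identity URI, so that local and remote users live in the same table keyed by that one string. The implicit domain and the identifiers in the comments are constructed. The normalization rules (assume http:// when no scheme is given, lowercase scheme and host, drop the fragment, make an empty path "/") follow OpenID 2.0 identifier normalization; refusing userinfo is an extra check added here, because http://victim@attacker/ would otherwise display much like the victim's identifier while pointing somewhere else.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical: the domain a bare username is assumed to belong to.
IMPLICIT_DOMAIN = "openid.example.invalid"

def canonical_identity(user_input, implicit_domain=IMPLICIT_DOMAIN):
    """Turn whatever the login form received into one canonical identity URI.

    A bare username becomes http://<username>.<implicit_domain>/ (the shortcut
    the reply above describes). Anything else is treated as a URL and
    normalized the way OpenID 2.0 normalizes identifiers: http:// is assumed
    when no scheme is given, scheme and host are lowercased, the fragment is
    dropped, and an empty path becomes '/'. Userinfo and non-http schemes
    are refused rather than silently rewritten.
    """
    s = user_input.strip()
    if not s:
        raise ValueError("empty identifier")
    if not any(ch in s for ch in "/.:@"):
        # Bare username: e.g. "cooldude" -> http://cooldude.openid.example.invalid/
        s = f"http://{s}.{implicit_domain}/"
    elif "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    if parts.username is not None or parts.password is not None:
        # http://victim@attacker/ would look like the victim's identifier; refuse it.
        raise ValueError("userinfo is not allowed in an identity URI")
    if not parts.hostname:
        raise ValueError("missing host")
    # urlsplit already lowercases the hostname; rebuild netloc without userinfo.
    netloc = parts.hostname + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))
```

Store and compare users by the string this returns and nothing else; two inputs that differ only in case of the host, a trailing fragment, or a missing trailing slash then resolve to the same account instead of three.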
Re: (Score:2)
I believe someone elsewhere in the thread called this a "broken trust model." It's like SMTP all over again, except that SMTP was invented when every s
OpenID adoption (Score:2)
Re: (Score:2)
I think I see your problem. PHP libraries have numerous inconsistencies, lack documentation, and have version conflicts.
Re: (Score:2)
Re: (Score:3, Insightful)
But they don't have to and never did (Score:2)
electro: electronic music
soccer: sport
tux: mascot of Linux
I've never had a problem getting this username registered anywhere.
The same goes with your password. Just cook up a sufficiently secure password that is at least 12 characters long and then use it everywhere. Since you're going to be typing it in a lot, make sure it's easy t
Re: (Score:2)
Are you kidding me?
Hey, head off to my homepage, and register with your username, and your "use-everywhere" password. I'll have some fun once I've brute forced it. Perhaps my system stores the plaintext version? Or maybe I'll just sniff the HTTP, and see it there.
Re: (Score:2)
The only 'universal' IDs that aren't open to such attacks are things like biometrics and one time pads.
This is the whole point (Score:5, Informative)
It seems OpenID prevents this problem. With OpenID the only thing you give to the websites you login to is your URL (such as https://aol.com/cooldude [aol.com] ). You can even give your URL to your enemies. You never give your OpenID password to any site except AOL, or if you run your own OpenID server, you never give your password to anyone at all. If I understand it right the whole encrypted procedure goes something like this:
You're trying to login to example.com
Example.com says: Who are you?
You say: I'm "https://aol.com/cooldude"
Example.com asks AOL: Is this guy really cooldude?
AOL sends a message to you asking: Example.com says you're trying to log on, is it really you?
You say to AOL: Yea it's me, here's my password to prove it. (AOL doesn't tell example.com your password. Also you save the hassle of entering your password for any site if you already logged in to AOL, like at the beginning of each day.)
AOL says to Example.com: Yes we verified it's cooldude.
Example.com says to you: Hi cooldude from aol.com, we've verified it's you again. Welcome.
Note that if you log into AOL at the beginning of the day, then for you this whole procedure boils down to you just entering your URL to login and then pressing a button from AOL to authorize the login.
Some advantages and disadvantages are:
You can use one username and password for every site and you only have to enter your password once a day.
If you used the same username and password at a lot of sites before, then with OpenID you don't have to worry about your password being compromised on one site by lax security or a crooked site owner (like a phisher) and then having your accounts compromised at all the other sites.
I'm not sure about the privacy issues. If your OpenID provider allows it (or if you set up your own server) you could set up an unlimited number of IDs (e.g. cooldude2, cooldude3, etc.) I don't see how you would be giving up any more privacy than any other system. And if your provider allows it you could save a lot of trouble and use the same password for all your IDs. Your OpenID provider could track which sites you log into, but you could just be your own provider or choose one you trust not to track you. Of course the sites you log into could require only certain OpenID providers like AOL, Microsoft, Verisign, etc. You might not be able to use your own server. Sites might only accept OpenIDs from providers that use strong identification, like Paypal's requirement that you control a checking account to be confirmed, because banks in the US are required by law to get ID before opening a checking account (says Paypal).
If sites only recognize OpenIDs from certain providers, at least the list of providers would likely be more inclusive than something like Microsoft Passport which has only one provider.
OpenID providers might differentiate themselves on their security. Verisign for example may try to claim that their OpenID service (if they had it) is secure enough to use for bank logins.
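The exchange this comment walks through, as an added example that is not part of the original post and not AOL's implementation: a Python simulation of the OpenID checkid_setup flow with a provider, a relying party (example.com) and the user's browser carrying messages between them. It adds the piece the walkthrough leaves out, namely the shared secret ("association") the relying party and the provider set up beforehand and the HMAC the provider puts on its "yes, it's cooldude" assertion. That signature, together with the return_to, association handle and nonce checks, is what lets example.com believe the assertion came from the provider and was neither altered nor replayed on the way; the password itself is only ever handled by the provider. The endpoint, user and password are constructed sample values, and the association step hands the key over directly instead of running the Diffie-Hellman exchange the spec uses.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical provider and users, not AOL's real endpoints).
OP_ENDPOINT = "https://op.example.invalid/server"
COOLDUDE = "https://op.example.invalid/cooldude"
USER_DB = {COOLDUDE: "correct horse battery staple"}
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle"]

def sign(key, fields, signed):
    # HMAC-SHA256 over the spec's key-value form ('name:value\n' per signed field).
    kv = "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)
    return hmac.new(key, kv.encode(), hashlib.sha256).hexdigest()  # spec base64-encodes it

class OpenIDProvider:
    """Provider side (the AOL role): the only party that ever sees the password."""
    def __init__(self, users):
        self._users = users
        self._assocs = {}  # assoc_handle -> shared MAC key

    def associate(self):
        # Association: RP and provider agree on a shared MAC key. The real protocol derives
        # it with Diffie-Hellman (or sends it under TLS); here it is simply handed back.
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._assocs[handle] = key
        return handle, key

    def checkid(self, request, password, approve):
        """Check the password, ask the user to approve the RP, then sign the assertion."""
        claimed_id = request["openid.claimed_id"]
        if self._users.get(claimed_id) != password or not approve:
            return {"openid.mode": "cancel"}
        fields = {
            "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT,
            "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id,
            "openid.return_to": request["openid.return_to"],
            "openid.response_nonce": secrets.token_hex(8),  # spec prefixes a UTC timestamp
            "openid.assoc_handle": request["openid.assoc_handle"],
            "openid.signed": ",".join(SIGNED_FIELDS),
        }
        fields["openid.sig"] = sign(self._assocs[fields["openid.assoc_handle"]],
                                    fields, SIGNED_FIELDS)
        return fields

class RelyingParty:
    """The site being logged in to (example.com): never learns the password."""
    def __init__(self, op, return_to):
        self._return_to = return_to
        self._assoc_handle, self._key = op.associate()
        self._seen_nonces = set()

    def begin(self, claimed_id):
        # The checkid_setup request the user's browser carries to the provider.
        return {"openid.mode": "checkid_setup", "openid.claimed_id": claimed_id,
                "openid.identity": claimed_id, "openid.return_to": self._return_to,
                "openid.assoc_handle": self._assoc_handle}

    def complete(self, response, expected_id):
        """Verify the assertion; every check must pass before the login counts."""
        if response.get("openid.mode") != "id_res":
            return False
        signed = response["openid.signed"].split(",")
        if not set(SIGNED_FIELDS).issubset(signed):
            return False  # never rely on a field the provider did not sign
        if (response["openid.assoc_handle"] != self._assoc_handle
                or response["openid.return_to"] != self._return_to
                or response["openid.claimed_id"] != expected_id
                or response["openid.response_nonce"] in self._seen_nonces):
            return False
        if not hmac.compare_digest(sign(self._key, response, signed), response["openid.sig"]):
            return False
        self._seen_nonces.add(response["openid.response_nonce"])
        return True

def new_pair(users):
    op = OpenIDProvider(users)
    return op, RelyingParty(op, "https://example.com/login/return")

def run_login(password):
    """Drive the whole exchange once; True when example.com accepts the login."""
    op, rp = new_pair(USER_DB)
    return rp.complete(op.checkid(rp.begin(COOLDUDE), password, approve=True), COOLDUDE)

def forged_assertion_rejected():
    # A valid assertion for one user, edited in transit to name another, fails the MAC.
    mallory = "https://op.example.invalid/mallory"
    op, rp = new_pair({mallory: "pw"})
    response = op.checkid(rp.begin(mallory), "pw", approve=True)
    edited = {**response, "openid.claimed_id": COOLDUDE, "openid.identity": COOLDUDE}
    return not rp.complete(edited, COOLDUDE)

def replay_rejected():
    # The same valid assertion is accepted once and refused the second time.
    op, rp = new_pair(USER_DB)
    response = op.checkid(rp.begin(COOLDUDE), USER_DB[COOLDUDE], approve=True)
    return rp.complete(response, COOLDUDE) and not rp.complete(response, COOLDUDE)
```

Nothing in RelyingParty ever receives the password; only OpenIDProvider.checkid does, which is the property the comment is pointing at. The checks in complete() are the ones a relying party cannot skip: every field it acts on must be in the signed list, the return_to and association handle must be its own, the claimed identity must be the one the user started with, and a nonce is honoured once. forged_assertion_rejected() and replay_rejected() show what the signature and the nonce buy; a relying party that verified neither would accept any assertion anyone cared to type into a URL.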
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Re:This is a huge blow to privacy on the net... (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
Anyway, don't use OpenID, that's fine with me. 1996 called, they want you back.
Re: (Score:2, Insightful)
If I go to a blog and enter a comment with the name Kelly Clowers and give my website as www.clowersnet.net/~krc/, how do you know that I am really the Kelly Clowers who owns that website? This example is one of the original use cases for OpenID.
Now anyone can google Kelly Clowers and if an OpenID post turns up in the results, you can be fairly sure it was really the owner of www.clowersnet.net/~krc/ (which is presumably me, since that website specifically m
Re: (Score:2)
Re: (Score:2)
Decentralised of course - like the US approach of giving your SSN to everyone instead of only government departments.
Re: (Score:2)