Log in

No account? Create an account
Giza aka Douglas Muth's LiveJournal
How OpenID works 
24th-Nov-2010 10:43 am
Leopard White Mage
Explained in two simple pictures:

(Images courtesy of the Coding Horror blog)

Any questions?

Really, OpenID is merely a way for a third party (Google, Twitter, Facebook, etc.) to tell the site you are visiting that you are in fact a specific user on that service.

Want to try logging into a site with OpenID credentials to see how it works? You can try that out on Anthrocon's site. I've got OpenID working over on PA-Furry.org, too!
24th-Nov-2010 03:50 pm (UTC)
I do not trust OpenID and I will never use it. Yes, a simple cookie sets my ID. But suppose my laptop gets stolen. Now this guy not only has all my sites and bookmarks, but is automatically logged in as me without even having to try to hack a password. And how do I turn that OpenID off when someone steals my laptop so the thief cannot impersonate me?
24th-Nov-2010 03:56 pm (UTC)

How is this different from being left logged into regular sites and your laptop gets stolen?

In the above scenario you describe, you log out of Twitter/Facebook/etc. from another terminal which should (in theory) kill any sessions you have. You then log back in and change your password for good measure.

If you want to have the ability to turn off your own OpenID, set up delegation. View the source of the page at http://www.dmuth.org/openid/ for an example of how easy this is to do. I use that OpenID to log into sites with. If something happens to my computer or laptop, my "emergency escape hatch" would be to remove that page until I get things locked down.

24th-Nov-2010 04:26 pm (UTC)
Simple: I don't stay logged in to any sites, and I have the computer set to not automatically log me in. The user name is auto- the password is not.

And I'm afraid I don't understand the instructions. I looked at the source and followed the stackoverflow link which directs me to add something to my google profile. Um... what google profile? I have a google profile, like it or not?
24th-Nov-2010 04:35 pm (UTC)

Did you go to http://www.google.com/profiles and click "view my profile"? (assuming you were logged in)
24th-Nov-2010 06:20 pm (UTC)
If you have Gmail, or use another Google service where you login, you have a Google account and thus a Google profile. It doesn't have to be public or even used, it's there.
24th-Nov-2010 05:47 pm (UTC)
What if I don't want the site I'm visiting to know that I'm a user on Google, or more importantly, vice versa? They track me enough as it is.
24th-Nov-2010 06:17 pm (UTC)

Use another OpenID provider, such as LJ?
24th-Nov-2010 06:32 pm (UTC)
such as SUP Fabrik?

Not that OpenID isn't a neat system, from a site admin point of view - instantly gain a large set of users by honoring an offsite form of authentication. But the whole idea of integrated identity is anathema to privacy. In recent years I've been a lot more conscious as to how much data I'm allowing to leak to which companies.
24th-Nov-2010 06:36 pm (UTC)

Maybe there's market for companies that offer "disposable OpenIDs" much like some credit card companies offer disposable card numbers that are tied to your real credit card number.
24th-Nov-2010 06:46 pm (UTC)
Wouldn't a more straightforward example be Livejournal? ;D
24th-Nov-2010 11:58 pm (UTC)
LJ's OpenID implementation is kinda messed up. It advertises support for 2.0, but doesn't support items sent via POST, which breaks support in the Drupal OpenID module. I had to hack the module to only send OpenID 1.x GET requests for LJ.
24th-Nov-2010 07:56 pm (UTC)

You're saying that if I log in with OpenID, my computer's stack will overflow in an exploitable way, and all of my Visa, Plus, Mastercard, etc, accounts will be transferred to Google, Yahoo, AOL, etc?

I admit it's a more direct wealth transfer system, but the more obscure and more gradual current wealth transfer system is less disconcerting. Though it admittedly results in the same thing.
25th-Nov-2010 12:02 am (UTC)
The idea is that the initial site never gets your credentials, or access to your account elsewhere - just confirmation from the authenticating site that you're a valid user, and perhaps some information like your name and picture (if it is setup to do that). That way you don't have to be entering passwords into sites that you don't trust.
25th-Nov-2010 04:36 am (UTC)
There's an old usenet saying that no humor can be so blatant that someone on the net won't take it seriously. ;)
25th-Nov-2010 04:40 am (UTC)
Well, you are a fox - Is it right to assume you understand the intricacies of third-party authentication. ;-)
25th-Nov-2010 05:15 am (UTC)
Alice, Bob, Trent and Eve are all old friends of mine, yes. :)
25th-Nov-2010 06:33 am (UTC)
Funny you should bring up OpenID and the StackOverflow family of sites. I've been making a lot of use of one for the last... oh 6 or so days, and I've found the use of OpenID has made it rather easy to use, more so as I can set up my account with two possible providers. Makes management easier.
This page was loaded Dec 10th 2018, 3:23 pm GMT.