MySpace Joins OpenID Coalition

the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others." Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty OSS OpenID libraries available."

  • by kgwilliam ( 998911 ) on Wednesday July 23, 2008 @10:39AM (#24304253)
    "Initially support is to use MySpace OpenIDs as providers only -- i.e. you cannot logon to MySpace with an OpenID created elsewhere" Ummm.... Doesn't that sort of defeat the purpose of a single username/password system? You have to create an OpenID for MySpace, and then you have to create a different OpenID for site XYZ. How many other sites are going to require that you create a new OpenID for their site?
  • Blah Blah Blah... (Score:5, Insightful)

    by anom ( 809433 ) on Wednesday July 23, 2008 @10:40AM (#24304263)
    Until you actually let someone authenticate to your site using OpenID, you're not really helping anything. You're just spreading BS about how open you are when you're really just supporting further centralization around yourself. Until the big names start acting as Relying Parties, I don't wanna hear about it.
  • by LighterShadeOfBlack ( 1011407 ) on Wednesday July 23, 2008 @10:42AM (#24304297) Homepage

    Reader gbjbaanb adds a link to the BBC's coverage and points out that Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use

    No, I'm pretty sure he wrote in pointing that MySpace's 100 million users would nearly double the number of OpenID accounts.

    Jesus fucking Christ, is proof-reading really that hard?

  • Damned MS... (Score:2, Insightful)

    by db32 ( 862117 ) on Wednesday July 23, 2008 @10:46AM (#24304389) Journal
    I really wanted my Hotmail account to be compromised when my Google/Myspace/Facebook/Amazon/Ebay/Paypal accounts are all compromised by the single sign on. Now they will have to get my OpenID AND my Passport logons.

    Seriously...with the internet being such a dangerous place for the average user. How in the freaking hell is a single sign on going to make it better? I mean really now this seems monumentally stupid. And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security.

    With any luck some banks and credit cards will adopt this. So now you can have everything stolen from you with a single username/password combination that was probably lifted from you through a fake website or one of the dozens of account stealing malware bits that you installed to get "OMG Ponies Wallpaper & Pointers!". For bonus points, being able to pull a drive by install of malware to steal this account from a MySpace banner and then using that to steal all of their money, email addresses, and social webpages would be great. Bonus points if you manage to auction off all of their personal possessions through their ebay account and then keep the money through their paypal account.
  • Re:Problem (Score:4, Insightful)

    by TheRedSeven ( 1234758 ) on Wednesday July 23, 2008 @10:48AM (#24304419)
    An obvious concern related to the parent--as more and more transactions happen over the internet, do I want a single password for all of them?

    Personally, I keep a different password and login for every place I sign in that either (1) contains personal information about me, or (2) on which I transact financial business (like a bank account).

    For social sites and blogs, I guess, this wouldn't be a big deal to me. But as soon as PayPal or EBay sign up, I start to get real unsure of this as a concept.
  • by CastrTroy ( 595695 ) on Wednesday July 23, 2008 @10:48AM (#24304421)
    What I don't get about OpenID is that it seems to give my OpenID provider access to every site I log onto. As much trouble as it is having to manage hundreds of logins, I don't think the proper solution is to proxy all my logins to some third party.
  • OpenID? (Score:1, Insightful)

    by Wowsers ( 1151731 ) on Wednesday July 23, 2008 @10:49AM (#24304433) Journal

    Who cares about a unified username/password "experience". A single username/password combination is an idiotic idea which means one site getting compromised compromises ALL websites you've an OpenID profile. Who thinks of these idiotic ideas?

    I thought they would learn from that experience when you could have a set of car keys from a Ford in the UK (in the 1970's IIRC), and it would open all the other Ford cars. At least that's how my parents' car was stolen. Now do the equivalent with an online profile.. madness.

  • by SpecialAgentXXX ( 623692 ) on Wednesday July 23, 2008 @10:50AM (#24304451)
    Is having 1 global ID really wise? It sounds like a single point of failure to me. And do you really want the same ID across all sites? i.e. Do you want to be able to be tracked across multiple sites, especially those that cater to different audiences? And with social engineering, if you divulge your personal info to a phisher for one site, he would then be able to use it for all other sites.

    Call me a bit concerned, but I have unique IDs & passwords across all sites (social networking, blogs, financial, political, etc.) There are free user ID/password management software so you don't have to memorize every ID and password.
  • by Wolfger ( 96957 ) on Wednesday July 23, 2008 @10:53AM (#24304491)
    Absolutely. This is why OpenID is going nowhere fast. Everybody wants to be a provider, but virtually nobody wants to accept OpenID credentials from other sites. LJ does, and to my surprise Identi.ca has since day one, but most "OpenID sites" are providers only. It's sad, and makes baby Stallman cry.
  • Re:OpenID? (Score:4, Insightful)

    by cathector ( 972646 ) on Wednesday July 23, 2008 @11:00AM (#24304619)

    > Who cares about a unified username/password "experience".

    fair enough, but i think for many users it would be cool to have a unified identities across several sites. ie, so my MySpace social network could be parsed by YouTube or my favorite online game or what have you. Not saying it's for everyone, but there's certainly some value there for some.

  • by gbjbaanb ( 229885 ) on Wednesday July 23, 2008 @11:10AM (#24304787)

    They do, Passpoor or maybe it's Windows Livid, or something like that I think it's called :-)

    The scary (and probably most likely) outcome is that MS embraces OpenID, adds a couple of you know, essential additions to it to support missing features that it absolutely requires for, say MSN Live Messenger, and then releases "OpenIDLive" which it touts as a completely standards-based* implementation of OpenID, just like it did with Kerberos.

  • by Renderer of Evil ( 604742 ) on Wednesday July 23, 2008 @11:12AM (#24304825) Homepage
    hey, at least Slashdot supports OpenID oh wait...
  • by getuid() ( 1305889 ) on Wednesday July 23, 2008 @11:13AM (#24304855)

    ...even if your data doesn't get stolen, doesn't get lost, and doesn't get compromised in any other way, this is a BadIdea(tm) from a privacy point of view.

    Why? Because if you care about your privacy on-line, one single clue about who you are will give away who you are *everywhere* [on the websites using OpenID authentication]. Have your real name on Facebook? Everyone on the net will be able to find *your* MySpace, AOL, Yahoo, BlogThis and IMThat... account.

    Even if you don't have your real name anywhere: you're still leaving a waaaay longer trail on the 'net than you're doing with a purpose-limited account. Anyone with a clue (and a sane cookie system, like Google) will sooner or later relate pretty much everything you do on the 'net to exactly *your* person. If you're really careful, then you *might* be able to keep those two words making up your name out of the game. But that's about the *only* thing that's not going to be known about your person...

    Either that, or you'll keep creating 2, 3, or even more OpenID accounts -- one for each level of "privacy" you wish to enjoy. But then again, the need of having several OpenID accounts kinda kills the point of centralizing account management...

    Privacy is not a matter of the information itself, it's a matter of how information is linked together (and/or to your person :-)

  • Re:Problem (Score:4, Insightful)

    by Jellybob ( 597204 ) on Wednesday July 23, 2008 @11:17AM (#24304933) Journal

    I know MyOpenID supports using client side SSL certificates for authentication, although in that situation your login really is only as secure as your workstation.

  • Re:DO NOT WANT (Score:3, Insightful)

    by intx13 ( 808988 ) on Wednesday July 23, 2008 @11:19AM (#24304965) Homepage

    Ok. So don't use it. The fact is that many (most?) of us have one or two email accounts that we use for registration purposes. If our email was cracked then all of those registrations are toast. From what I've read, OpenID provides a way to replace this hack (email is not meant for personal identification... it's meant for communicating text efficiently) with a registration system that is as secure as the provider you choose to sign up with. There are providers that give you the same lack of security as email, there are providers that use certificates and fancy-schmancy secure communication, and there are providers that use hardware to verify who you are - you pick the level of security you want when you pick a provider.

    And of course, if you really do want a separate identity for each and every site for which you register, you're free to register multiple OpenID identities.

    Basically, OpenID replaces an email address as a central identity. It provides all of the "ease" of using email addresses, but also provides a wealth of possible security improvements and, of course, single sign-on capabilities.

  • by cortesoft ( 1150075 ) on Wednesday July 23, 2008 @11:20AM (#24304985)
    OpenID doesn't work like this. The user names are tied to a site. So your myspace OpenID would be something like http://myspace.com/hockeypuck [myspace.com]. Someone else could have http://othersite.com/hockeypuck [othersite.com]
  • Re:DO NOT WANT (Score:5, Insightful)

    by Serious Callers Only ( 1022605 ) on Wednesday July 23, 2008 @11:28AM (#24305137)

    And if only ONE of those websites is compromised, my login is now compromised across the board,

    Take the trouble to read up on OpenID, and you'll find this is not the case. Having one site which you log in to compromised will not compromise the others. The only way you'd lose control of your openid identity is if your openID provider was compromised.

    You can also select how much information you disclose to different sites, revoke permissions to certain sites, and choose more secure login methods like certificates.

  • by Anonymous Coward on Wednesday July 23, 2008 @11:34AM (#24305233)

    The thing is, most people don't have different usernames and passwords for each site. A ton of people use the same password for MySpace, Gmail, Amazon, work, school, their bank, etc. At least with OpenID most of these sites would not get to see your password.

    It could be a single point of failure, but maybe that's not a bad thing when talking about protecting secrets like passwords?

  • by GrumblyStuff ( 870046 ) on Wednesday July 23, 2008 @11:40AM (#24305347)

    GAWD the amount of "OMG Single point of failure PONIES" posts is ridiculous.

    You do NOT give OpenID all your passwords and logins.

    It's not turning all those accounts over to a third-party and them giving you a single login and password.

    It's using ONE account at MANY other sites in a limited form.

    Example: using my account here (http://www.slashdot.org/~GrumblyStuff/), I'd post it into the separate OpenID field on say... MySpace.

    This takes me to a confirmation page on Slashdot that requires being logged into said account. You're logged in? Then everything is peachy and you can be added to friends, add friends, write comments, whatever on MySpace. You'll have an account there that simply has a link to your Slashdot account.

    THAT'S IT.

    I RTFS. I RTFA. I even went to the OpenID website [openid.net] to make sure they hadn't gotten some dumb fuck idea like most everyone writing comments here is freaking out over.

    OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.

    Note the key phrase "eliminates the need for multiple usernames". That means not needing an account at MySpace, Facebook, or Livejournal to message a friend.

    I don't know how AOL, Wordpress, and Yahoo fit in (if they got blogs or if it's to be used with IMs or email) but it works alright with regular blogs. (I don't know wtf Vox is though.)
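The login flow described in the comment above, and the earlier claim in the thread that one compromised site does not expose the others, as an added example that is not part of any original post. It is a simplified model rather than the OpenID wire format: the class names, the example.com/example.net URLs, the password and the per-site HMAC key standing in for the provider association are all assumptions.

```javascript
// Added illustration: simplified model of an OpenID-style login (not the real protocol messages).
const crypto = require('crypto');

const ID = 'https://provider.example/~alice'; // constructed identifier

function sign(key, { identifier, realm, nonce }) {
  return crypto.createHmac('sha256', key)
    .update(JSON.stringify([identifier, realm, nonce])).digest('hex');
}

// Provider: the only party that stores a password verifier or checks the password.
class Provider {
  constructor() { this.users = new Map(); this.associations = new Map(); }
  register(identifier, password) {
    const salt = crypto.randomBytes(16);
    this.users.set(identifier, { salt, hash: crypto.scryptSync(password, salt, 32) });
  }
  associate(realm) { // stands in for the key agreement between a site and the provider
    const key = crypto.randomBytes(32);
    this.associations.set(realm, key);
    return key;
  }
  // The user authenticates on the provider's own page and receives a signed assertion.
  assert(identifier, password, realm, nonce) {
    const u = this.users.get(identifier);
    const key = this.associations.get(realm);
    if (!u || !key) return null;
    const candidate = crypto.scryptSync(password, u.salt, 32);
    if (!crypto.timingSafeEqual(candidate, u.hash)) return null;
    const fields = { identifier, realm, nonce };
    return { ...fields, sig: sign(key, fields) };
  }
}

// Relying party: holds linked identifiers and its own MAC key, never a password.
class RelyingParty {
  constructor(realm, provider) {
    this.realm = realm;
    this.key = provider.associate(realm);
    this.pending = new Set();  // nonces issued and not yet consumed
    this.accounts = new Set(); // identifiers that have logged in here
  }
  startLogin() {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.pending.add(nonce);
    return nonce;
  }
  finishLogin(a) {
    if (!a || a.realm !== this.realm || !this.pending.delete(a.nonce)) return false;
    const expected = Buffer.from(sign(this.key, a), 'hex');
    const got = Buffer.from(String(a.sig), 'hex');
    if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) return false;
    this.accounts.add(a.identifier);
    return true;
  }
}

function openidDemo() {
  const op = new Provider();
  op.register(ID, 'correct horse');
  const siteA = new RelyingParty('https://site-a.example/', op);
  const siteB = new RelyingParty('https://site-b.example/', op);
  const assertion = op.assert(ID, 'correct horse', siteA.realm, siteA.startLogin());
  // Everything site A holds (its key, a past assertion) is useless at site B.
  const forged = { identifier: ID, realm: siteB.realm, nonce: siteB.startLogin() };
  forged.sig = sign(siteA.key, forged);
  return {
    loginAtA: siteA.finishLogin(assertion),
    replayAtA: siteA.finishLogin(assertion), // nonce already consumed
    forgedAtB: siteB.finishLogin(forged),    // signed with the wrong site's key
    wrongPassword: op.assert(ID, 'guess', siteA.realm, siteA.startLogin()),
  };
}
```

The provider remains the single place where the credential can be lost, which is the trade-off the rest of the thread argues about.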

  • Re:Damned MS... (Score:3, Insightful)

    by CastrTroy ( 595695 ) on Wednesday July 23, 2008 @11:49AM (#24305503)
    Yes, because everyone in the world should go ahead and create their own domain name, pay for a hosting service (or host their own servers), just so they don't have to remember multiple passwords. Sorry, I'll just stick with PasswordSafe for now.
  • Public keys ? (Score:3, Insightful)

    by smoker2 ( 750216 ) on Wednesday July 23, 2008 @12:06PM (#24305823) Homepage Journal
    Why can't we have a system based on our own public keys ? You could upload your public key to whatever site you wanted, without needing to transmit a password at all, ever.
    Your password stays on your machine, and never gets shared over a network. This would eliminate needing multiple passwords for multiple sites. It works well for SSH, which I think is a tad more secure than having username/password pairs being sent to a myriad of different sites.
    Also, a public key based system, would allow you to be anyone you wanted on any site, as long as your public key could be validated against your private key.
    Kind of like a validated session cookie, you could visit a site and instantly be logged in as the user you specified originally. My password for my SSH private key is a fairly long sentence, but I only have to enter it once per local login session ( I use the SSH agent). If the sites I visit were to make use of that, then I would never need another username-password pair again.
    Of course this idea is not new and the principle can be found in many flavours of password storing agent software, but they all use their own standards, and they all transmit the stored password, rather than just sending a 1 or a 0.

    Note I do not propose that the browser handles the verification, but that it hands off to the OS for verification, then takes the OS's response and transmits that to the web site concerned. Said website can then use a session cookie to track state as usual.
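An SSH-style public-key login of the kind this comment refers to, as an added example that is not part of the original post. It assumes a challenge-response design with Ed25519 keys: the site stores only the public key, issues a fresh challenge, and checks a signature over its own origin plus that challenge. The class names, origins and username are hypothetical.

```javascript
// Added illustration: challenge-response login with a per-user key pair.
const crypto = require('crypto');

// The signed message binds the challenge to the site that issued it.
function message(origin, challenge) {
  return Buffer.from(`${origin}\n${challenge}`);
}

// Site: stores public keys only, so a database leak exposes nothing that can log in.
class Site {
  constructor(origin) {
    this.origin = origin;
    this.keys = new Map();       // username -> public key (PEM)
    this.challenges = new Map(); // username -> outstanding challenge
  }
  enroll(username, publicKeyPem) { this.keys.set(username, publicKeyPem); }
  challenge(username) {
    const c = crypto.randomBytes(32).toString('hex');
    this.challenges.set(username, c);
    return c;
  }
  login(username, signature) {
    const pem = this.keys.get(username);
    const c = this.challenges.get(username);
    this.challenges.delete(username); // each challenge is single use
    if (!pem || !c) return false;
    return crypto.verify(null, message(this.origin, c), pem, signature);
  }
}

// Agent: plays the role of the local key agent; the private key never leaves it.
class Agent {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(origin, challenge) {
    return crypto.sign(null, message(origin, challenge), this.privateKey);
  }
}

function keyLoginDemo() {
  const site = new Site('https://site-a.example');
  const agent = new Agent();
  site.enroll('alice', agent.publicKeyPem);

  const sig1 = agent.sign(site.origin, site.challenge('alice'));
  const login = site.login('alice', sig1);

  site.challenge('alice');                  // a new challenge is now outstanding
  const replay = site.login('alice', sig1); // old signature does not match it

  const c3 = site.challenge('alice');       // signature made for a different origin
  const otherOrigin = site.login('alice', agent.sign('https://site-b.example', c3));

  const c4 = site.challenge('alice');       // signature from a key that was never enrolled
  const otherKey = site.login('alice', new Agent().sign(site.origin, c4));

  return { login, replay, otherOrigin, otherKey };
}
```

The site verifies a signature itself instead of accepting a yes/no answer from the client, because a bare result sent by the client could be asserted by anyone.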
  • by gnupun ( 752725 ) on Wednesday July 23, 2008 @12:32PM (#24306347)

    Beware, gullible sheep, Big Brother wants to track all your web activities using a single "Open" ID, starting with personal data-mining sites like MySpace and Facebook. Isn't there enough tracking from ISPs, search engines, and large websites already?

    This tracking is great for big brother, but sucks for the little man, who would prefer the anonymity of dynamic IP address, and multiple, fake online personas. This OpenID idea is stupid in concept, unless there is a malicious intent to spy on everyone.

  • Re:Web Monoculture (Score:5, Insightful)

    by Sancho ( 17056 ) * on Wednesday July 23, 2008 @03:23PM (#24309429) Homepage

    It's just a little different from that. Let's look at a couple of scenarios.

    Scenario 1: You have accounts all over the place. You use different passwords for each of them. You have multi-factor authentication for several of them.
    This is pretty secure, but of course, you have to remember your passwords. You may have to carry around several dongles. If a site is hacked and the password on it is recoverable, only that site is hacked. This scenario, however, is unrealistic for the masses.

    Scenario 2: You have accounts all over the place. They all have the same password. You probably don't have multi-factor authentication on any of them, but who knows--maybe your WoW account really is that important to you.
    This is horrible security. If a site is hacked, the attacker now has access to your entire web presence. You'll be forced to change your password in dozens of places, and you're almost certain to forget a few.

    Scenario 3: You have a single sign-on provider (like OpenID). You have accounts all over the place, but only a single password, stored on a single server. If that server is hacked, the attacker has access to all of your accounts for the time period that it takes you to realize the issue and change your authenticator to a new host. You don't have to remember a password for each site you visit. The individual sites never have access to your password. You may use multi-factor authentication on your OpenID site to reduce the likelihood that a hack will give carte blanche access to all of your accounts, and you don't have to carry around a dozen dongles to provide "something you have."

    Do you see how Scenario 3 is a compromise between the two? Do you realize that Scenario 2 is how most people use the web? Scenario 3 is better security than what most people use, while maintaining the convenience. If you don't like the idea of using OpenID, you aren't forced to. You can create a new OpenID for every website you wish to use. OpenID allows for better security in a realistic world (where people reuse passwords) when, currently, the only other option is password-management Hell.

  • Re:Web Monoculture (Score:2, Insightful)

    by supervillainsf ( 820395 ) on Wednesday July 23, 2008 @04:33PM (#24310469)
    I agree that there is definitely a lack of security conscious behavior on the internet, however I think there are some circumstances that mitigate the problems seen in scenario 2.

    For sites that use your email address as your login, I hope that someone signing up for that service would not use their email password. In fact many people I know, who use ISP provided accounts, only knew their password when they set up Outlook Express. Gmail and its ilk are obviously a different story.

    Scenario 2 assumes that people are able to get the same user id on every site they use. My experience is that this is not the case. Especially as the internet becomes utilized by a greater population simple or consistent id's are not available for long after a site comes into existence. So unless an attacker has been reading the autofill information in a victim's browser preferences, he is probably not going to be able to access more than one or two sites.

    I am not saying this is indicative of the mentality of internet users in general, but recently I was helping my mother with something that required a password and she was very conscious of the security of her password regardless of the fact that she is almost completely lost when it comes to most things computer related. Now admittedly I got the impression that she thinks her passwords are stored in a Caesar Cipher out in the open, but that does tell me security issues are filtering down to the masses.

    You are correct in that OpenID does create a suitable compromise between Scenarios 1 and 2. However, once OpenID is commonly used there will be a new set of security problems that users are faced with. Even considering the limited success rate of phishing attacks, once a user's OpenID is compromised, it becomes trivial to automate attacks on possible accounts across popular sites. Also, we are now relying on the reliability and integrity of a third party OpenID provider. It is easy to say "if you have doubts, move your OpenID", but that solution assumes anything but blind trust, which seems to be the default in many cases. It also assumes that if the OpenID server has been compromised that the user will become aware within a reasonable amount of time in order to minimize that damage done. Admittedly, if the damage is limited to someone's blog and myspace account, really, who cares. But if that damage crosses over to financial and government accounts then it becomes a much bigger issue. I can't even imagine the lawsuit shit storm that would befall some poor guy who decided to become an OpenID provider in that circumstance.
  • Re:Damned MS... (Score:3, Insightful)

    by gilgongo ( 57446 ) on Wednesday July 23, 2008 @06:06PM (#24311747) Homepage Journal

    "How in the freaking hell is a single sign on going to make it better?"

    OpenID recognises two things:

    1. The fact that the vast majority of people use (or try to use) the same password for every system they have. For the systems they can't use their preferred password for, they write the password on a sticky note, and put it on their monitor.

    2. The fact that most people have a handful of important accounts (banking, mainly), and then a long tail of fairly trivial stuff. Somebody might cause you a lot of embarrassment if they got control of your Facebook account, but it's pretty easy to recover. Cases of insidious and subtle compromises leading to significant damage are in fact very rare.

    In my view, OpenID is the intelligent solution to the long tail of personal security issues we see today. It is not a solution for high-security, but then high security is needed in only a small fraction of web use. What's stupid is perpetuating a multiplicity of accounts using the same password.

    Incidentally, MS won't support OpenID because they have Passport. It's a corporate pride thing and has nothing to do with the quality, or otherwise, of OpenID.
