It seems to me that OpenID is a pretty broken system.
- The problem(s) with OpenID
- Beginner's guide to OpenID phishing
- OpenID: Security Weaknesses and Phishing Vulnerabilities
- Security analysis of OpenID
Or simply: Search
Maybe OSM should consider not supporting vulnerable security systems. I know that it is optional for the users. But OSM kind of implies (or even warrants) that OpenID is to be trusted by offering OpenID as a solution. I am not sure if OpenID is to be generally trusted as a good solution for online identity. Seems like users can be fooled and phished too easily. My first impression: It better not be recommended at all!
Please prove me wrong if anybody finds other news. Zeptomoon 14:16, 1 September 2011 (BST)
- It's not OpenID that's the issue here; all that it opens up is another way to arrange to end up being the man in the middle. It's not more or less phishing-proof than loading my provider directly and having someone MITM the wire, or DNS poison, etc. If your provider supports it, it can be phishing-proof by using SSL and the user knowing how to check the certificate, or better yet SSL with client auth. But this is no worse than the login form on OSM itself, as again it is not SSL encrypted; funny though, the wiki one is.
- Ewanm89 16:41, 9 December 2011 (UTC)