For those Relying Parties (RP) that allow the user to specify the OpenID Provider (OP), it seems to me than anyone that knows or guesses your OpenID could
- Enter their own OP address.
- Have it validate them as owning your OpenID.
- Access your account on the RP.
The RP "could" take measures to prevent this by only allowing the OpenID to validated by the original OP, but...
- How do you know they do?
- You could never change your OP without also changing your OpenID.
OpenID is one of those systems where you have to trust the end-points. If the RP isn't trustworthy, then this kind of association poisoning is entirely possible. If the RP is actually trustworthy, then this kind of attack is MUCH harder. The 'work around' for not being vulnerable to this attack is to key the local security principle (on ServerFault this would be your username's representation in the back end database) with the foreign OpenID endpoint (the OpenID URL, ServerFault allows you to associate multiples of these).
You can still attack by way of a DNS poisoning attack on the RP's part, such that, say *.livejournal.com gets redirected to an OP you've specially crafted for the attack. But that's a DNS poisoning attack, not a fault in OpenID itself. OpenID is just vulnerable to DNS poisioning.
I think you're confusing OpenID and the other parts of User Security. Your OP is the authentication mechanism, not your account. Here on ServerFault, you have an account. That account has no means of authentication by itself; except you point it to one or more OPs.
Wheen you try to login to your Account here as SF, it asks your OP to handle Authentication. Only that one OP (or the multiple OPs, however you have it setup) can Authenticate you for the purposes of your SF Account.
There are three parts to a typical login system (called triple "A", or just "AAA"):
You can read more about AAA systems on Wikipedia.
David, your assumption is false. OpenID works like this: 1) You want to log in to site relyingparty.com 2) You give relyingparty.com your OpenID, e.g. david.com 3) relyingparty.com checks david.com (hey, it's a URL) for a so called OpenID endpoint which can be found at david.com but through means of delegation also somewhere else, e.g. yahoo.com or google.com. let's call it davidsopenidprovider.com 4) You're redirected to davidsopenidprovider.com now. davidsopenidprovider.com's job is to authenticate you. You have to log in to davidsopenidprovider.com. It is up to davidsopenidprovider.com how this login works. It can be username/password, it can be information cards, browser certificates, fingerprints, smart cards, out-of-band mechanisms like call verification,... It's up to davidsopenidprovider.com how it handles authentication. Then It asks if you really want to log in to relyingparty.com. 5) If you successfully logged in to davidsopenidprovider.com you will be redirected back to relyingparty.com and automatically logged in there. 6) davidsopenidprovider.com only assures relyingparty.com that you are who you claim you are. It doesn't send any password.
So your assumption "As a consumer, When I create an account on any-site.com, I have no notion of the intelligence of the developers / site managers." is false in regards to OpenID. If there's a weak point, it's the provider but not any-site.com. That's the problem with traditional username/password logins now. You have to trust each site which offers logins that way and not only one, your OpenID provider.
I hope this helps understanding OpenID.
The same way you know that any old site is passing along your password to someone else - you don't. That's why you use what's likely to be a reputable company.
Sure you can. Look into OpenID delegation.
My OpenID is http://ceejayoz.com/, but my OP is WordPress.com. Two
META
tags in the head of http://ceejayoz.com/ allow me to do this, and I can change it anytime I like.Your openID is your provider.
pwnguin.net
is my openID. This is not subject to guessing, it's simply a known fact. What protects my openID is the software running on pwnguin.net, which only replies in the affirmative if the visitor in question has a auth cookie.I won't say openID is secure; there's all kinds of cross site scripting that could go on, or some mundane details I tend to ignore or get wrong.
This is what I've garnered from the replies here...
OpenID is only as secure as the parties involved and that is true of any authentication method. I realized that before I started this discussion.
The issue with OpenID, as it seems to me is two-fold...
Your LoginID is no longer a secret shared only between you and the site you use it on. It is your OpenID and is known by every site you use it on, and is something easily guessable like an email address or something derived from your email address or something similar.
RP's may implement OpenIP on their site without doing due diligence assuming that because they are using a widely accepted 'protocol' that it is secure. Granted, most run-of-the-mill web site developers have no true concept of how to secure a site but, if they implement their own security, at least issue #1 doesn't come into play.
As a consumer, When I create an account on any-site.com, I have no notion of the intelligence of the developers / site managers. I use an ID that I don't think will be easily guessable. I don't want serverfault.com to know the ID I use to login to Etrade.com. I also use a different password on every site and manage those passwords with my own scheme. It is highly unlikely that my account will be comprised unless the site operatores are total idiots.
With OpenID, everyone in the WEB knows how it works and how to attack it, should the RP not have proper measures in place.
I love open source software, but in the case of OpenID I think it opens up the possibility that there will be inferior implementations available to unsuspecting adopters.
I think this could be all solved by some signed seal of approval that assures the consumer that the site has passed an audit and is not vurnurable to hacks.
Maybe I'm just paranoid.