David's questions -server

David

Asked: 2010-03-26 06:27:39 +0800 CST

Is OpenID this easy to hack or am I missing something?

For those Relying Parties (RP) that allow the user to specify the OpenID Provider (OP), it seems to me than anyone that knows or guesses your OpenID could

Enter their own OP address.
Have it validate them as owning your OpenID.
Access your account on the RP.

The RP "could" take measures to prevent this by only allowing the OpenID to validated by the original OP, but...

How do you know they do?
You could never change your OP without also changing your OpenID.

Is OpenID this easy to hack or am I missing something?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?