Jun 24 2008
Last year Michael Santarcangelo and I organized a Security Roundtable with Dan York to discuss OpenID. All three of us like the technology, we like the idea, but we decided that OpenID is only for sites and systems where a compromise would be of little or no concern. In other words, it’s a great project for verifying commenters’ IDs when posting to your website, but it’s not such a great authentication method for logging into your blog yourself. And now Dana Epp has discovered that Six Apart (makers of Movable Type) feel the same way.
I understand Dana’s desire to use OpenID as authentication for his blog, but that’s not what it was meant for. After all, the setup of an OpenID account is fairly simple and merely requires putting a code snippet on a website or blog you control (please correct me if I’m wrong; I haven’t set up or used an OpenID account in over a year, which is a telling stat in itself). Given the rate of web server compromises, that’s not a very high bar for a hacker to have to hurdle to compromise an ID. If all you’re using your ID for is commenting on various blogs, that’s not a big deal, but when you start using it for more serious authentication, that becomes a much more important concern.
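Because the identity hangs on a snippet in a page you host, one practical control is to check that snippet against a pinned baseline. The following is an added example, not code from the original post or from the OpenID project: the `rel` names are the delegation link relations defined by OpenID 1.x and 2.0, while the URLs, the sample pages and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Delegation link relations from OpenID 1.x and OpenID 2.0.
DELEGATION_RELS = {"openid.server", "openid.delegate",
                   "openid2.provider", "openid2.local_id"}

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = {}  # rel token -> set of href values seen

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        href = (a.get("href") or "").strip()
        # rel can carry several space-separated tokens in one tag.
        for rel in (a.get("rel") or "").lower().split():
            if rel in DELEGATION_RELS:
                self.found.setdefault(rel, set()).add(href)

def extract_delegation(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.found

def check_delegation(html, baseline):
    """Return a list of findings; an empty list means the page matches."""
    found = extract_delegation(html)
    findings = []
    for rel in sorted(DELEGATION_RELS):
        expected, seen = baseline.get(rel), found.get(rel, set())
        if expected is None:
            if seen:
                findings.append(f"unexpected {rel}: {sorted(seen)}")
        elif seen != {expected}:
            findings.append(f"{rel}: expected {expected!r}, found {sorted(seen)}")
    return findings

# Constructed baseline and sample pages (hypothetical provider URLs).
BASELINE = {"openid.server": "https://provider.example/server",
            "openid.delegate": "https://provider.example/user/alice"}
GOOD_PAGE = ('<head><link rel="openid.server" href="https://provider.example/server">'
             '<link rel="openid.delegate" href="https://provider.example/user/alice"></head>')
TAMPERED_PAGE = ('<head><link rel="openid2.provider openid.server" '
                 'href="https://other.example/server">'
                 '<link rel="openid.delegate" href="https://provider.example/user/alice" /></head>')

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, check_delegation(page, BASELINE) or "OK")
```

Run against the fetched page on a schedule, any non-empty result means the delegation tags no longer point where you pinned them.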
I’m glad that an organization like Movable Type understands the limitations of OpenID. While I’m sure some comment spammers are trying to break OpenID, the majority of the bad guys are probably ignoring it as a low-impact authentication method. It would be nice to have a way to verify your identity across the Internet, but the reality is any identification method that becomes used in more important targets is going to become the target of intense attack. I’d rather see the people behind OpenID understanding the limitations of their project and treating it appropriately. There are already too many projects that shoot for the stars and end up falling flat on their faces.