The Snow In The Summer or So-So

7 March

Yadis? Er, nein

While leafing through IT Veek this week (we read it for the pictures of servers on page three), our eye was caught by Tim Anderson's column. The headline:

Open Id still open to abuse

Excitement about an open-source single sign-on scheme must not trump security concerns

It's the thick end of two years since Bradley Fitzpatrick, fresh from selling LiveJournal to a bunch of spammers and shysters for USD 20 million (then €16,000), announced to the world that he had invented a new, all-singing, all-dancing, federated identity confirmation system, YADIS. Mr. Fitzpatrick's original ambition was to provide limited integration between different blogging platforms, by means of an "I don't know the validity of this person, but I know a server that does" mechanism. YADIS was nothing particularly ground-breaking, but thanks to Mr. Fitzpatrick's employment by a bunch of shysters, YADIS (since renamed OpenID) has the backing of a bunch of media harlots, and has had some very moderate success.

Some of us found the idea less than compelling. As we wrote at the time: "I don't find distinct sign-ons [for distinct sites] in any way 'lame'... I'd be more worried if distinct sites were to share logons, it's a greater privacy risk."

Fast-forward two years, and the computer journalists are playing catch-up. Here's a shortened version of Tim Anderson's column.

Kevin Rose of Digg announced that his site will support OpenID (sic) authentication. This follows AOL’s recent announcement that any AOL username can be used as an OpenID, and Microsoft’s declared intention to integrate OpenID with Windows CardSpace. Simon Willison, formerly of Yahoo, gave a presentation on the advantages of single sign-on and the potential of OpenID to help combat comment spam and other evils.

Single sign-on would be a huge convenience. Just this morning I completed three web registration forms, each requiring new usernames and passwords, to download trial software.

Unfortunately, there are several problems with OpenID. One is its vulnerability to phishing. A user trying to log on to a site that claimed to support OpenID might be typing username and password details into a forged page. Another weakness is that OpenID depends on the URL identifier routing to the correct machine on the internet. This, in turn, depends on DNS, the system by which names are mapped to internet addresses, which is known to have security weaknesses.

The OpenID specification does not even insist on Transport Layer Security (TLS) for every web site that participates in the authentication process. It allows properly secured authentication, but does not insist on it, which is a missed opportunity. The snag with any single sign-on scheme is that if the credentials are stolen, the thief gets access to many accounts, not just one.

OpenID is not a cure-all. It is suitable for commenting on blogs or registering for trial software, but not for e-commerce or online banking.
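Two of the weaknesses in the column, the optional use of TLS and the reliance on the identifier URL resolving to the right machine, can be made concrete by looking at what an OpenID relying party actually learns from discovery. The code below is an added example written for this page; it is not Tim Anderson's, not the blog's, and not taken from any OpenID library. It performs only the HTML-based form of discovery (the `<link rel="openid.server">` / `<link rel="openid2.provider">` tags, with `openid.delegate` / `openid2.local_id` for delegation), not the Yadis/XRDS form, and the identifier pages and hostnames it checks are constructed for the illustration. It flags a cleartext identifier (the discovery document itself can be swapped by anyone who controls DNS or the path), a cleartext provider endpoint (the password goes over the wire unprotected), and a provider on a different host from the identifier. The last is not a defect in itself, since delegating to a separate provider is normal OpenID usage, but it is exactly the case where a user redirected from a relying party has to check that the page asking for a password is the provider they chose rather than a look-alike.

```python
"""Policy checks on HTML-based OpenID discovery.

Added example for this page, not code from the column, the blog or any
OpenID implementation. Hostnames and HTML below are constructed; the
rel names are the ones OpenID 1.x and 2.0 use for HTML discovery.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

PROVIDER_RELS = {"openid.server", "openid2.provider"}    # OP endpoint URL
DELEGATE_RELS = {"openid.delegate", "openid2.local_id"}  # identifier known to the OP


class _LinkCollector(HTMLParser):
    """Collects (rel, href) pairs from <link> tags in the identifier page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if not attr.get("href"):
            return
        # rel may carry several space-separated values
        for rel in attr.get("rel", "").lower().split():
            self.links.append((rel, attr["href"]))


def discover(html):
    """Return (provider_endpoint, local_id) from HTML discovery; None where absent."""
    parser = _LinkCollector()
    parser.feed(html)
    provider = next((h for r, h in parser.links if r in PROVIDER_RELS), None)
    local_id = next((h for r, h in parser.links if r in DELEGATE_RELS), None)
    return provider, local_id


def assess(identifier, html):
    """Return a sorted list of finding codes for an identifier and its page.

    identifier-not-https   discovery document fetched in the clear (DNS/MITM can
                           substitute any provider)
    provider-not-https     the OP endpoint the user will type a password into
                           is not protected by TLS
    provider-host-differs  the OP lives on another host than the identifier;
                           legitimate delegation, but the host the user must
                           verify before entering credentials
    no-provider-link       nothing to log in against at all
    """
    findings = []
    ident = urlparse(identifier)
    if ident.scheme != "https":
        findings.append("identifier-not-https")
    provider, _ = discover(html)
    if provider is None:
        findings.append("no-provider-link")
        return sorted(findings)
    prov = urlparse(provider)
    if prov.scheme != "https":
        findings.append("provider-not-https")
    if prov.hostname != ident.hostname:
        findings.append("provider-host-differs")
    return sorted(findings)


# Constructed identifier pages (not real sites).
WEAK_IDENTIFIER = "http://alice.example.net/"
WEAK_PAGE = """<html><head>
<link rel="openid2.provider" href="http://openid.example.org/server">
<link rel="openid2.local_id" href="http://alice.example.net/">
</head><body>Alice</body></html>"""

HARDENED_IDENTIFIER = "https://alice.example.net/"
HARDENED_PAGE = """<html><head>
<link rel="openid2.provider" href="https://alice.example.net/openid/server">
</head><body>Alice</body></html>"""

if __name__ == "__main__":
    for ident, page in ((WEAK_IDENTIFIER, WEAK_PAGE),
                        (HARDENED_IDENTIFIER, HARDENED_PAGE)):
        print(ident, assess(ident, page) or ["ok"])
```

Running it prints three findings for the cleartext, delegated identifier and none for the hardened one. Note what the hardened case does not fix: the relying party still has to be honest about where it sends the browser, and a hostile relying party can redirect to a forged login page regardless of what discovery said, which is the phishing problem the column raises and which no amount of TLS on the provider side removes.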

Well spotted, sir. YADIS is a back-of-the-envelope solution to a toy problem. It is not, and we don't think it ever can be, a replacement for serious two-factor authentication. We're not convinced that it's an adequate replacement for one-factor authentication where a breach of security is liable to be more than embarrassing. And, like every integrated sign-in ever made, it introduces a single point of failure where one does not need to exist.

In the small space available to him, Mr. Anderson doesn't consider whether YADIS is sufficiently reliable to meet EU rules. Two years ago, our suspicion was that it might not be, and we don't see evidence that the system architecture has changed substantially since then. It is entirely possible that there's an intricacy somewhere in the laws that we're missing, and this is a thoroughly esoteric stick with which to thrash the system.

We do not trust YADIS for anything involving money, for reasons well explained by Tim Anderson. We do not trust YADIS to validate our reputation, because it is the brainchild of a man who does not understand the concept of integrity. We would consider using YADIS to validate our identity in an environment where it didn't much matter if we were who we claimed we were, but using an identity validator to validate untrustworthy identities strikes us as a monumentally illogical step.

In practice, we do not use YADIS for one very simple reason - the opportunity has not presented itself. Outside of Six Apart's empire of money-making scams, we've simply never seen a YADIS logon. That, we suggest, is the flaw that breaks the camel's back.
