Security Quest #4: OpenID and Weekly Update

Back in Security Quest #2 I talked about the PayPal Security Key. The PayPal Security Key can also be registered and used with OpenID through Verisign’s Personal Identity Provider (PIP) program.

OpenID is a URL that serves as an ID to establish your identity, although it doesn’t establish trust. OpenID is still in its infancy and there aren’t a lot of sites I use (read that as none, at least none that promote it) that support OpenID. Still, it’s interesting to think about where OpenID fits into the authentication scheme.

Some of the benefits of OpenID:

  1. Can easily maintain multiple online personas (IDs). For example, one for forums, one for blogs you author, etc…
  2. Makes online IDs easier to manage
  3. Can be more secure if properly managed. You can have multiple OpenIDs for different levels of security. It’s also easier to change one OpenID password regularly instead of multiple online accounts.
  4. It’s decentralized with multiple providers.

There are some potential drawbacks:

  1. OpenID uses the web browser, so it’s only as secure as your browser and your surfing habits. OpenID is based on redirection, so there’s a risk of phishing by redirecting you to a bad site. You just need to be aware of your URLs and be sure they’re using https. Verisign has also put out a Firefox add-in called Seatbelt which helps to manage and protect OpenID. Still, by its nature, the loss of a single OpenID password would allow access to multiple accounts.
  2. OpenID is a potential privacy concern. Your OpenID provider knows what sites you visit and use. But so does Google and Yahoo.
  3. OpenID is still confusing and support is limited. A figure of 5,000 sites gets tossed about, but a look at the OpenID page makes it apparent a typical user isn’t going to wade through all that.

OpenID’s place in my world

OpenID supports delegation so I can use my website as an OpenID (which is just a URL). So my first step will be to enable my site to do this. This makes it easier to change OpenID providers if I want to. It’s also a much shorter URL than Verisign provides.
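To make the delegation step concrete, here is an added example (not code from this post or from any OpenID provider): it parses the OpenID delegation link tags a site publishes in its page head, reports which provider server and delegate identity it points to, and flags any endpoint that isn’t https, which is the check from the drawbacks list above. It also accepts the OpenID 2.0 tag names alongside the 1.1 ones, which goes slightly beyond what the post discusses. The sample page, hostnames and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a personal site's page head that delegates to a
# provider (hostnames are placeholders, not any real provider's).
SAMPLE_PAGE = """
<html><head>
<title>My site</title>
<link rel="openid.server" href="https://pip.example.net/server">
<link rel="openid.delegate" href="https://example-user.pip.example.net/">
</head><body>Hello</body></html>
"""


class LinkTagParser(HTMLParser):
    """Collect the href of every <link rel="..."> tag, keyed by rel value."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attributes = dict(attrs)
        rel = (attributes.get("rel") or "").lower()
        href = attributes.get("href")
        if not href:
            return
        # rel may hold several space-separated tokens; keep the first href seen
        for token in rel.split():
            self.links.setdefault(token, href)


def discover_delegation(html):
    """Return the provider server and delegate identity declared in the page.

    OpenID 1.1 uses openid.server / openid.delegate; OpenID 2.0 uses
    openid2.provider / openid2.local_id. Missing values come back as None.
    """
    parser = LinkTagParser()
    parser.feed(html)
    links = parser.links
    return {
        "server": links.get("openid.server") or links.get("openid2.provider"),
        "delegate": links.get("openid.delegate") or links.get("openid2.local_id"),
    }


def check_delegation(html):
    """Discover delegation and list problems a cautious site owner should fix."""
    info = discover_delegation(html)
    problems = []
    if not info["server"]:
        problems.append("no openid.server link found")
    for name in ("server", "delegate"):
        url = info[name]
        # The post's advice: be sure the URLs involved are using https.
        if url and urlparse(url).scheme != "https":
            problems.append(f"{name} URL is not https: {url}")
    return info, problems


if __name__ == "__main__":
    found, issues = check_delegation(SAMPLE_PAGE)
    print("server:  ", found["server"])
    print("delegate:", found["delegate"])
    print("problems:", issues or "none")
```

Run it against the head of your own site to confirm the delegation tags point where you expect; a non-https server or delegate URL is the case the post warns about, since the browser would be redirected there during login.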

I’ll start looking for OpenID support at the various sites I use. I’m not going to use it for any sites I really want to be secure (online banking and similar sites); I already use unique IDs and passwords for them. But I’ll start using it for other sites when it’s available.

Additional Info

There’s a 50-minute video of Simon Willison’s OpenID presentation at Google available on Google Video.

Vulnerabilities

There was news of a vulnerability in Gmail, although the hole has now been plugged. Check your filters if you use Gmail.

Security Software

Spyware Terminator (freeware) has been updated to version 2.0.1.224.

Lavasoft Ad-Aware (freeware) has been updated to version 7.0.2.3.

News & Information

Tech.Blorge reports on Carnegie Mellon University developing a game to teach anti-phishing skills to web users.

TUAW brings some links with information about running a Mac on an untrusted network.

There’s a company out there that’s asking ISPs to provide click-stream and personal (like location) data so they can target ads to you. AlarmClock has the details, along with TechDirt.

Spammer collecting e-mail addresses or file conversion service? Their current privacy policy would mean it really is a file conversion service. But would spammers lie? Here’s the link.