lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 23 Mar 2008 17:33:41 -0500
From: reepex <reepex@...il.com>
To: "Petko D. Petkov" <pdp.gnucitizen@...glemail.com>, 
	full-disclosure@...ts.grok.org.uk
Subject: Re: OpenID. The future of authentication on the
	web?

thats right pdp  - go run to your protected lists and blogs where you don't
have to hear anything negative and where you can flame people without
contest who talk against you.

you are another Bill O Reilly and everyone thinks of you as such. enjoy your
sheep.


On Sun, Mar 23, 2008 at 9:52 AM, Petko D. Petkov <
pdp.gnucitizen@...glemail.com> wrote:

> Hi Steven,
>
> I guess most 1337 hax0rs will flame you on this list. There are good
> security blogs you can follow and learn from instead. Full-disclosure
> is for rants and bashing only!
>
> I can point you to some articles that I wrote regarding OpenID,
> however, let me share my thoughts quickly as that will save you some
> time and of course if you are still curious you can go research
> further.
>
> First of all, OpenID is a very simple but rather useful technology.
> With OpenID you have only one account, your ID, which you can use
> everywhere where the OpenID technology is supported. It is not clear
> whether this setup is more secure from what we have at the moment
> (every site forces you to register unique username/password pair) but
> it is definitely more convenient. The first argument "for" OpenID is
> that the more you share your secrets, credits card information,
> usernames, password, the higher the chances this information to be
> leaked or stolen. On the other hand, OpenID is prone to phishing
> attacks so user education is required.
>
> Think about OpenID as the equivalent of PayPal for authentication. In
> theory, it is more secure to pay through paypal as you are not sharing
> your credit card information with everyone else but a single provider.
>
> I am all "for" OpenID as you can spend good time on securing a single
> system. If the OpenID provider is not vulnerable to common Web attacks
> and it provides good privacy mechanisms such as SSL and the top of
> which are build good authentication features such as one-time tokens,
> etc.... then OpenID is the preferable choice. Keep in mind though,
> that if your OpenID account is hacked, the attacker will be able to
> login as you anywhere they want. This is the main concern and
> disadvantage.
>
> pdp
>
> P.S. dear list, the only reason I am not priv-massaging Steven is
> because I believe that there are other people who are interested in
> this topic. So, instead of wasting valuable resources and energy
> answering everyone individually, I've decided to do it once hoping
> that this message will be seen by others. Thanks!
>
> On Sun, Mar 23, 2008 at 12:18 PM, Steven Rakick <stevenrakick@...oo.com>
> wrote:
> > Hello list,
> >
> >  I'm curious what the group thinks about the recent
> >  surge in support for OpenID across the web and the
> >  impact it will have.
> >
> >  1) Beemba - http://www.beemba.com
> >  2) ClaimID - http://www.claimid.com
> >  3) MyOpenID - http://www.myopenid.com
> >  4) Many others...
> >
> >  These sites are gaining in popularity quickly and with
> >  the announcements of support from big players Yahoo,
> >  AOL, Microsoft and Google, combined with smaller
> >  web2.0 celeb-run sites like Digg, OpenID appears to
> >  what will eventually be the norm.
> >
> >  Thoughts?
> >
> >  I've also noticed that many of these sites are
> >  bundling Information Card support (CardSpace on
> >  Windows). Sounds like a good idea as it compliments
> >  OpenID and helps address some weaknesses.
> >
> >  Again, any thoughts?
> >
> >  I'm really just interested in a dialog.
> >
> >  -sr
> >
> >
> >
> ____________________________________________________________________________________
> >  Never miss a thing.  Make Yahoo your home page.
> >  http://www.yahoo.com/r/hs
> >
> >  _______________________________________________
> >  Full-Disclosure - We believe in it.
> >  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >  Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
>
> --
>
> Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters
>
> gnucitizen.org | hakiri.org | spinhunters.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ