What might solve OpenID's security problems
The problem I have with OpenID is how anyone can put up a form that looks like yahoo/google's form and direct users there and steel the passwords. This affects me as a user (though I can be careful about it), but it affects OpenID providers. What can be done to prevent this? Other than educating the users to look at the URL and all this. I mea开发者_JAVA百科n a technical way to prevent this.
This problem is called Trusted Path and there are few good solutions to it. Ka-Ping Yee's thesis, linked in that wikipedia article includes a good treatment of it though.
That essentially boils down to a phishing attack. This isn't something that can easily be prevented from a technical point of view, unless there's mutual agreements between all authentication partys involved. Some banks now show an image that the user selected. In effect, the bank is trying to prove that they are that actual bank (because they know what image you chose during registration) and the user is providing the bank with a password to show that they are authorized to access the account.
One idea I've always liked (not only because it's my idea), is that you can solve this problem by never allowing the user to have their own password. The strategy would be that, to log in, the user visits the website they want to log in to, and requests an authentication token. The token is then emailed to them, valid for a little bit, and they just click the link to log in.
The obvious problems to this, approach, though, are that: Your email can't do it. So, it's shifting the problem slightly. But, if you authenticate with your email provider, or whoever, via the client-side certificate approach: http://en.wikipedia.org/wiki/Mutual_authentication, and give some other things a bit of thought (i.e. ensuring transmission of the details of the login link aren't intercepted, etc), it's at the very least "interesting" to think about.
But, in general, the way to solve your problem is: authenticate both sides of the transaction; i.e. ensure that the website you are talking to is the one you want, before sending it anything you care about.
I'm not into the openID authentication protocol but SSL (is the way to go, it) makes the website trustable and the browsers should really start to have like lists of websites like google, yahoo, youtube, facebook etc that use that technology and refuse to open the website without getting the proper certificate first.
Thats a solution that goes a little bit beyond the scope of your problem but also solves it. Because think about this... if StackOverflow starts using SSL why the browser should allow connections to it without getting a proper certificate first? Make sense right?
One single technology, all the problems solved.
精彩评论