Are OpenID Identity URLs sensitive information?

Are OpenID Identity URLs considered sensitive information? For example, is it safe to store plain text OpenID Identity URLs in a DB or whatnot?

I can't think of any reason that you shouldn't... but damn am I good at being wrong sometimes!


In my opinion, it should be considered secret. It's safe to store in DBs as plain text, but I wouldn't go around displaying people's OpenIDs for anyone to view. There are numerous reasons, some being:

  • It's not necessary
  • It (combined with the password) is the key to a lot of doors; thus it looks quite juicy to an attacker
  • On individual websites you can customise your identity; if the OpenID is public on each of these, it would be possible to gather information about somebody who has tried to maintain independence on various sites

It's not critical that it remains private, however, hence the extra effort to hash (and salt/etc) it is not really necessary. It just creates another place to maintain a bit of complexity, and an area that could go wrong. That said, if I saw it done, I wouldn't really be upset about it.

Certainly, I think it is wrong to consider an OpenID as a public bit of information.


The OpenID is, basically, the User Name portion of a login. You don't need to treat it with any more security than you would any other UserID.
