NYPHP.org

[nycphp-talk] OpenID is what?

csnyder chsnyder at gmail.com
Thu Oct 30 09:35:18 EDT 2008


On Wed, Oct 29, 2008 at 10:15 PM, <mikesz at qualityadvantages.com> wrote:

> All of my websites run php forum and CMS software of varying flavors
> so I am not convinced that OpenID is a viable solution to secure them
> against the kinds of attacks I have seen recently

OpenID is a means of authentication using a trusted third party. Its
main benefit is to make it easy for users to register for and consume
services at many different sites, without having to use different
passwords at each one. A secondary benefit is that users don't need to
trust the authentication mechanisms of each site they log into; they
only need to trust their OpenID provider.

OpenID is not going to do much of anything to make your sites more
secure, unless your accounts were hijacked because the authentication
process was inherently insecure (it took place over http, or passwords
were stored as plain text, or it is easy to brute-force the login
script).

OpenID doesn't do anything about cross-site scripting, SQL injection,
insecure file uploads, or any of the 999 other ways that clever bad
guys attack poorly written webapps.


Chris Snyder
http://chxor.chxo.com/


