On Sun, Mar 22, 2009 at 05:39:53PM +0100, Kai Blin wrote:
> On Sunday 22 March 2009 17:29:33 Igor Tarasov wrote:
> > Maybe add openid support and let users connect existing accounts to one openid?
> We decided to go for a secure system, if at all. OpenID was discussed and quickly dropped at the last WineConf.
> Google for "openid security issues" to see what I'm talking about.
I read a bit about OpenID security issues and from that it seems that OpenID is more secure than what we currently use if the Relying Party (the website that wants to authenticate a user, i.e. winehq.org) and the OpenID Provider get their implementation right (i.e. I have not found any security bug in the spec itself). The downside is that there is one more party that can be compromised, the upside is that this party is usually the hardest to compromise and that it ensures that some attacks don't work on the other two parties (that previously worked).
I may be wrong, so please correct me.
Does anyone know of a possible attack against an OpenID enabled winehq.org that would not in principle be possible against our current login system? (i.e. CSRF or XSS against an OpenID Provider is a possibility, but it is also a possibility against winehq.org with our current login system, so it doesn't count; anything that needs sniffing of the communication from/to the user or OpenID provider doesn't count as our current login system is not protected against that, same with Phishing)?
Jan
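The message above hinges on the Relying Party "getting its implementation right". As an added example that is not from this thread or from the WineHQ code, the block below models the checks an OpenID 2.0 Relying Party has to perform on a positive assertion before it trusts the login: every required field is covered by the signature, `return_to` is the RP's own URL, `op_endpoint` is the endpoint discovery found for the claimed identifier, `response_nonce` is fresh and not reused, and the HMAC over the signed fields verifies under the association key. Field names follow the spec; the function names, the in-memory nonce store, the 5-minute freshness window, the association key and all URLs and values are constructed assumptions.

```python
import base64
import calendar
import hashlib
import hmac
import time

# Assumed, simplified model of the positive-assertion checks an OpenID 2.0
# Relying Party performs before trusting a login. Field names follow the spec;
# the function names, the in-memory nonce store and the 5-minute window are
# assumptions made for this example.

REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
NONCE_MAX_AGE = 300  # seconds a response_nonce stays acceptable (constructed policy)


def kv_encode(fields, signed):
    """Key-Value Form encoding of the signed fields, in openid.signed order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)


def sign_fields(assoc_key, fields):
    """HMAC-SHA256 over the signed fields, as the OP computes it with the association key."""
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(assoc_key, kv_encode(fields, signed).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def nonce_timestamp(nonce):
    """The first 20 characters of a response_nonce are an RFC 3339 UTC timestamp."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))


def verify_assertion(fields, assoc_key, expected_return_to, discovered_endpoint, seen_nonces, now):
    """Return (ok, reason). seen_nonces is the RP's store of nonces already accepted."""
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = set(fields.get("openid.signed", "").split(","))
    # claimed_id and identity must be signed whenever they are present
    needed = REQUIRED_SIGNED | ({"claimed_id", "identity"} if "openid.claimed_id" in fields else set())
    if not needed <= signed:
        return False, "required field not covered by signature"
    if any("openid." + k not in fields for k in signed):
        return False, "signed field missing from response"
    # return_to must be ours, and the OP answering must be the one discovery
    # found for the claimed identifier (otherwise any OP could assert any id)
    if fields["openid.return_to"] != expected_return_to:
        return False, "return_to mismatch"
    if fields["openid.op_endpoint"] != discovered_endpoint:
        return False, "op_endpoint does not match discovered endpoint"
    nonce = fields["openid.response_nonce"]
    try:
        issued = nonce_timestamp(nonce)
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - issued) > NONCE_MAX_AGE:
        return False, "stale response_nonce"
    if nonce in seen_nonces:
        return False, "replayed response_nonce"
    expected = sign_fields(assoc_key, fields)
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)  # record the nonce only after every check passed
    return True, "ok"


# Constructed sample data: association key, OP endpoint, RP return URL, clock.
ASSOC_KEY = b"constructed-shared-secret-from-association"
OP = "https://op.example/server"
RETURN_TO = "https://winehq.example/login/return"
NOW = calendar.timegm(time.strptime("2009-03-22T16:40:10Z", "%Y-%m-%dT%H:%M:%SZ"))


def sample_response():
    """A constructed positive assertion as the OP would redirect it to return_to."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP,
        "openid.claimed_id": "https://op.example/jan",
        "openid.identity": "https://op.example/jan",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2009-03-22T16:39:53Zabc123",
        "openid.assoc_handle": "assoc-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign_fields(ASSOC_KEY, fields)
    return fields


if __name__ == "__main__":
    seen = set()
    print(verify_assertion(sample_response(), ASSOC_KEY, RETURN_TO, OP, seen, NOW))
    print(verify_assertion(sample_response(), ASSOC_KEY, RETURN_TO, OP, seen, NOW))  # replay
```

The order of the checks matters for the point Jan raises: a forged or replayed response is rejected by the nonce store and the signature, and a response from a different OP is rejected by the `op_endpoint` comparison against what discovery returned, so an OP can only vouch for identifiers it is actually authoritative for. Dropping any one of these checks is exactly the kind of RP implementation bug that turns a sound protocol into a login bypass.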