
Critical reflections on OpenID technology.

I want to share some thoughts on the growing popularity of OpenID technology.


If you do not know what it is, there is an article on this technology describing its principles.

Let's start with the situation around the storage of user data that exists now.
You have passwords for your mail, for a forum, for Habr, for LJ.

Storage options:

1. You remember all your passwords.
2. You write your passwords to a file.
3. You trust your passwords to a program, a "password manager".

Important point:
You do not have to give the manager the names (URLs) of the services the passwords belong to.
No one knows that you are using a password manager.
No one knows which password manager you use.

The first option is perfect, no problem. You trust only yourself.
The second option: you trust your passwords to your computer.
The third option: you trust your passwords to a specialized third-party program.
This automatically means that you also trust the developer of that program.

In cases (1) and (2), unauthorized use of your passwords is exclusively your fault. The data can disappear only from your computer.
In case (3), the possible fault of the program's developer is added to your own. Passwords can also "leave" through that developer's program.

Remember that in addition to the passwords on the user's side, there are passwords (or derivatives of them) on the side of each service the user uses.
Services have different authentication systems.
Each service has its own vulnerabilities that allow access to your mail, your diary account, and so on.
But there are no universal vulnerabilities that allow access to all your accounts at once.

What does OpenID technology offer?

In fact, after registering with the OpenID server, you have one master password suitable for all the services you use.

There is a single standard protocol through which services communicate with the OpenID identity server. The authentication system is unified on the OpenID server.

The identity server knows absolutely all the services on which you use this OpenID.
The identity server knows your master password.
Services trust this OpenID server.
Absolutely everyone knows which OpenID server you are using.
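To make the properties listed above concrete, here is an added example (not code from the original post) that models a simplified OpenID 2.0-style flow: the relying party (RP) establishes an association secret with the identity provider (IdP), the user authenticates at the IdP with the master password, and the RP verifies the HMAC-signed assertion. The class and function names, the identity `alice.example` and the RP URLs are all constructed for illustration; the model shows why the IdP necessarily learns every service the user logs in to.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass, field

# Hypothetical minimal model of an OpenID 2.0-style association + checkid flow.
# It is not a real library; it only illustrates the trust relationships.

def sign(secret, fields):
    """HMAC over the sorted assertion fields (everything except the signature)."""
    signed = ",".join(f"{k}:{fields[k]}" for k in sorted(fields) if k != "sig")
    return hmac.new(secret, signed.encode(), hashlib.sha256).hexdigest()

@dataclass
class IdentityProvider:
    passwords: dict                                   # identity -> master password (constructed)
    associations: dict = field(default_factory=dict)  # assoc handle -> shared secret
    seen_rps: dict = field(default_factory=dict)      # identity -> set of RP return_to URLs

    def associate(self):
        """RP obtains a shared secret (association) from the IdP."""
        handle = secrets.token_hex(8)
        self.associations[handle] = secrets.token_bytes(32)
        return handle, self.associations[handle]

    def checkid(self, identity, password, handle, return_to):
        """User logs in at the IdP; returns a signed positive assertion, or None."""
        if not hmac.compare_digest(self.passwords.get(identity, ""), password):
            return None
        # The IdP sees the return_to of every RP the user authenticates to.
        self.seen_rps.setdefault(identity, set()).add(return_to)
        fields = {"identity": identity, "return_to": return_to,
                  "assoc_handle": handle, "response_nonce": secrets.token_hex(8)}
        fields["sig"] = sign(self.associations[handle], fields)
        return fields

def rp_verify(secret, expected_return_to, assertion):
    """RP accepts only an assertion addressed to it and signed with its secret."""
    if assertion is None or assertion["return_to"] != expected_return_to:
        return False
    return hmac.compare_digest(sign(secret, assertion), assertion["sig"])

def demo():
    idp = IdentityProvider(passwords={"alice.example": "master-pw"})  # constructed
    rps = ["https://forum.example/return", "https://blog.example/return"]
    results = {}
    for url in rps:
        handle, secret = idp.associate()
        ok = rp_verify(secret, url, idp.checkid("alice.example", "master-pw", handle, url))
        bad = rp_verify(secret, url, idp.checkid("alice.example", "wrong-pw", handle, url))
        results[url] = (ok, bad)
    return results, idp.seen_rps["alice.example"]
```

The same master password unlocks every RP, and `seen_rps` is exactly the list of services the identity server learns about.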

It turns out that you only need to keep the master password safe (and preferably not on the computer).
You need not worry: if the computer is hacked (or stolen), the attackers will not get access to the services on which you are registered.

In that case the fault lies not with you but with the identity server.

But will that make things any easier for you? What can you demand from it?

When using OpenID, you have to try not to think about the fact that there are no invulnerable protocols, services or servers.
You simply have to believe the opposite.

The idea behind this technology is definitely a good idea.
But when an idea becomes technology, it has its own field of application, its pros and cons.
The question is how far the pros outweigh the cons, enough to make the technology standard-setting and/or universal.

What happens this time, we will soon find out.

Source: https://habr.com/ru/post/3901/
