
AOL Now Supports OpenID

Zonk posted more than 7 years ago | from the making-progress dept.

America Online 163

Nurgled writes "On Sunday John Panzer announced that AOL now has experimental OpenID server support. This means that every AOL user now has an OpenID identifier. OpenID is a decentralized cross-site authentication system which has been growing in popularity over the last few months. AOL is the first large provider to offer OpenID services, and though they do not currently accept logins to their services with OpenID identifiers from elsewhere, they are apparently working on it. The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology."


163 comments

So?? (-1, Troll)

zoomshorts (137587) | more than 7 years ago | (#18062572)

So? Who cares??

Re:So?? (3, Insightful)

MisterCookie (991581) | more than 7 years ago | (#18062582)

People who don't want to manage 5000+ usernames.

Re:So?? (1)

GoldenPhi (1033178) | more than 7 years ago | (#18062622)

The people who don't want to manage 5000+ usernames just use a universal password. Universal passwords are useful, if your friend just told you their password by mistake. Then you'd have access to their entire life, g-mail and all.

Re:So?? (1)

Tony Hoyle (11698) | more than 7 years ago | (#18063066)

So? If someone tells you their openid (or you setup a spoof website to get it) then you have access to their entire life too, if this becomes popular. There is *no* difference.

The only 'universal' IDs that aren't open to such attacks are things like biometrics and one time pads.

This is the whole point (4, Informative)

mrcaseyj (902945) | more than 7 years ago | (#18063636)

So? If someone tells you their openid (or you setup a spoof website to get it) then you have access to their entire life too, if this becomes popular.


It seems OpenID prevents this problem. With OpenID the only thing you give to the websites you login to is your URL (such as https://aol.com/cooldude [aol.com] ). You can even give your URL to your enemies. You never give your OpenID password to any site except AOL, or if you run your own OpenID server, you never give your password to anyone at all. If I understand it right the whole encrypted procedure goes something like this:


You're trying to login to example.com


Example.com says: Who are you?
You say: I'm "https://aol.com/cooldude"
Example.com asks AOL: Is this guy really cooldude?
AOL sends a message to you asking: Example.com says you're trying to log on, is it really you?
You say to AOL: Yea it's me, here's my password to prove it. (AOL doesn't tell example.com your password. Also you save the hassle of entering your password for any site if you already logged in to AOL, like at the beginning of each day.)
AOL says to Example.com: Yes we verified it's cooldude.
Example.com says to you: Hi cooldude from aol.com, we've verified it's you again. Welcome.


Note that if you log into AOL at the beginning of the day, then for you this whole procedure boils down to you just entering your URL to login and then pressing a button from AOL to authorize the login.


Some advantages and disadvantages are:


You can use one username and password for every site and you only have to enter your password once a day.


If you used the same username and password at a lot of sites before, then with OpenID you don't have to worry about your password being compromised on one site by lax security or a crooked site owner (like a phisher) and then having your accounts compromised at all the other sites.


I'm not sure about the privacy issues. If your OpenID provider allows it (or if you set up your own server) you could set up an unlimited number of IDs (eg cooldude2, cooldude3, etc.) I don't see how you would be giving up any more privacy than any other system. And if your provider allows it you could save a lot of trouble and use the same password for all your IDs. Your OpenID provider could track which sites you log into, but you could just be your own provider or choose one you trust not to track you. Of course the sites you log into could require only certain OpenID providers like AOL, Microsoft, Verisign, etc. You might not be able to use your own server. Sites might only accept OpenIDs from providers that use strong identification, like Paypal's requirement that you control a checking account to be confirmed, because banks in the US are required by law to get ID before opening a checking account (says Paypal).

If sites only recognize OpenIDs from certain providers, at least the list of providers would likely be more inclusive than something like Microsoft Passport which has only one provider.

OpenID providers might differentiate themselves on their security. Verisign for example may try to claim that their OpenID service (if they had it) is secure enough to use for bank logins.
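
The exchange mrcaseyj walks through above, as a simplified model added here (not part of the original comment and not the OpenID wire format): the site only ever receives a signed answer from the provider, and the checks on the site's side are what keep that answer from being replayed or reused at another site. The class names, the `/openid/return` path, the `other.example` site and the password are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SIGNED_FIELDS = ("identity", "return_to", "nonce", "assoc_handle")


def sign(key, fields):
    """HMAC over every field the site will rely on."""
    payload = "\n".join(f"{name}:{fields.get(name, '')}" for name in SIGNED_FIELDS)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def verifier(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Provider:
    """The identity provider (AOL in the comment): the only party that checks the password."""
    def __init__(self, host):
        self.host = host
        self._users = {}   # identity URL -> (salt, password verifier)
        self._assoc = {}   # association handle -> MAC key shared with one site

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        identity = f"https://{self.host}/{username}"
        self._users[identity] = (salt, verifier(password, salt))
        return identity

    def associate(self):
        """Give a site its own MAC key (real OpenID negotiates this; simplified here)."""
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._assoc[handle] = key
        return handle, key

    def authenticate(self, request, password):
        """Called from the user's browser, never by the site. Signed assertion or None."""
        record = self._users.get(request["identity"])
        key = self._assoc.get(request["assoc_handle"])
        if record is None or key is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, verifier(password, salt)):
            return None
        assertion = {name: request[name] for name in SIGNED_FIELDS}
        assertion["sig"] = sign(key, assertion)
        return assertion


class RelyingParty:
    """The site being logged in to (example.com in the comment); it never sees a password."""
    def __init__(self, origin, provider):
        self.return_to = f"{origin}/openid/return"   # hypothetical callback path
        self.handle, self._key = provider.associate()
        self._pending = set()   # nonces issued and not yet used

    def begin_login(self, identity):
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return {"identity": identity, "return_to": self.return_to,
                "nonce": nonce, "assoc_handle": self.handle}

    def finish_login(self, assertion):
        if assertion is None:
            return "rejected: provider did not vouch for the user"
        if not hmac.compare_digest(sign(self._key, assertion), assertion.get("sig", "")):
            return "rejected: bad signature"
        if assertion.get("return_to") != self.return_to:
            return "rejected: assertion was issued for another site"
        if assertion.get("nonce") not in self._pending:
            return "rejected: nonce unknown or already used"
        self._pending.discard(assertion["nonce"])
        return "ok: " + assertion["identity"]


def run_demo():
    password = "constructed-demo-password"   # constructed sample value
    aol = Provider("aol.com")
    identity = aol.register("cooldude", password)
    site = RelyingParty("https://example.com", aol)
    other = RelyingParty("https://other.example", aol)   # hypothetical second site
    request = site.begin_login(identity)
    good = aol.authenticate(request, password)
    results = {"password_in_request": password in repr(request)}
    results["login"] = site.finish_login(good)
    results["replay"] = site.finish_login(good)   # same assertion presented twice
    bad = aol.authenticate(site.begin_login(identity), "wrong guess")
    results["wrong_password"] = site.finish_login(bad)
    # An assertion obtained by one site is useless at another: different MAC key.
    elsewhere = aol.authenticate(other.begin_login(identity), password)
    results["cross_site"] = site.finish_login(elsewhere)
    forged = dict(aol.authenticate(site.begin_login(identity), password))
    forged["identity"] = "https://aol.com/someone-else"
    results["tampered"] = site.finish_login(forged)   # identity changed after signing
    return results
```

The model covers the message checks only; it does not stop a site from sending the user to a look-alike of the provider's login page, so the user still has to confirm they are typing the password at the provider's own address.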

Re:So?? (1)

crazed gremlin (978591) | more than 7 years ago | (#18063146)

but you're that person's friend, so you wouldn't steal their identity...would you?

Re:So?? (0)

Anonymous Coward | more than 7 years ago | (#18063250)

Isn't that the purpose of GATOR?

But they don't have to and never did (1)

electrosoccertux (874415) | more than 7 years ago | (#18063602)

All you have to do is pick a unique enough username that nobody else has come up with it yet. Just make it related to something you like and it's very simple. Take mine for example
electro: electronic music
soccer: sport
tux: mascot of Linux

I've never had a problem getting this username registered anywhere.

The same goes with your password. Just cook up a sufficiently secure password that is at least 12 characters long and then use it everywhere. Since you're going to be typing it in a lot, make sure it's easy to type.

Re:So?? (3, Insightful)

memojuez (910304) | more than 7 years ago | (#18062628)

It's a last ditch effort by AOL to stay relevant to the rest of the InterWebs.

redundant acronym syndrome RAS (5, Funny)

evilbessie (873633) | more than 7 years ago | (#18062576)

I'll have a personal Identification PIN number please, what the hell is an OpenID identifier if not an OpenID ID?

Re:redundant acronym syndrome RAS (-1)

Anonymous Coward | more than 7 years ago | (#18062704)

It's like a Bank of American bank account.

Re:redundant acronym syndrome RAS (2, Funny)

Anonymous Coward | more than 7 years ago | (#18062842)

I don't see what your problem is with "personal identification PIN number"; I use mine every time I go withdraw money from the automated teller ATM machine.

Re:redundant acronym syndrome RAS (0)

Anonymous Coward | more than 7 years ago | (#18062860)

I don't see what your problem is with "personal identification PIN number"; I use mine every time I go withdraw money from the automated teller ATM machine.

So you withdraw money from the automated teller automated teller machine machine?

Re: Re:redundant post (1)

RmB303 (623042) | more than 7 years ago | (#18062936)

Wooosh!!

RAS syndrome and U.S. trademark law (4, Informative)

tepples (727027) | more than 7 years ago | (#18063196)

The joke is often repeated. But U.S. trademark law may help explain RAS syndrome. Trademarks are adjectives and should be used with a generic term, even if they contain an abbreviation of the generic term. Hence "TCBY yogurt" even though "TCBY" is "the country's best yogurt", "DC comics" even though "DC" was "detective comics", "SAT reasoning test" even though "SAT" was "scholastic aptitude test", and "SPAM luncheon meat" even though "SPAM" stood for "specially processed assorted meat" at one time. Writers pressured by trademark owners to include the generic terms in their copy tend to overextend the habit of abbreviation + generic even to cases where the abbreviation is not a trademark.

Another cause is to disambiguate homophonic or homographic acronyms. "Put your PIN in the computer" could be misheard as "put your pin (or pen) in the computer", which could damage the machine. "Put your PIN number in the computer" has one interpretation.

Re:RAS syndrome and U.S. trademark law (3, Informative)

molotov303 (182638) | more than 7 years ago | (#18063480)

I'm pretty sure SPAM is SPiced hAM, not specially processed assorted meat.

http://en.wikipedia.org/wiki/Spam_(food) [wikipedia.org]

Re:RAS syndrome and U.S. trademark law (1)

oracle128 (899787) | more than 7 years ago | (#18063640)

"Put your PIN number in the computer" has one interpretation.
I wrote my pen number on the inside of my computer, and it still won't work!

Re:RAS syndrome and U.S. trademark law (0)

Anonymous Coward | more than 7 years ago | (#18063736)

Reduced Instruction Set Computer vs Complete Instruction Set Computer
RISC vs CISC

not

RISC computer vs CISC computer!!!

Re:redundant acronym syndrome RAS (2, Informative)

Vexo (825223) | more than 7 years ago | (#18063214)

Open Identification Identifier, the OpenID ID. It doesn't quite repeat itself.

Cool... (4, Funny)

Spyder_Snyper (1050456) | more than 7 years ago | (#18062584)

So the idea is pretty cool... Now that you've got an OpenID, you could go ahead and use that login on whatever else supports OpenID. The problem lies with the fact that 50% of AOL's userbase doesn't even own a computer. According to some stats that AOL released some time ago...

Re:Cool... (3, Insightful)

fyrewulff (702920) | more than 7 years ago | (#18062976)

When I worked at the library, a majority of the tweens and teens came in just to check/update their MySpace. They didn't even have a computer at home.

Why would we want OpenID? (5, Insightful)

Anonymous Coward | more than 7 years ago | (#18062624)

Single sign-on across the internet is a bad idea. As more sites require it, people's web browsing habits will be tracked on an unprecedented scale. Seriously, what benefit does it provide? I certainly don't want to log onto my bank's website automatically. And in general, I don't want to reveal anything about my identity unless there is a very good reason to do so. The whole purpose of OpenID and similar technologies is to make it easier to track people. This is not the way I want the internet to develop.

Re:Why would we want OpenID? (1)

ukatoton (999756) | more than 7 years ago | (#18062662)

Mod parent up (it's at least an interesting point).

Whereas openID is not explicitly designed for tracking people, it will no doubt make it a lot easier. One ID across many sites will make it easier for someone's entire online persona to be hijacked and/or tracked. As I don't know any specifics of OpenID's security, I'll leave this at that, but for me at least it would be a concern.

Re:Why would we want OpenID? (3, Funny)

networkBoy (774728) | more than 7 years ago | (#18062884)

It's a non-issue.
From TFS:

The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology
good luck with that one...
Brings back thoughts of eternal september
-nB

Re:Why would we want OpenID? (1)

maxume (22995) | more than 7 years ago | (#18062708)

Some people might not care about what direction you want the internet to develop. The ability to carry around identity, and therefore reputation, is more important to them than the agony of other people knowing what they wrote in two different places.

The good news is that there will invariably be providers that allow the creation of multiple ids, so all you have to do to have multiple sign ins all over the place is create them. The difference is that people that don't like care can go ahead and enjoy the convenience.

And yes, if your bank uses it for authentication, fire them.

Re:Why would we want OpenID? (1, Informative)

Anonymous Coward | more than 7 years ago | (#18062752)

Due to the way OpenID works, only your OpenID provider may track where you sign on. And also due to the way OpenID works, you can also be your very own OpenID provider! (if you can register a dns domain, of course).

This means in fact only your computer will know where you log on to, which is as secure as you want it to be.

Re:Why would we want OpenID? (2, Informative)

Wesley Felter (138342) | more than 7 years ago | (#18062816)

If you sign on to multiple sites with OpenID, they can compare their databases to correlate logins. For example, if you tell one site that your girlfriend's name is Marla and you tell another site that your hobby is making soap, then the sites can combine this information.

Re:Why would we want OpenID? (0)

Anonymous Coward | more than 7 years ago | (#18062910)

If you use the same username at multiple places the same thing could happen. Unless you are changing your username every site you visit, it's already happening. Educate yourself and get the fuck over it.

Re:Why would we want OpenID? (2, Informative)

Solra Bizna (716281) | more than 7 years ago | (#18063724)

Because two different people couldn't possibly use the same username at different locations, of course.

-:sigma.SB

Re:Why would we want OpenID? (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18062972)

I don't consider myself to be a "privacy nut", but I find this ideal highly flawed. It is based on the idea that personal information should either be completely secret or completely public.

To continue your analogy, I wouldn't necessarily want to publish my girlfriend's name on the soap-making forums I frequent, even if I considered it silly to avoid mentioning it on, say, a friend's personal blog. As the internet is organized today, this is less of a problem because identities are not interlinked by default: unless I sign up under my full name on the soap-making forum, no one will ever know that "SoapFan2143" is the same person as "Joe Random". If things like OpenID become standard, our hypothetical shy soap-maker would either have to be "that guy who probably has something to hide because he didn't want to sign up with a real identity", or go to ridiculous lengths like making up fake names and identities just to maintain some privacy on a hobby forum.

It's perfectly understandable that people don't want sites to automatically combine various pieces of information about them. Many people who e.g. post in newsgroups already find it highly creepy what random stalkers can find out about them from simple googlings, they don't need an automatic system to stalk them as well.

Re:Why would we want OpenID? (0)

Anonymous Coward | more than 7 years ago | (#18063412)

How is this any different than websites that require you enter an email address when registering and require that you receive the email they send you with a confirmation link in it (a ton of sites out there)? Those sites can easily link up and join their databases on that address.

I don't see how OpenID would make this situation worse. It would just keep them from having to send you an email when you sign up. As others have noted, different providers could offer you the ability to create multiple aliases (possibly one per site that you sign up with) to prevent the linking you're talking about.

Re:Why would we want OpenID? (1)

Randle_Revar (229304) | more than 7 years ago | (#18063532)

It's perfectly understandable that people don't want sites to automatically combine various pieces of information about them. Many people who e.g. post in newsgroups already find it highly creepy what random stalkers can find out about them from simple googlings, they don't need an automatic system to stalk them as well.


An automatic system for stalking people? Isn't that what Google is? :-)

Re:Why would we want OpenID? (1)

lbft (950835) | more than 7 years ago | (#18063258)

What's to stop them doing this with your email address right now?

Or: how is this different from Passport (1, Interesting)

cheros (223479) | more than 7 years ago | (#18062788)

OK, other than NOT being MS driven and a bit more open, where is OpenID conceptually different from Passport? I may have missed something here but it's again single sign on which concentrates your online identity into a single point of failure.

So, it's more modern and has a little shiny "Open" sticker on the side, but the challenges are identical IMHO.

Re:Or: how is this different from Passport (5, Informative)

jZnat (793348) | more than 7 years ago | (#18062858)

Well, anyone can run their own OpenID server to authenticate against, but to use Passport, you rely upon Microsoft's passport.net servers no matter which email address you associate with it.

Re:Or: how is this different from Passport (1)

Tony Hoyle (11698) | more than 7 years ago | (#18063040)

Yup anyone can run the server... and that means the servers will be run as much by scammers as by normal people. Same problem. If you didn't trust Microsoft you sure as hell shouldn't be trusting any random website.

Re:Or: how is this different from Passport (1)

Randle_Revar (229304) | more than 7 years ago | (#18063560)

OpenID is an identity system, not a trust system. It identifies that I am me, not that you can trust me. *insert evil laugh*

Re:Or: how is this different from Passport (3, Informative)

maxume (22995) | more than 7 years ago | (#18063616)

No one is pushing it as a trust mechanism. It is being pushed as a unique identifier. The idea is that if you start up a zippy website where there are some additional features if I create an account, you can let me use an OpenID to identify myself, rather than having me create a user/pass just for your site. I provide a url, and your server does some stuff to find out if I own that url, and if I do, it can use that to identify me.

You don't end up with any more reason to trust me than if I had used a random hotmail email address, but I avoid creating another damn sign in just to get 'account' features on your service.

Re:Or: how is this different from Passport (2, Informative)

complete loony (663508) | more than 7 years ago | (#18062862)

But it doesn't have to run on some big evil corp's servers. It's open in the sense that you can run your own server and track all of your own web surfing habits.

Re:Or: how is this different from Passport (1)

sholden (12227) | more than 7 years ago | (#18062902)

Because you can run your own OpenID provider.

People want single sign on because it's an easier option than remembering 47 unique and secure username:password pairs, and much more secure than sharing usernames/passwords for multiple accounts.

Re:Or: how is this different from Passport (1)

jthill (303417) | more than 7 years ago | (#18063396)

Nope. Look at this from the individual's perspective, and from the server's perspective:

From the individual's point of view, you can casually create digital identities: no server has anything to correlate with that you don't want to give them, because making a digital identity is easy. Your privacy is as secure as you want to keep it.

From the server's point of view: you can demand any criteria you like. No doubt there will be OpenID servers that support financial transactions by guaranteeing all digital identities can be legally bound to a financial one. But again: creating digital identities is cheap. There's no reason even a legally-traceable-OpenID server couldn't issue one-off digital identities essentially free.

So the difference is that it *isn't* a single sign-on. The server doesn't contact passport.net, the server contacts whoever you tell it to. If the server has a OpenID-server whitelist whose sole entry is "OpenPassport.net", that's its business. No doubt lots of leeches will set their servers up exactly that way, and lots of bloodbags will willingly patronize those businesses. But it's still a free country here. They can do what they want.

Re:Why would we want OpenID? (1)

Grinin (1050028) | more than 7 years ago | (#18062810)

I think the concept is a good one. Less username/password combinations to remember and the ease of not having to create/activate accounts on every new site you visit.

You mention tracking people. Well, I'm not sure if you noticed this or not, but most web-sites already track you and any web site that is using Google Analytics, is tracking you in even more detail. Thus, regardless of IDs, the more web sites you frequent with applications like Google Analytics and other surf data aggregators, the more detailed maps they can draw of you and your surfing patterns. If you don't like it... you could always use Tor, or proxies, but ultimately, you'll be tracked whether you like it or not in one way or another.

Re:Why would we want OpenID? (1)

Frogbert (589961) | more than 7 years ago | (#18062868)

Here is a big benefit. A single unified login will obsolete sites like bugmenot.com overnight. And I'm sure the owners of that site would be happy to see it go.

Re:Why would we want OpenID? (1)

thrillseeker (518224) | more than 7 years ago | (#18063172)

A single unified login will obsolete sites like bugmenot.com

And what's to prevent the sharing of various openid logins with anyone and everyone? Nada ... so in effect it doesn't provide uniqueness. It only proves that whoever just used that login knew the proper associated password.

Re:Why would we want OpenID? (2, Informative)

EchoD (1031614) | more than 7 years ago | (#18062890)

From what little research I have done, it's possible to host your own OpenID server.

[...] your username is your URI, and your password (or other credentials) stays safely stored on your OpenID Provider (which you can run yourself, or use a third-party identity provider). [...] From http://openid.net/ [openid.net]
Which means the centralized database of your browsing habits would be on your own server. With browser history, this already exists. Sure, OpenID may not be suitable for online banking, but it would sure make things easier when it comes to making one or two posts on a forum you're rarely going to visit.

Re:Why would we want OpenID? (1)

maxume (22995) | more than 7 years ago | (#18063664)

For other users of a website to believe that content was posted by the owner of a given id (one handy use of openID), the id has to be associated with that content. A crawler can aggregate that info across websites.

Re:Why would we want OpenID? (1)

MarkRose (820682) | more than 7 years ago | (#18062996)

For people who post pictures, it's a great way to prove that they're the same individual that posted pictures elsewhere, and not some faker pretending to be them. This is a very common problem between yahoo, livejournal, myspace, facebook, and other networking sites.

Re:Why would we want OpenID? (5, Insightful)

jalefkowit (101585) | more than 7 years ago | (#18063018)

Your knee is jerking. You're reacting to the centralized authentication systems like MS Passport that we've seen in the past, which would indeed make it easier to track people. OpenID is fundamentally different in that there is no one centralized identity provider. You can use AOL as your OpenID provider, or another provider, or even set up your own OpenID server on your own hardware and use that if you can't find one you can trust -- hard to think of a scenario that would be more tracking-proof than that. Read more about OpenID [openid.net] , it's not what you think it is.

Re: Why would we want OpenID? (4, Interesting)

Dolda2000 (759023) | more than 7 years ago | (#18063370)

The tracking doesn't primarily depend on the authentication server's ability to log whenever you authenticate, but rather that having single sign-on drastically increases your tendency to reuse the same identity on every website you log into. In other words, cross-site tracking can be done much more reliably than before.

Of course, many here on Slashdot could probably set up their own OpenID server that has a unique identifier for each site, but how many do you think {are going to/are able to} do that -- especially among AOL users?
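
The per-site identifier idea from this part of the thread, together with the database comparison Wesley Felter describes earlier, as an added example (not code from any poster or from an OpenID library). The HMAC derivation, the `PerSiteProvider` class and the `id.example` and `forum-*.example` hosts are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


def realm_of(url):
    """Reduce any URL on a site to scheme://host[:port] so one site always maps to one realm."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a usable site URL: {url!r}")
    default = {"http": 80, "https": 443}[parts.scheme]
    port = "" if parts.port in (None, default) else f":{parts.port}"
    return f"{parts.scheme}://{parts.hostname}{port}"


class PerSiteProvider:
    """Hypothetical self-hosted provider that shows every site a different identity URL."""

    def __init__(self, host):
        self.host = host
        self._secrets = {}   # account name -> random per-account key
        self._owners = {}    # issued identity URL -> (account, realm)

    def add_account(self, account):
        self._secrets[account] = secrets.token_bytes(32)

    def identity_for(self, account, site_url):
        """Stable for one site, unlinkable across sites without the per-account key."""
        realm = realm_of(site_url)
        tag = hmac.new(self._secrets[account], realm.encode(), hashlib.sha256).hexdigest()[:24]
        identity = f"https://{self.host}/id/{tag}"
        self._owners[identity] = (account, realm)
        return identity

    def may_assert(self, identity, site_url):
        """Refuse to vouch for an identity at any site other than the one it was derived for."""
        owner = self._owners.get(identity)
        return owner is not None and owner[1] == realm_of(site_url)


def join_on_identity(db_a, db_b):
    """What two sites learn about shared users by comparing databases keyed on identity URL."""
    return {i: {**db_a[i], **db_b[i]} for i in db_a.keys() & db_b.keys()}


def run_demo():
    # Constructed sample data, following the girlfriend/soap example in the thread.
    shared = "https://aol.com/cooldude"
    one_id = join_on_identity({shared: {"girlfriend": "Marla"}},
                              {shared: {"hobby": "making soap"}})

    provider = PerSiteProvider("id.example")   # hypothetical host
    provider.add_account("cooldude")
    id_a = provider.identity_for("cooldude", "https://forum-a.example/login")
    id_b = provider.identity_for("cooldude", "https://forum-b.example/")
    per_site = join_on_identity({id_a: {"girlfriend": "Marla"}},
                                {id_b: {"hobby": "making soap"}})
    return {
        "one_id_join": one_id,
        "per_site_join": per_site,
        "stable": id_a == provider.identity_for("cooldude", "HTTPS://Forum-A.example:443/profile"),
        "usable_elsewhere": provider.may_assert(id_a, "https://forum-b.example/"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:18} {value}")
```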

Re: Why would we want OpenID? (1)

jalefkowit (101585) | more than 7 years ago | (#18063774)

Of course, many here on Slashdot could probably set up their own OpenID server that has a unique identifier for each site, but how many do you think {are going to/are able to} do that -- especially among AOL users?

So set up your own OpenID server, and offer it free to AOL users who aren't savvy enough to do it themselves. Explain to them why they should trust you more than they trust AOL. If they want to they could use your server just as easily as they use AOL's.

OpenID makes identity portable, which is a Good Thing as it means identity vendors will have to compete on the basis of trust rather than what they do now -- compete on the basis of exclusive access to their walled gardens.

Re:Why would we want OpenID? (0)

Anonymous Coward | more than 7 years ago | (#18063622)

hard to think of a scenario that would be more tracking-proof than that.

How about no system at all?

set up your own OpenID server on your own hardware

If you run your own server, the DNS name becomes the unique identifier.

CAPTCHA word: insecure

Re:Why would we want OpenID? (1)

mdwh2 (535323) | more than 7 years ago | (#18063074)

A single email across the Internet is a bad idea. It's much better to have to sign up to a new email account for every server where you want to contact someone. With a single email account, they can track everyone that you are emailing.

Well, I wouldn't use OpenID for my online banking, but that's taking it to extreme. This is useful for various forum and blogs sites like LiveJournal and Slashdot. I guess since you're posting anonymously, even that bothers you, but the rest of us aren't quite that paranoid.

The situation is analogous to email and IM systems. Commenting on forums, along with IM systems for the most part, is like a system where you need to sign up for a new email account just because the other person is on a different server. For those of us who don't like living in the bad old days on the Internet, things like Jabber and OpenID try to solve this. No one seems to complain about the privacy issues when it comes to email or Jabber.

Re:Why would we want OpenID? (1)

natrius (642724) | more than 7 years ago | (#18063302)

Most people already use the same email address everywhere they sign up for accounts. OpenID doesn't exacerbate that problem. If you don't want websites to be able to compare login data, get multiple OpenIDs, just like you presumably have multiple email addresses.

There are very few websites I go to where I actually care that much about privacy, such as my bank, and anywhere I purchase things. If all the other sites adopted OpenID, my life would be a little easier.

Re:Why would we want OpenID? (1)

pkulak (815640) | more than 7 years ago | (#18063378)

Well, if you're a mess over privacy, just create a new OpenID for every site. It will take you just as long as registering all over again each time and you'll have a new login and password to remember for every site, just how you like it. Another idea is to create one OpenID for non-trustworthy sites, and one for the rest. OpenID doesn't take away anything you have now, it just gives you more options if you want them.

Re:Why would we want OpenID? (1)

Kijori (897770) | more than 7 years ago | (#18063384)

Single sign-on across the internet is a bad idea. As more sites require it, people's web browsing habits will be tracked on an unprecedented scale. Seriously, what benefit does it provide?

This isn't aimed at e-commerce sites, it's aimed at blogs. And it doesn't associate your browsing habits with a person, it associates them with a webpage. What it allows for is authentication and attribution of comments, articles and the like so that you know that you're talking to the same person throughout an exchange, wherever that takes place. Your bank isn't interested in knowing whether you really own fred13.blogsite.com, only in whether you're the owner of the account, so they won't be interested in this. Finally, you don't have to reveal anything about your identity that you don't want to, since you control the backend, and they make it clear that this would be provided as an alternative to, not a replacement of, traditional logins.

Who owns this? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18062646)

Nobody should own this. Nobody's planning on making any money from this. The goal is to release every part of this under the most liberal [as we see it] licenses possible, so there's no money or licensing or registering required to play [we mean to restrict it with patents and/or future incompatible license].


Should, would, could... suckers wanted! When you release it, I'll see if the license satisfies my requirements and not some "most liberal" bullsh*t buzzwords, and make a decision then.

Until then, see if you can find enough of [AOL] suckers to push this OpenAsWeSeeItId for you for free, I'll not be one of them.

Re:Who owns this? (1)

Randle_Revar (229304) | more than 7 years ago | (#18063268)

AOL did not develop the OpenID 1.x spec and they are not developing the OpenID 2.0 spec.

OpenID was originally developed by Brad Fitzpatrick of LiveJournal, and now it is being developed with an open process, involving many open source hackers and tech companies. Anyone is free to implement the specs.

There are already OpenID libraries for Python, PHP, Perl and .NET that are under the LGPL. The Ruby library is under the Apache license. Many open source projects (Apache, MoinMoin, MediaWiki, Drupal, Plone, etc.) have implemented OpenID or are working on it.

re: (0, Troll)

Kynmore (861364) | more than 7 years ago | (#18062666)

Can't teach an (A)OLd dog new tricks.

Except for the sub 10% of AOL users who know what they are doing, most of them will be confused and confounded by just even the idea of OpenID, let alone how to use it.

Trust me, I worked with these people for almost 3 years. You know there's little hope when you tell them to unplug just the power to their DSL modem, and explaining which one the power cable is, but they unplug the phone line anyways.

AOL needs to go down, so their users can learn for themselves.

Re: (1)

maxume (22995) | more than 7 years ago | (#18062734)

What was so broken that they needed to be unplugging the power to their DSL modem?

Re: (1)

Lehk228 (705449) | more than 7 years ago | (#18063714)

Broadband modems sometimes crash when they are either defective or damaged by the user, power cycling them can help sometimes.

OpenID vs OpenPrivacy? (1)

alexandre (53) | more than 7 years ago | (#18062678)

Has anyone got any precise insight on the difference between OpenPrivacy [openprivacy.org] and OpenID [openid.net] goals? :)

Re:OpenID vs OpenPrivacy? (1)

funpet (836434) | more than 7 years ago | (#18063354)

OpenPrivacy is designed to allow marketers to access information about you, while OpenID is a distributed single sign-in system.
RTF websites.

Re:OpenID vs OpenPrivacy? (4, Insightful)

Broadcatch (100226) | more than 7 years ago | (#18063426)

"OpenID is a simple single sign-on mechanism advanced by Brad Fitzpatrick of LiveJournal. In OpenID, your identity is a URL." - http://en.wikipedia.org/wiki/OpenID [wikipedia.org]

Basically, OpenID provides for distributed authentication.

IMO, what makes OpenID interesting is that in the 2.0 protocol, XRI (i-names) have been included, which opens the door to enabling selective, authenticated authorization of access to services, be it as simple as the ability to contact me (I would allow any parent of a child in my kid's pre-school class to phone me) or as complicated (eventually) as any contract you can imagine.

OpenPrivacy, on the other hand, assumes such services as a starting point, which is why I suspended development of OpenPrivacy in 2002 and began working on XRI/i-names. OpenPrivacy will use sophisticated techniques such as zero-knowledge proofs to enable distributed reputation providers and truly pseudonymous identities that cannot be traced to their owner (unless such verification is mutually requested), but it requires strong, secure identity as a starting point.

I look forward to creating grassroots i-names-enabled communities soon (starting in March, if all goes well) and eventually getting back to my OpenPrivacy roots - which is where (IMO) things start getting really interesting.

Re: OpenID vs OpenPrivacy? (1)

Dolda2000 (759023) | more than 7 years ago | (#18063494)

I hadn't heard of OpenPrivacy before, so I didn't know what it was. After having read around a bit on their site, though, I still can't say I do. It seems to be a much larger project than OpenID is. It seems indeed that they have some authentication stuff in there as well, but they seem to be doing lots and lots of other things as well.

OpenID, on the other hand, is simply authentication and nothing more. The idea is that you only need one OpenID account. Then, when you go to a website which requires logon for some or all features (and which also supports OpenID) like Slashdot or any phpBB site, instead of the normal process of creating a user account with a password, you simply enter your OpenID URL or XRL and you get to authenticate yourself with the OpenID server instead. Just one account, one password and, if the OpenID server supports it, single sign-on in the way that you only have to enter your password once, and then the OpenID server will remember your browser (per some cookie) and automatically authenticate it to any other site you visit subsequently.

It's really quite neat. See, anyone can run their own OpenID server, and since it is the OpenID server that takes care of the authentication, it means that you can get SSL client certificate or Kerberos authentication for any other site you visit. You can even invent your own entirely new authentication scheme and use it on any OpenID-supporting site, since the site itself is agnostic with regards to the authentication method.

Briefly, it works like this: 1) You visit a website and type in your OpenID URL. 2) The web server fetches the URL and gets the OpenID server info from it. 3) It redirects your browser to the OpenID server. 4) You authenticate with the OpenID server. 5) The OpenID server redirects your browser back to whence it came, with some cryptographic info constructed from the authentication. 6) The original web server contacts the OpenID server to verify the info passed to it by the browser. 7) You're logged in! The scheme has some additional, optionally supportable optimizations as well, to decrease the number of HTTP roundtrips.
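The seven steps in the comment above, as an added Python example that is not part of the original post or of any OpenID library. It simulates both sides offline in the OpenID 1.1 style and uses the shared-secret association (one of the optional optimizations the comment mentions) instead of the step 6 callback; the hosts, nonce, handle and key are constructed assumptions.

```python
import base64, hashlib, hmac
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed sample data (hypothetical hosts, not from the thread).
IDENTITY_URL = "https://alice.example/"
IDENTITY_PAGE = ('<html><head><link rel="openid.server" '
                 'href="https://op.example/auth"></head></html>')
RETURN_TO = "https://blog.example/login/return?nonce=n-123"
ASSOC_HANDLE = "assoc-1"                  # association agreed beforehand
MAC_KEY = b"constructed-shared-secret"    # known to site and server only


class _ServerLink(HTMLParser):
    """Step 2: find <link rel="openid.server" href=...> in the page."""
    server = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "openid.server" in (a.get("rel") or "").split():
            self.server = a.get("href")


def discover(html):
    finder = _ServerLink()
    finder.feed(html)
    return finder.server


def build_redirect(server, identity, return_to):
    """Step 3: URL the site sends the browser to."""
    return server + "?" + urlencode({
        "openid.mode": "checkid_setup", "openid.identity": identity,
        "openid.return_to": return_to, "openid.assoc_handle": ASSOC_HANDLE,
        "openid.trust_root": "https://blog.example/"})


def _sign(fields, params):
    """HMAC-SHA1 over 'key:value' lines for the signed fields, in order."""
    text = "".join(f"{k}:{params['openid.' + k]}\n" for k in fields)
    return base64.b64encode(hmac.new(MAC_KEY, text.encode(), hashlib.sha1).digest())


def provider_respond(redirect_url, user_authenticated):
    """Steps 4-5, server side: sign an assertion only after a real login."""
    req = dict(parse_qsl(urlparse(redirect_url).query))
    resp = {"openid.mode": "cancel"}
    if user_authenticated:
        resp = {"openid.mode": "id_res", "openid.identity": req["openid.identity"],
                "openid.return_to": req["openid.return_to"],
                "openid.assoc_handle": ASSOC_HANDLE,
                "openid.signed": "mode,identity,return_to"}
        resp["openid.sig"] = _sign(resp["openid.signed"].split(","), resp).decode()
    # "&" because the sample return_to already carries a query string (the nonce).
    return req["openid.return_to"] + "&" + urlencode(resp)


def verify_callback(callback_url, claimed_identity, expected_return_to, seen_nonces):
    """Steps 6-7, site side: accept only a fresh, correctly signed assertion."""
    p = dict(parse_qsl(urlparse(callback_url).query))
    if p.get("openid.mode") != "id_res" or p.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False
    signed = p.get("openid.signed", "").split(",")
    if not {"identity", "return_to"} <= set(signed):
        return False                      # the fields we rely on must be signed
    if any("openid." + k not in p for k in signed):
        return False
    if not hmac.compare_digest(_sign(signed, p), p.get("openid.sig", "").encode()):
        return False
    if p["openid.identity"] != claimed_identity or p["openid.return_to"] != expected_return_to:
        return False
    # Take the nonce from the signed return_to, not from the outer query string.
    nonce = dict(parse_qsl(urlparse(p["openid.return_to"]).query)).get("nonce")
    if nonce is None or nonce in seen_nonces:
        return False                      # missing nonce or replayed assertion
    seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    seen = set()
    url = build_redirect(discover(IDENTITY_PAGE), IDENTITY_URL, RETURN_TO)
    cb = provider_respond(url, user_authenticated=True)
    print("first use:", verify_callback(cb, IDENTITY_URL, RETURN_TO, seen))
    print("replay:   ", verify_callback(cb, IDENTITY_URL, RETURN_TO, seen))
```

The site never sees a password: it learns only the identity URL and a signature it can check, so a callback that is unsigned, altered or replayed is rejected.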

The problem with single sign-on... (4, Insightful)

Phleg (523632) | more than 7 years ago | (#18062706)

One major problem I see with this sort of initiative is spoofing of your provider's sign-in page. Unlike spoofing in its current form, if someone was able to get the password for your OpenID provider, he'll have access to every single one of the accounts you've used that ID with. It's putting all your eggs in one basket -- with the way everything is currently handled, your sign-on information to an individual site may be compromised, but you won't lose everything else.

Is there a solution to this kind of problem, or is OpenID really only targeted to low-risk authentication; i.e., for forums and social networking sites?

Re:The problem with single sign-on... (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18062772)

spoof? Hell they won't need to spoof anything. AOL user will surf to a pr0n site, pr0n site will say "enter your openid to get 100% full free access!!111" or some such crap. AOL user will WILLINGLY give away their id to see pr0n.

Re:The problem with single sign-on... (1)

Breakfast Pants (323698) | more than 7 years ago | (#18062960)

Enter your openid? Enter a URL? How will that 'give away their id'?

Re:The problem with single sign-on... (1)

Tony Hoyle (11698) | more than 7 years ago | (#18063050)

duh. Because once someone has their openid they have the id for *all* their websites.

Re:The problem with single sign-on... (1)

Kijori (897770) | more than 7 years ago | (#18063314)

The openid is just the "username". It has to be authenticated before it can be used, and what that authentication involves is up to you, or whoever you delegate the running of your openid account to. You want it to ask for a 30-digit passphrase, 2 part authentication or biometrics? You can. This is only less secure than normal if you set up your backend system to be insecure.

Re:The problem with single sign-on... (1)

SanityInAnarchy (655584) | more than 7 years ago | (#18063310)

There is a solution: Authenticate your OpenID once, manually. You could even do it with a browser extension. Then, whatever they spoof, they won't be able to authenticate as you to anywhere else, only to the site you're trying to login to.

To put it in really simple terms, they'll get your username, but not your password.

By the way, we already have this problem. If someone steals your identity (social security number, etc), they can use that to gain access to most things you have, including your bank. The trick is to use single sign on to also reduce the number of places you can be compromised -- you can always pick an uber-secure OpenID provider, or roll your own.

And if you really want, you can use different IDs for different sites.

Re:The problem with single sign-on... (1)

Kijori (897770) | more than 7 years ago | (#18063454)

OpenID is as secure as you make it; you control the "backend" and you choose how much it's going to do to check it's you before it tells the website that it is. If you want convenience, it might always authenticate you if you're on your home IP, or if you've got a particular cookie. If you want security, it could ask for a username and password, or 2-factor authentication. You could require you to digitally sign a random piece of plaintext, supply biometric data and scan in 3 proofs of address, the security is limited only by your paranoia.

Of course, if you don't fancy making your own system, you'll have to use whatever livejournal/whatever makes available. The difference between this and the current system is that you can use one password for everything, without one rogue site being able to pinch it and log in wherever they want.

And to answer your question, OpenID is targeted at social networking/blogs/forums etc. Low risk sites in themselves, but if you use the same password everywhere currently they provide a chink in the armour of commercial sites. OpenID closes that chink.

It's phishing time! (4, Insightful)

smack.addict (116174) | more than 7 years ago | (#18062762)

OpenID is the phisher's dream. I honestly don't get what would motivate someone to implement this specification.

Re:It's phishing time! (3, Informative)

Broadcatch (100226) | more than 7 years ago | (#18063488)

multiple answers, but here are two:
  1. use OpenID to verify those you know (or their membership in a community you trust) - don't use it for "verification" of a service you know nothing about
  2. Microsoft's CardSpace (InfoCard) protocol can provide a simple mechanism to support this verification
Once the trust is created, then you can use the XRI capabilities of OpenID 2.0 to provide sophisticated profile data sharing and/or service access authorization. But you are correct: if you're the kind of person who sends money to spammers, OpenID alone will not help you.

Re: It's phishing time! (2, Interesting)

Dolda2000 (759023) | more than 7 years ago | (#18063568)

I'm not sure exactly what you're referring to, but I would argue it is the other way around. If you use OpenID to sign in to a spoofed site, you're safe, because they can't use that info to sign in to the real site themselves. If they're spoofing your OpenID server, then, to be honest, people would be fooled just as much or little as they would be without OpenID. On top of that, OpenID allows you to do neat things like SSL client certificate or Kerberos authentication or anything else that cannot be used by phishers any way. I would also think that some ISPs (like AOL) could use that to make client certificate authentication automatic for their users. That way, it may actually put an effective stop to phishing.

Christ. We're all doomed (1)

TheRealMindChild (743925) | more than 7 years ago | (#18062786)

The fact that you can't even get a nick like DirtyTurtle278346812376 because it is already taken, why the hell would it be a good thing for something like OpenID to be polluted by AOL's obnoxious user list?

Re:Christ. We're all doomed (1)

jZnat (793348) | more than 7 years ago | (#18062870)

Because you can use your own domain name behind the OpenID server you run. Even if you think that all the good domains are taken, remember that there are a ton of ccTLD's you can use (especially in countries that don't use the Latin alphabet).

Re:Christ. We're all doomed (4, Informative)

pelrun (25021) | more than 7 years ago | (#18062898)

AOL's openID's are all in AOL's namespace; DirtyTurtle278346812376.aol.com isn't going to prevent you having DirtyTurtle278346812376.myopenidserver.org.

Woot Woot (0, Troll)

nnila (1057870) | more than 7 years ago | (#18062888)

FINALLY!! Now it'll be sooo easy to hack people's important accounts. You make a spoof page for something really irrelevant that no one cares about, they sign in without thinking twice because it's not a site they are bothered about at all and BAM I suddenly can use that info to login to their bank account where they would normally triple check the website address and where the bank has put 3000 security features. I LOVE it!! Come on OpenID - I've been trying to figure out what I'd do to retire ;)

Re:Woot Woot this you mong (0)

Anonymous Coward | more than 7 years ago | (#18063186)

Something tells me no matter how idiotic a bank is they would NEVER implement OpenID as the sole login requirement for internet banking. You'd just be asking for it on an immense scale. I hope you weren't going for a funny modifier because this just came across as ignorant.

aol needs to die (-1, Offtopic)

mike3 (1054482) | more than 7 years ago | (#18062950)

There is no way that AOL will ever become a good company; there is just too much garbage and bad feelings over them. I know I wouldn't touch them with a 10 foot pole!

This is a huge blow to privacy on the net... (1, Interesting)

gd23ka (324741) | more than 7 years ago | (#18063022)

Who else woke up this morning to smell the fascism?

While it sounds like a great idea in fact... it is not. On the pro
side people don't have to keep lists of their accounts and passwords
across many sites and sites have a standardized mechanism to rely on...

... the balance immediately tips over to the negative once infrastructure
like OpenID is established .. and then locked down and made mandatory.
Think what it could be like when sites only accept OpenID authentication
coming from certain sources like the provider your IP is originating
from? Take it one step further, think what it would be like to authenticate
with your OpenID URL to get onto the internet itself?

The idea sucks and I didn't even get started on how it allows the operator
of an OpenID authentication service to track which sites you go to.

Re:This is a huge blow to privacy on the net... (1)

chromatic (9471) | more than 7 years ago | (#18063090)

I didn't even get started on how it allows the operator of an OpenID authentication service to track which sites you go to.

I know! I merely have to look at the logs of my own OpenID server to see a list of sites I've visited! That's... horrible?

Lovely knees you have ... if anything. (1)

gd23ka (324741) | more than 7 years ago | (#18063342)

Thank you for your knee jerk reaction but I was talking about what's
around the corner once schemes like OpenID are widely adopted.

Re:Lovely knees you have ... if anything. (1)

jrockway (229604) | more than 7 years ago | (#18063394)

Do you even know what OpenID is? You should probably research that a little before you whine about it everywhere.

Re:Lovely knees you have ... if anything. (1)

gd23ka (324741) | more than 7 years ago | (#18063654)

Enjoy your DHS single signon identification for the internet. Fight Terror, protect the children,
live a miserable life and earn miles with each voluntary vaccination.

I was talking about where infrastructure like OpenID single signon can take us. You obviously
don't want to go there.

I am not going to work on this thread when it's modded down to 0.

Re:Lovely knees you have ... if anything. (2, Insightful)

Randle_Revar (229304) | more than 7 years ago | (#18063476)

If you don't want to be tracked, don't use OpenID.

If I go to a blog and enter a comment with the name Kelly Clowers and give my website as www.clowersnet.net/~krc/, how do you know that I am really the Kelly Clowers who owns that website? This example is one of the original use cases for OpenID.

Now anyone can google Kelly Clowers and if an OpenID post turns up in the results, you can be fairly sure it was really the owner of www.clowersnet.net/~krc/ (which is presumably me, since that website specifically mentions this account (which is a solution that can work for main accounts, but I don't really want to list every one-off comment I ever made on random blogs)). Of course, a page could be hijacked, but the point is that imitating someone is not as trivial as entering someone else's name and website.

Not being tracked when you don't want to be tracked could be an issue if websites started accepting *only* OpenID, but I haven't seen anyone do that yet, and I doubt many will ever do that. And I don't think OpenID is really intended for online banking and shopping and the like. Also, if you don't want to be tracked, you could set up a second OpenID account that does not link to your primary account or to your real name.

Re:This is a huge blow to privacy on the net... (3, Insightful)

TheRaven64 (641858) | more than 7 years ago | (#18063098)

Think what it could be like when sites only accept OpenID authentication coming from certain sources like the provider your IP is originating from?
Then people won't go to those sites, because they won't be able to access them from public terminals, their friend's house, or use the same account from home as they use with their mobile phone.

The idea sucks and I didn't even get started on how it allows the operator of an OpenID authentication service to track which sites you go to.
The operator of the OpenID authentication service is you, or whoever you delegate the responsibility to. If you choose to ask a random person to look after your keys, don't be surprised if your house gets burgled.

Re:This is a huge blow to privacy on the net... (1)

maxume (22995) | more than 7 years ago | (#18063704)

Yeah, just like all those sites that won't accept hotmail.com addresses right now. All 7 of them.

Not just AOL users -- AIM users too (3, Interesting)

jalefkowit (101585) | more than 7 years ago | (#18063114)

The story is even bigger than the summary makes it out to be. It's not just AOL users who have an OpenID -- anyone who uses AOL Instant Messenger is included, too, as is anyone who uses AOL's "Journals" blogging platform. Both these services are free, and AIM especially is used by a far wider and more technical group of users than the term "AOL users" would suggest. (You /.ers who use AIM via Gaim, for example? You've got OpenIDs now.)

Speaking of AIM... (1)

SanityInAnarchy (655584) | more than 7 years ago | (#18063332)

When are they going to reimplement AIM via Jabber, so that AIM users can easily talk to Google Talk users and everyone else?

That would leave only Yahoo and MSN...

But really, it seems obvious to me that they are not implementing OpenID because they like open standards. Otherwise, why aren't they actually using open standards elsewhere?

Re:Speaking of AIM... (1)

Dan Ost (415913) | more than 7 years ago | (#18063420)


Implement an open standard when there is no compelling reason not to.

The fact that Jabber doesn't offer any advantage over their already implemented and established AIM protocol
might be a compelling reason for them not to sink resources into it.

Re:Speaking of AIM... (1)

SanityInAnarchy (655584) | more than 7 years ago | (#18063430)

Except the advantage of being interoperable with every other IM service out there that decides to use it.

Is there actually a compelling technical reason to use their AIM protocol instead of Jabber? Because I can think of a couple of compelling reasons to use Jabber instead of AIM.

Re:Speaking of AIM... (1)

Lehk228 (705449) | more than 7 years ago | (#18063708)

It's about control. If they enable a fully open Jabber server as the backend for AIM, someone will register a name like AOLCustomerService@techsupportteam.net and scam the AOLamers out of their passwords, then use the passwords to send spam to people on that buddy list.

Uh oh (4, Funny)

Conspiracy_Of_Doves (236787) | more than 7 years ago | (#18063162)

The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology.

I think I see the flaw in your plan.

When to put all your eggs in one basket? (1)

Apoptosis66 (572145) | more than 7 years ago | (#18063296)

So this topic is currently being debated in my company. The question is when should one centralize or decentralize authentication/authorization? Seems to me that it depends on the system and what you're trying to protect. At my company we currently have email systems, websites, computers, and other resources that all have separate authentication/authorization. The problem we are seeing is that maintenance of these systems has gotten out of hand, leading to users who have left the company still having access to some resources. Thus, decentralization has led to security risks. This makes it hard to rotate passwords in a reasonable manner, also a security risk. Seems to me however, on the internet this may be a bad idea. If my yahoo email is compromised, I like the security of not having my bank account also compromised. The single point of failure is a major security risk. That being said I have worked on a few bank websites and have several examples where a user's account was compromised, and we couldn't find any compromise of our system. After lengthy discussions, it turns out some other site the user was using was compromised, and the user just happened to be using the same login and password with us. You can scream education all you want, but only having to remember one password is what users really want to do. So I ask \., when do you centralize and when do you decentralize? There must be some set of rules here. Maybe decentralize when you're protecting the system itself, but centralize when you're protecting a single resource in a big system?

Re:When to put all your eggs in one basket? (1)

silas_moeckel (234313) | more than 7 years ago | (#18063646)

As centralized as you can stand it. SSO is a bit of a holy grail in big corp IT right now. Users are dumb; users can barely remember where their cubicle is, forget more than one password. This being said, reducing the complexity and time they spend typing in passwords is a good thing. It may sound strange, but having SSO servers around makes it easy to enforce password rotation, add in secondary tokens and the like while only requiring one system to support the rules, not every system you have, so it can make things more secure vs a unified password distributed everywhere. If you have any sort of compliance and auditing requirements, the SSO servers can also help track what users are logging into what from where.

Now that being said, the people that fix things need something very very hard to break; to date for me that has meant a centralized system that converts all the passwords and deploys them to the hardware locally. It's gotten better as the one-way functions have gotten stronger but we still insist on 30 days rotation. Same system pushes generated local admin passwords to workstations. It's all home grown scripts layered on top of our inventory tracking database.

Intranet (1)

hey (83763) | more than 7 years ago | (#18063374)

Most talk about OpenID is on the big Internet but I think it could be used within a big company's Intranet quite nicely. There are always diverse systems that require logins. LDAP is the current "solution" but it's quite a pain.

OpenID Administrator (1)

Eric Damron (553630) | more than 7 years ago | (#18063402)

This is the OpenID Administrator. We had a server crash and must rebuild our database. Please click on the link below and begin the process of verifying your OpenID information. Failure to do this will result in your OpenID account being disabled. This request is mandatory for you to comply.

We apologize for this inconvenience.

Just use SINs (1)

flyingfsck (986395) | more than 7 years ago | (#18063428)

Everybody else does and it is managed by the friendly revenue service for the benefit of all Americans. There is no need to invent a new set of numbers... ;)