On Wed, Oct 29, 2008 at 10:15 PM, <[EMAIL PROTECTED]> wrote:
> All of my websites run php forum and CMS software of varying flavors
> so I am not convinced that OpenID is a viable solution to secure them
> against the kinds of attacks I have seen recently

OpenID is a means of authentication using a trusted third party. Its main benefit is to make it easy for users to register for and consume services at many different sites, without having to use different passwords at each one. A secondary benefit is that users don't need to trust the authentication mechanisms of each site they log into; they only need to trust their OpenID provider.

OpenID is not going to do much of anything to make your sites more secure, unless your accounts were hijacked because the authentication process was inherently insecure (it took place over HTTP, or passwords were stored as plain text, or it is easy to brute-force the login script).

OpenID doesn't do anything about cross-site scripting, SQL injection, insecure file uploads, or any of the 999 other ways that clever bad guys attack poorly written webapps.

Chris Snyder
http://chxor.chxo.com/
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk