Single login for Wine sites?
jan at zerebecki.de
Mon Apr 6 10:04:02 CDT 2009
On Sun, Mar 22, 2009 at 05:39:53PM +0100, Kai Blin wrote:
> On Sunday 22 March 2009 17:29:33 Igor Tarasov wrote:
> > Maybe add openid support and let users connect existing accounts to one
> > openid?
> We decided to go for a secure system, if at all. OpenID was discussed and
> quickly dropped at the last WineConf.
> Google for "openid security issues" to see what I'm talking about.
I read a bit about OpenID security issues and from that it seems
that OpenID is more secure than what we currently use if the
Relying Party (the website that wants to authenticate a user,
i.e. winehq.org) and the OpenID Provider get their
implementation right (i.e. I have not found any security bug in
the spec itself). The downside is that there is one more party
that can be compromised, the upside is that this party is usually
the hardest to compromise and that it ensures that some attacks
don't work on the other two parties (that previously worked).
I may be wrong, so please correct me.
Does anyone know of a possible attack against an OpenID-enabled
winehq.org that would not in principle be possible against our
current login system? (i.e. CSRF or XSS against an OpenID
Provider is a possibility, but it is also a possibility against
winehq.org with our current login system, so it doesn't count;
anything that needs sniffing of the communication from/to the
user or OpenID provider doesn't count as our current login system
is not protected against that, same with phishing)?