OpenID: the bad and the ugly

OpenID is being touted as a lightweight, Open and distributed answer to the Single Sign-On problem. Don’t be fooled. OpenID is insecure on several levels; particular weaknesses include DNS poisoning, hijacking via Cross-site Request Forgery (CSRF), and the fact that your accounts are only as secure as your cheap web host. OpenID is not nearly as lightweight as it claims, and core aspects of the technology may be patented.

I was going to elaborate on this summary, but then I found Stefan Brands’ “The problem(s) with OpenID”, which provides a detailed and compelling explanation.

The lesson here is that protocol design is difficult, requires extensive domain knowledge, and should never base its security on less secure components of the overall system.
