Digg To (Finally) Integrate OpenID?!
techcrunch.com — When Digg's Lead Architect Joe Stump took the stage at the Facebook Developer Conference in San Francisco earlier today, something in one of his screenshots caught our attention. He was there to show how users will soon be able to log in to Digg without an account via their Facebook credentials (the new Facebook Connect product). But also included
- 1073 diggs
- u8muhrice, on 07/24/2008, -0/+16 Very interesting... can't wait to see what happens
- neoform, on 07/24/2008, -4/+12 I can.
I don't see myself ever using OpenID even if it's available.
- dandonia, on 07/24/2008, -3/+6 OpenID is a really bad idea - sure it's cool that you can use the same account details across multiple sites, but it won't be long (read: already started to happen) before hackers start putting fake login boxes that look like Facebook credentials on their site. Then naive people put their account details in and the hacker has their username and password. Most people use the same password, and your username for Facebook is your email address. This means hackers will likely have your email address and password -
http://external.pureplay.com/face-app/referral/Ref ...
For all I know that could be a legit site, but how hard is it to fake these things?
The hacker can then see what you are signed up to - Amazon, eBay etc., all of which have your credit card details stored on your account - you see where I am going with this.
Good idea if everyone was honest - bad idea because they ain't.
- dbr_onix, on 07/24/2008, -1/+5 Gah, no it's not. The username/password-in-a-box scheme is an equally bad (or even worse) idea - most people use the same password for their login as their email account, and that email could have far, far more than just a list of sites they use..
OpenID makes it incredibly easy to do two-stage authentication - for example, when you enter your OpenID URL in a site, it text-messages/instant-messages you and asks you to confirm that you are currently trying to log into http://example.com - you then reply "yes" and it logs you in.
Also, faking an OpenID login box is far more work than faking a standard login box. Faking a standard username/password box:
- A form with two fields, redirects to http://evil.example.com/login.php
- That login.php script writes the username/password, and maybe the referer, to a file.
That's it. It can also quite easily redirect back to the proper login address so it looks like all is well.
To fake an OpenID form you have to have a form that redirects to a page that looks exactly like the user's OpenID endpoint login page (different for all providers), then get their password and store it. To actually make it pass the login info is very difficult as far as I'm aware (the site you're logging into checks with the endpoint too), and if you are doing two-stage auth, it's almost impossible really..
The thing with OpenID is that the evil site you enter the ID into never gets your password; it redirects to your OpenID endpoint URL (say, Facebook). To fake that, you have to imitate both the site (say, eBay) *and* the endpoint without arousing suspicion..
The biggest problem with OpenID auth is where evil people make a login form that has "OpenID URL" and a password box, since people are used to entering a username/email and password.
Note that I've not looked into OpenID security that much, I just understand the basics of how it works. Yes, OpenID has the potential to be easily phishable, but it also has the potential to be absurdly more secure than the current login system..
- bastawhiz, on 07/24/2008, -0/+2 OpenID is broken in that it's more difficult to use than a simple username/password box. With multiple screens to go through on signup, how is any average user supposed to understand that they need to be sent to a COMPLETELY different site so they can authenticate themselves against a different service that authenticates them with the site they were just on? From a usability standpoint, the average user has no reason to change their entire mental process for simply LOGGING IN so they can use some obscure technology that they ordinarily wouldn't be required to use anyway.
- blakeg, on 07/24/2008, -0/+3 Unless I'm totally misreading your post, this criticism doesn't make any sense to me. That's not how OpenID works at all. The whole point is that you don't have to provide your password to some untrusted site. Your OpenID provider takes care of the authentication. You always log in to your OpenID provider, and you never provide authentication info to an individual website.
Unless I'm confused, OpenID FIXES the problem you're describing, it doesn't cause it.
- Atomic1fire, on 07/24/2008, -0/+1 Plus, in order to be an effective scam, they would have to compensate for every OpenID provider, meaning not only would they have to fake an AOL login page but a Yahoo page (including if you use the special Yahoo feature that lets you customize the login for that computer to stop people from faking a Yahoo page), a MySpace page, a TypeKey page, a VeriSign page (and they would also have to crack many different types of security including image-based passwords and heavily encrypted stuff).
The point is that when use of OpenID is open then it becomes near impossible to scam everyone, because being as open as OpenID is, anyone can use any provider, whereas with something like eBay or Live the look is consistent and anyone can be fooled.
- dandonia, on 07/25/2008, -0/+1 What I am saying is that the more people get used to seeing Facebook logins for completely different websites, the more trusting they become of it, which means people can easily acquire someone's Facebook account.
The poker site I posted uses Facebook credentials to log someone into their site - I could make a site right now, put it on the net with a Facebook credentials box - because you have seen this all over the place you enter your details and I grant you access to my site - I now have your Facebook account details.
You would be none the wiser - I would be able to use your account details to then log in to anything else with the same credentials, including (most likely) your email account.
If 99% of sites used Facebook credentials for logins - and I made a fake one to acquire your details - not only would you not have a clue it was me that stole your credentials, but I would be able to access 99% of sites as you. In other words it is an easy way for ID fraudsters to acquire your life.
- jrbrewin, on 07/24/2008, -0/+1 Does this mean it's going to stop giving me nonsensical bad token, secondary captcha prompts, and stop logging me out every 5 fricken minutes? If so, it's a good thing.
- gbouchard, on 07/24/2008, -5/+33 What is OpenID? ... oh yeah, that's the thing that helps you save sooooooooo much time :D
- Elranzer, on 07/25/2008, -0/+2 Gator saved us all time, too...
- ar0ne, on 07/24/2008, -8/+26 I can see it now,
"David diggs Jessica"
"Mark buried Alan's video"
"404 Stephanie's profile has exceeded maximum bandwidth"
"Jessica buried the new Facebook design"
"Tony joined the group, We are Digg, All Your Facebooks are belong to us"
- WriterSD, on 07/24/2008, -0/+4 I would bury the new Facebook design. :-/
- Atomic1fire, on 07/24/2008, -0/+6 (and Facebook, but OpenID is clearly more important)
Didn't MySpace just announce becoming an OpenID issuer?
This should be interesting, very interesting.
- Culyt, on 07/24/2008, -0/+3 Every man and his dog is an OpenID provider, but that's close to useless since you can set up your own in about 5 seconds. Although it does help a bit if there are lots of people who have OpenIDs without trying to get them, although they also need to know they actually have them.
I guess the current solution would be to have a massive page of all the services that also happen to be providers, such as Facebook, LiveJournal, Yahoo, Microsoft (I think they have one now, or was it just planning?) so users can choose.
But if those services aren't also consumers then you still have a metric buttload of logins (although it's an improvement over one for every site).
- dbr_onix, on 07/24/2008, -0/+3 There are a huge number of OpenID end-point providers. The problem currently is there is nowhere to log in using them...
While MySpace or whomever may have announced that they are becoming OpenID providers, you can't actually use them to log in..
http://openiddirectory.com - the OpenID providers section is 9 *pages*, the "Images" section has 5 sites.. Most of the sections have less than 10 sites..
- upick, on 07/24/2008, -2/+24 Would this mean Digg will instantly double its users, or triple? Well, it would be a lot of new users on Digg... This could create a huge mess in our Digg ecosystem!
- IHaveIssues, on 07/24/2008, -0/+23 Akin to the arrival of AOL users to the internet.
- Culyt, on 07/24/2008, -0/+3 I suppose it's too late to reverse that?
- anaesthetica, on 07/24/2008, -0/+5 Eternal September
http://en.wikipedia.org/wiki/Eternal_September
- mk3k, on 07/24/2008, -0/+9 Ecosystem? It's not really a technology group anymore.
- RadicalEdward, on 07/24/2008, -1/+3 Yes, because it's so organized and orderly here as is. :-/
- dbr_onix, on 07/24/2008, -0/+2 Not really. I suppose it might mean more people are digging up articles instead of lurking around. Digg is hardly the pinnacle of intellectualism anyway..
- kitsched, on 07/24/2008, -5/+14 My 2 cents: the MOAR sites supporting OpenID the better!
- anshuman, on 07/24/2008, -2/+8 OpenID, wants.
- wiretapped, on 07/24/2008, -7/+60 Now the bad guys can access all our ***** with one password.
- Culyt, on 07/24/2008, -13/+3 So set up a bunch of different OpenIDs...
- daza, on 07/24/2008, -1/+13 What a great idea! Wait a second, isn't that just like what we have now? You know, multiple accounts with different passwords?
- PhailQuail, on 07/24/2008, -0/+4 @daza, but now it has a catchy new name and logo!
- blooby, on 07/24/2008, -0/+4 Seems like you forgot the /sarcasm tag
- dbr_onix, on 07/24/2008, -0/+4 ..because people don't ever reuse passwords currently, do they..
OpenID is inherently more secure than the usual username/password simply because you don't give the site you're logging into your password.
You simply say "I am myopenidprovider.com/example", then the website checks with myopenidprovider.com that you are in fact a valid user, and are currently logged in (well, first it redirects you to your openid provider
The main problem is phishing OpenID providers, which is harder to do than faking a login form (two text fields and a simple PHP script - you have to detect which provider someone is using and fake their layout), and it's very easy to add additional, hard/impossible-to-fake steps like confirming via SMS or email.
- Macskeeball, on 07/24/2008, -0/+3 Combine all of those "Forgot your password?" links with a compromised email address. It's the same situation now without OpenID. OpenID also offers security benefits because you log in to only one place - your OpenID provider. Your OpenID provider is more likely to take extra efforts to ensure greater security, such as using SSL and supporting multifactor authentication (ex: VeriSign PIP).
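The redirect flow dbr_onix and Macskeeball describe (the site sends you to your provider, the provider checks your password, and the site only receives a yes/no it can verify against the endpoint) is easier to reason about with both parties written out. The following is an added, simplified OpenID-style simulation; it is not code from this thread, from Digg, or from any OpenID library. The hosts, user identifiers, association handle, in-memory stores and hex-encoded HMAC signature are all constructed for the example (real OpenID base64-encodes the signature and routes every message through the user's browser). What it shows is the security property under discussion: the relying party never holds a password, and an assertion that is forged, tampered with, addressed to another site, or replayed is rejected.

```python
import hashlib
import hmac
import os
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, simplified OpenID-style flow. Everything here (hosts, users,
# the hex HMAC signature, the in-memory stores) is made up for the example.

REQUIRED_SIGNED = {'mode', 'identity', 'return_to', 'response_nonce', 'assoc_handle'}


def sign(fields: dict, secret: bytes) -> str:
    """HMAC-SHA1 over the fields named in openid.signed, as key:value lines."""
    keys = fields.get('openid.signed', '').split(',')
    message = ''.join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in keys)
    return hmac.new(secret, message.encode(), hashlib.sha1).hexdigest()


class Provider:
    """The OpenID endpoint: the only party that ever sees the password."""

    def __init__(self, endpoint: str):
        self.endpoint = endpoint
        self._users = {}    # claimed_id -> (salt, pbkdf2 hash); constructed store
        self._assocs = {}   # assoc_handle -> shared secret agreed with an RP

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100_000)

    def register(self, claimed_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[claimed_id] = (salt, self._hash(password, salt))

    def associate(self):
        """An RP and the provider agree a shared secret before any login."""
        handle, secret = secrets.token_hex(8), os.urandom(20)
        self._assocs[handle] = secret
        return handle, secret

    def checkid(self, claimed_id, password, return_to, assoc_handle):
        """The user logs in *here*. On success the browser is sent back to the
        RP carrying a signed assertion; the password never travels to the RP."""
        salt, stored = self._users.get(claimed_id, (None, None))
        if stored is None or not hmac.compare_digest(stored, self._hash(password, salt)):
            return None                        # provider refuses; RP learns nothing
        fields = {
            'openid.mode': 'id_res',
            'openid.identity': claimed_id,
            'openid.return_to': return_to,
            'openid.response_nonce': f'{int(time.time())}-{secrets.token_hex(4)}',
            'openid.assoc_handle': assoc_handle,
            'openid.signed': 'mode,identity,return_to,response_nonce,assoc_handle',
        }
        fields['openid.sig'] = sign(fields, self._assocs[assoc_handle])
        return return_to + '?' + urlencode(fields)


class RelyingParty:
    """The site you log in to: holds an association secret, not passwords."""

    def __init__(self, site: str, provider: Provider):
        self.return_to = site + '/openid/return'
        self.assoc_handle, self.secret = provider.associate()
        self._seen_nonces = set()

    def begin(self, claimed_id: str, provider: Provider) -> str:
        """Step 1: the redirect to the provider. There is no password field."""
        return provider.endpoint + '?' + urlencode({
            'openid.mode': 'checkid_setup', 'openid.identity': claimed_id,
            'openid.return_to': self.return_to, 'openid.assoc_handle': self.assoc_handle})

    def complete(self, redirect_url: str):
        """Step 3: accept the identity only if the assertion is signed with our
        association secret, covers the essential fields, is addressed to us,
        and has not been seen before."""
        fields = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if fields.get('openid.mode') != 'id_res':
            return None
        if fields.get('openid.assoc_handle') != self.assoc_handle:
            return None                        # signed with a secret we never agreed
        if fields.get('openid.return_to') != self.return_to:
            return None                        # assertion meant for another site
        if not REQUIRED_SIGNED <= set(fields.get('openid.signed', '').split(',')):
            return None                        # an unsigned identity field proves nothing
        sig = fields.get('openid.sig', '')
        if not sig.isascii() or not hmac.compare_digest(sign(fields, self.secret), sig):
            return None                        # forged or tampered
        nonce = fields.get('openid.response_nonce', '')
        if nonce in self._seen_nonces:
            return None                        # replayed
        self._seen_nonces.add(nonce)
        return fields['openid.identity']


def demo():
    """Returns (good login, wrong password, tampered assertion, replay)."""
    op = Provider('https://op.example/auth')
    op.register('https://alice.op.example/', 'correct horse battery')
    rp = RelyingParty('https://rp.example', op)
    rp.begin('https://alice.op.example/', op)          # step 1: redirect to provider
    back = op.checkid('https://alice.op.example/', 'correct horse battery',
                      rp.return_to, rp.assoc_handle)   # step 2: password seen by OP only
    good = rp.complete(back)                           # step 3: RP verifies the assertion
    wrong = op.checkid('https://alice.op.example/', 'guess', rp.return_to, rp.assoc_handle)
    tampered = rp.complete(back.replace('alice', 'mallory'))
    replayed = rp.complete(back)
    return good, wrong, tampered, replayed
```

Calling `demo()` returns the accepted identity for the genuine login and `None` for the other three cases. A look-alike provider that never agreed an association with the site cannot produce an assertion the site accepts, which is the concrete reason "the site you're logging into checks with the endpoint too" matters; what this example does not protect against is the user being sent to a look-alike provider and typing the password there, which is the phishing case the thread keeps returning to.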
- Atomic1fire, on 07/24/2008, -1/+2 Then don't use a password.
Vidoop uses image-based verification, meaning you need to remember details (such as toy, cat, dog, etc.) only.
Or VeriSign, which allows special verification keys you can buy.
- InorganicMatter, on 07/24/2008, -4/+7 Oh no, please don't. I already have to maintain a Google and Windows Live ID, both of which try to be the "end all" ID systems.
- ho0ber, on 07/24/2008, -6/+4 ... The number of logins you need to maintain can only go down as people introduce OpenID to their systems. So instead of having your Google, Windows Live, and Digg (maybe Facebook or others), you could have Google, Windows Live, and OpenID. So worst-case scenario, you would end up with exactly the same number of logins.
- RemoteSojourner, on 07/24/2008, -0/+2 Google ID is an OpenID.
- Atomic1fire, on 07/24/2008, -0/+1 Yeah.
Someone made a Google App Engine OpenID provider (that uses your Google account obviously), and you can also create a blog with Blogspot and use that (and you can also make comments via OpenID).
- PhailQuail, on 07/24/2008, -1/+4 Read the first 4 letters of OpenID.
The only possibility OpenID will fail is because it would be replaced by a (still open-source) alternative.
- RemoteSojourner, on 07/24/2008, -0/+4 If Digg starts using OpenID you can use Google ID on Digg. That means one less ID.
- WarBiscuit, on 07/24/2008, -0/+4 Don't know about Microsoft, but I'm pretty sure I read recently that Google is signed on to become an OpenID "provider", which means that your Google account can be used as an OpenID account... which means you're down to 2 accounts once this all goes through.
- axepourhomme, on 07/24/2008, -1/+4 So many companies have announced their support for OpenID and we still don't see any major sites compatible with this cool technology... So disappointing so far.
- buckchoris, on 07/24/2008, -8/+3 MySpace and now even Digg, this OpenID thing is just B.S. I wonder who is the main architect and the people who are supporting this.
- dbr_onix, on 07/24/2008, -0/+1 What evidence do you propose to support your claim that this "open Id thing is just B.S"?
If you actually care, and aren't just trolling, see http://openid.net/what/ and http://openid.net/foundation/
And the first part of the name ("open") means you can suggest/vote on improvements to be incorporated into the OpenID spec..
- Atomic1fire, on 07/24/2008, -0/+1 It's not BS; it's the idea that you should choose which account you want to use for any service, with little to no registering involved (usually giving an email and user name is the only work you need to do; everything else can be covered by your ID).
- ChayesFSS, on 07/24/2008, -10/+16 I personally hate the idea.
- avothecat, on 07/24/2008, -11/+17 Great.
Now if someone finds out your password they can take over your accounts on websites all over the internet.
Not to mention the fact that when it becomes general that you use one account to access everything on the internet... the government will probably want to get involved. One universal internet website access account; the idea gives me the chills.
- jonshipman, on 07/24/2008, -4/+2 Too bad the internet is international. And governments can't agree to anything.
Maybe the next World War will be over OpenID :o
- pentalive, on 07/24/2008, -0/+4 Yup, as you use one authentication method for more things, that one method becomes more valuable.
For your second worry, even if the government used OpenID on its .Gov websites - they don't get your password, so they can't just go as you to the other sites you visit. They only get a yes or no, to indicate if you authorized or not.
Look at Vidoop, no passwords even.
- Macskeeball, on 07/24/2008, -0/+2 What if your email account were to be compromised today? Think about all of those "Forgot your password?" links. OpenID is no less secure than that. Also, you can be your own OpenID provider if you so choose.
- nubnub, on 07/24/2008, -3/+10 No.
- nunofgs, on 07/24/2008, -0/+1 awww, c'mon
- 9966, on 07/24/2008, -5/+6 Just what I've always wanted--someone to be able to attach my name to my anonymous internet trolling.
- Culyt, on 07/24/2008, -0/+7 Actually OpenID makes it easier to be anon:
* You can set up as many fake accounts as you want.
* Use one account but differentiate what information each website sees, called personas, although if you were to search across sites for the OpenID you might be able to get information from one account to the other if it's mirrored on those sites, which isn't often, although you can see the other sites that anon uses.
* Use mailinator-type OpenID providers that always respond with a successful login.
* Set up your own very simply.
* Use a dynamic IP to host your own simple provider.
It also helps spammers, but I think requiring captchas is a good solution; you need to do this nowadays anyway, and it's not hard for spammers to do the whole click-link-in-email thing automagically anyway.
- neFariou5, on 07/24/2008, -0/+1 Have one OpenID for anonymous internet and one for your real name and purchases.
- MrViklund, on 07/24/2008, -11/+5 I don't like this OpenID at all. It's a huge security risk.
- D14BL0, on 07/24/2008, -2/+3 Really? It's been around for quite a while and there's been no security risk yet.
- MrViklund, on 07/24/2008, -4/+1 Who cares if it has been around for a while. 1 ID for more than one service is just begging for trouble.
By the way, on Digg you are not entitled to your opinion, because people will digg you down if you don't agree with them.
- blankoboy, on 07/24/2008, -3/+3 Please elaborate....
- MrViklund, on 07/24/2008, -3/+1 1 ID for more than one service is just begging for trouble.
- Atomic1fire, on 07/24/2008, -0/+1 You can choose your provider, allowing it to be as safe or unsafe as you want it to be, and you can also use delegates, which is a fancy term meaning that you are telling the website one site is your OpenID but in all reality you use another server, with the website you provided being a redirect via a special code, and you can change the server it's redirecting to, and so password loss or theft becomes a non-issue.
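The "special code" Atomic1fire refers to is a pair of `<link rel="...">` tags on your own identity page that tell a relying party which provider actually answers for you. As an added example (not code from this thread, from Digg, or from any OpenID library), the discovery routine below reads those tags using the rel names the OpenID 1.1 and 2.0 specifications define (`openid.server`/`openid.delegate` and `openid2.provider`/`openid2.local_id`); the two identity pages, the host names and the insistence on an `https://` endpoint are this example's own constructed choices. It demonstrates the point of delegation: the claimed URL the user types stays the same while the provider behind it changes.

```python
from html.parser import HTMLParser

# Constructed example of OpenID delegation discovery. The rel names come from
# the OpenID 1.1 / 2.0 specs; the pages and hosts are made up for the example.

REL_PAIRS = (
    ('openid2.provider', 'openid2.local_id'),   # OpenID 2.0, preferred when present
    ('openid.server', 'openid.delegate'),       # OpenID 1.1 fallback
)


class OpenIDLinkParser(HTMLParser):
    """Collect the first href for each openid* <link rel="..."> inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == 'head':
            self._in_head = True
        if tag != 'link' or not self._in_head:
            return
        attr = dict(attrs)
        href = attr.get('href')
        # rel may hold several space-separated tokens; keep the first href per token
        for rel in (attr.get('rel') or '').lower().split():
            if href and rel.startswith('openid') and rel not in self.links:
                self.links[rel] = href

    def handle_endtag(self, tag):
        if tag == 'head':
            self._in_head = False


def discover(claimed_url: str, html: str):
    """Return (provider endpoint, identity to present to that provider).

    Without a delegate/local_id tag the claimed URL itself is the identity.
    This example refuses non-https endpoints (its own policy, not a spec rule):
    the tags were fetched from the network, so a plaintext endpoint could be
    rewritten in transit.
    """
    parser = OpenIDLinkParser()
    parser.feed(html)
    for server_rel, local_rel in REL_PAIRS:
        server = parser.links.get(server_rel)
        if server:
            if not server.startswith('https://'):
                raise ValueError(f'{claimed_url}: provider endpoint {server} is not https')
            return server, parser.links.get(local_rel, claimed_url)
    raise ValueError(f'{claimed_url} declares no OpenID provider link')


# Constructed identity pages: same claimed URL, provider re-pointed by editing
# the link tags. No relying party needs to be told about the change.
PAGE_BEFORE = """<html><head><title>alice</title>
<link rel="openid.server" href="https://old-op.example/server">
<link rel="openid.delegate" href="https://old-op.example/id/alice">
</head><body>alice's homepage</body></html>"""

PAGE_AFTER = """<html><head><title>alice</title>
<link rel="openid2.provider" href="https://new-op.example/endpoint">
<link rel="openid2.local_id" href="https://new-op.example/u/alice">
<link rel="openid.server" href="https://new-op.example/endpoint">
<link rel="openid.delegate" href="https://new-op.example/u/alice">
</head><body>alice's homepage</body></html>"""


def demo():
    claimed = 'https://alice.example/'
    return discover(claimed, PAGE_BEFORE), discover(claimed, PAGE_AFTER)
```

`demo()` returns the old provider and delegate for the first page and the new ones for the second, with `https://alice.example/` unchanged as the URL the user types everywhere. The flip side for a defender is that whoever can edit that page controls where logins for that identity go, so the page itself has to be as well protected as the provider account.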
- CoMpUtErITGuY, on 07/24/2008, -4/+2 Joe Stump the Yngwie wannabe guitar player?
- gameradam, on 07/24/2008, -3/+10 Does anyone actually USE OpenID?
Might sound like a silly question, but I don't know a single person who uses it. I think OpenID is a great concept but actually getting it out there onto different websites seems quite difficult and challenging.
- PhailQuail, on 07/24/2008, -0/+6 I've used it to log in to SourceForge. But it's too under-utilised to be of much use in other locations.
- maexus, on 07/24/2008, -0/+2 It's not that hard to integrate into the site if your coders are any good and wrote code that is designed to be expandable.
- MavRevMatt, on 07/24/2008, -0/+2 If it was offered on more sites I visit I definitely would. Like you said, it's a great concept but the reason no one uses it is because the implementation is so limited right now.
- dbr_onix, on 07/24/2008, -0/+1 I try to, but there is about, erm, one site I use that supports OpenID logins (userstyles.org)
- D14BL0, on 07/24/2008, -3/+4 It's about time. You'd think something as web 2.0 as Digg would have done this ages ago.
- Bloodwine, on 07/24/2008, -5/+4 Call me old-fashioned, but I prefer completely separate credentials for each and every site I visit. It's amazing how much mnemonic passwords help me in recalling them from memory.
If someone compromises my account, I want the damage to be as localized as possible.
- WarBiscuit, on 07/24/2008, -0/+3 I agree with you in theory, compartmentalization is good.
However... I categorize most of the accounts I have into four groups:
* critical - sites which actually control my personal info, like bank logins, etc.
* trusted - sites which contain personal credentials, like online stores who know my CC.
* general - sites which contain only minimal personal info, like my name.
* untrusted - goes without saying, anything even slightly shady, like some random unknown webcomic that wants an account before I can post.
For critical and trusted categories, a separate account is a given, since a compromise there MUST be contained.
However, I'll probably use a single login for the "general" category, which includes stuff like slashdot, digg, reddit, etc... it's a question of effort in securing the account vs the expense if it's compromised.
So what if someone can suddenly post as me in a few places? I don't value my karma _that_ much.
The other thing is, I can still compartmentalize by using separate OpenID accounts... and I'm still only storing my password with my OpenID provider, not with the websites themselves.
As for untrusted sites, well... those guys all get a single crap account / password with fake info anyways, so OpenID would be no loss... except I might not want them to be able to work together, so no OpenID for them :)
- MavRevMatt, on 07/24/2008, -0/+1 But with OpenID the site you're logged onto doesn't have your password. That's so many fewer ways for it to be compromised.
- mtthwmiddleton, on 07/24/2008, -2/+7 No one uses OpenID b/c no SITES use OpenID. The thing is, even though, yes, there's one password to all your accounts, now you can focus on securing that one point of entry. I have a token that I got from PayPal for $5 that generates a new 6-digit number every 30 seconds; it asks for that 6-digit number when I log in to my OpenID, so without that it's useless. Because of that, things that use my OpenID are more secure than any other password b/c it's asking for something I know (my password) and something I have (the token), so it's multifactor authentication, and any place that uses OpenID now has that w/o having to implement a multifactor authentication login themselves.
- dbr_onix, on 07/24/2008, -1/+2 First sane comment I've seen on this page.. That is by far the best feature of OpenID.
If you are paranoid, you can use (or create!) an OpenID end-point that requires one of those random-number thingys, then to confirm via SMS the SHA-1 sum of your retinal ID salted with the numeric structure of your first-born child's DNA. Or you can use a throw-away account in the vein of mailinator.com, or one that, instead of authenticating via HTTP, you log in to using your instant-messaging account, or even by phoning your provider and entering a PIN via touch-tone.
And, as you said, when there is one point of entry (the OpenID provider), you focus on the security of that end-point, and you don't have to depend on Digg (and every other site on the internet) implementing child's-DNA-salted-retinal-ID-auth
- neFariou5, on 07/24/2008, -3/+5 For people whining about security: OpenID is optional.
For people complaining about lack of OpenID-supported sites: once Digg implements it, and other big sites such as Google, all the small sites will jump aboard.
- titanx413, on 07/24/2008, -4/+3 booooo
- redwallhp, on 07/24/2008, -4/+3 I don't need OpenID. Firefox remembers my login details for me and auto-fills them, so why do I need OpenID? I have a server set up on my personal domain though, for those sites that insist on it...
- Atomic1fire, on 07/24/2008, -0/+1 You can auto-fill OpenID as well, if I remember right..
OpenID is optional, as many sites still allow signups as well as OpenIDs.
It's just a nice option to avoid registering, and if you want security on your account, to put your info with a service you trust such as VeriSign or Yahoo (maybe not AOL, considering that one search query leak, but then again I seldom use AOL search and I don't care that much).
- mozert, on 07/24/2008, -4/+2 I don't like this idea.
- eggballs, on 07/24/2008, -0/+1 I don't like that you don't like this idea.
- mozert, on 07/25/2008, -0/+1 You don't understand, dumbass. It is the very true identity of Diggers that is being threatened.
- eggballs, on 07/25/2008, -0/+1 mozert calls me a dumbass. Ironically...
- smotpoker1, on 07/24/2008, -3/+2 What I don't understand is why do we even have to ID ourselves to comment on any ***** page? With the event of the paid-off judge backing the MPAA to go through all of YouTube is the biggest slap in the face that anonymity has had in the history of the Internet. Why do they make you ID yourself at every single forum, and 98% of the comment pages make you sign in? WHY? why? why?
- P5ycHo, on 07/24/2008, -3/+3 OpenID == bad !!
It stores your login history of visited sites in one place.
Sure, it's handy, but I don't like the 'privacy' aspect of it.
- ShaunO, on 07/24/2008, -0/+2 Then run your own OpenID provider. Half the point of OpenID is that you *do* have that control.
- MScrip, on 07/24/2008, -4/+2 I already have logins for tons of sites... so now I can create an OpenID and use that instead?
Oh, wait... I already use something similar... it's called "Same Login and Password for every site."
- unrealmp3, on 07/24/2008, -0/+4 Ok, and what do you do if your password is stored in plaintext on a server and becomes compromised?
OpenID is a Single-Sign-On provider, not a Single-Password. This way your password is securely stored, and a single password change will reflect on all the sites tied to it.
- MScrip, on 07/24/2008, -0/+1 I wish you would have responded to the first line of my comment.
I am already user MScrip on Digg. If Digg became an OpenID site, will I have to create and use a new ID, and lose all of my comments, Diggs, etc?
I know what OpenID does... I just already have logins all over the web.
- Atomic1fire, on 07/24/2008, -0/+1 Not if Digg allows you to tie in one or more OpenIDs to one previously created account