Sunday, October 14, 2007

Warning: your OpenID login might be compromised

For a few months now I have used one web service that supports OpenID logins. I decided it was time for me to get myself an OpenID and start using it.

The good thing about OpenID is that it is a completely open system where multiple providers can compete. It is not a proprietary system that would be tied to the success or failure of one company, and it is not encumbered by patents or other intellectual property issues.

I looked at some of the OpenID providers and could not really see much difference there. I knew OpenID makes it possible to use any URL as your identity, so I wanted to use my blog URL. When I was looking, the only provider that openly told how to do that was claimID.com. So I chose to register with them.

I have also started using Tor, The Onion Router, to hide my location on the web (and have also turned off cookies by default and installed the NoScript and Adblock Firefox extensions).

Yesterday I was told Tor was used to steal passwords.

I immediately thought this can only happen if people mistook Tor for something other than what it is: Tor does not encrypt or scramble your traffic and magically make it secure, it only hides where and who you are. Tor cannot hide who you are if you reveal that in the content of the messages, in the form of user names and passwords.

So, if you are dumb enough to send passwords in the clear, you deserve to get your password stolen. And of course I'm not that stupid. All the important web sites I use log in over SSL-protected pages... except claimID.com.

When I use my OpenID URL to log into OpenID-enabled web services, I'm redirected to claimID.com's login page, where I log in. I had been lazy and had not verified that the login page is secured with SSL. It is not. Sometimes the login page is not SSL protected, but the login form is posted back to the server over SSL. This is not the case with claimID.com either.

This means it is possible someone running a Tor exit node has seen my claimID.com login name and password in the clear.

I started to fix this issue. First, I wanted to know if there is a way to log in to claimID.com securely that I just hadn't been using for some reason. If there was no secure login available, I would find another OpenID provider.

After some digging around, I found that claimID.com has recently made it possible to log in securely on an SSL-protected page. (Link to announcement in the title of this post.)

I have now updated my login settings to use the SSL-protected login page and changed my password at claimID.com. I also sent an email to claimID.com's support and asked them to: 1) add a secure login link to the old cleartext login page and 2) email their users telling them to start using the secure login and change their passwords.

I think it would be decent of them to do these things, but if I were claimID.com, I would probably be too embarrassed to tell my users I have made them send cleartext passwords.
