87 Comments
- wiretapped, on 07/24/2008, -7/+60
Now the bad guys can access all our ***** with one password.
- gbouchard, on 07/24/2008, -5/+34
What is OpenID? ... oh yeah, that's the thing that helps you save sooooooooo much time :D
- IHaveIssues, on 07/24/2008, -0/+23
Akin to the arrival of AOL users to the internet.
- upick, on 07/24/2008, -2/+24
would this mean digg will instantly double its users or triple well it would be a lot of new users on digg... This could create a huge mess to our digg eco system!
- ar0ne, on 07/24/2008, -8/+25
I can see it now,
"David diggs Jessica"
"Mark buried Alan's video"
"404 Stephanie's profile has exceeded maximum bandwidth"
"Jessica buried the new Facebook design"
"Tony joined the group, We are Digg, All Your Facebooks are belong to us"
- u8muhrice, on 07/24/2008, -0/+17
very interesting.. can't wait to see what happens
- cyssero, on 04/18/2009, -1/+13
What a great idea! Wait a second, isn't that just like what we have now? You know, multiple accounts with different passwords?
- mk3k, on 07/24/2008, -0/+9
Eco system? It's not really a technology group anymore.
- kitsched, on 07/24/2008, -5/+14
My 2 cents: the MOAR sites supporting OpenID the better!
- neoform, on 07/24/2008, -5/+12
I can.
I don't see myself ever using open ID even if it's available.
- nubnub, on 07/24/2008, -3/+10
No.
- gameradam, on 07/24/2008, -3/+10
Does anyone actually USE openID?
Might sound like a silly question but I don't know a single person who uses it. I think openID is a great concept but actually getting it out there onto different websites seems quite difficult and challenging.
- Culyt, on 07/24/2008, -0/+7
Actually OpenID makes it easier to be anon:
* You can set up as many fake accounts as you want.
* Use one account but differentiate what each website information sees called personas, although if you were to search across sites for the OpenID you might be able to get information from one account to the other if it's mirrored on those sites which isn't often although you can see the other sites that anon uses.
* Use mailinator type OpenID providers that always respond with a successful login.
* Set up your own very simply.
* Use a dynamic IP to host your own simple provider.
It also helps spammers, but I think requiring captchas is a good solution, you need to do this nowadays anyway and it's not hard for spammers to do the whole click link in email thing automagically anyway.
- Atomic1fire, on 07/24/2008, -0/+6
(and facebook but OpenID is clearly more important)
didn't Myspace just announce becoming an OpenID issuer?
this should be interesting, very interesting.
- ChayesFSS, on 07/24/2008, -10/+16
I personally hate the idea
- PhailQuail, on 07/24/2008, -0/+6
I've used it to login to Sourceforge. But it's under-utilised to be of much use in other locations.
- anshuman, on 07/24/2008, -2/+8
open id, Wants.
- avothecat, on 07/24/2008, -11/+17
great.
now if someone finds out your password they can take over your accounts on websites all over the internet.
not to mention the fact that when it becomes general that you use one account to access everything on the internet... the government will probably want to get involved. one universal internet website access account, the idea gives me the chills.
- mtthwmiddleton, on 07/24/2008, -2/+7
No one uses OpenID b/c no SITES use OpenID. The thing is, even though, yes there's one password to all your accounts now you can focus on securing that one point of entry. I have a token that I got from paypal for $5 that generates a new 6 digit number every 30 seconds, it asks for that 6 digit number when I login to my open id so without that it's useless. Because of that things that use my open id are more secure than any other password b/c it's asking for something I know (my password) and something I have (the token) so it's multifactor authentication, and any place that uses open ID now has that w/o having to implement a multifactor authentication login themselves.
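The password-plus-token login described in the comment above, sketched as an added example that is not part of the thread. It assumes the token follows RFC 6238 (time-based codes over HMAC-SHA1), which the comment does not state; `ProviderLogin` and its sample values are hypothetical.

```python
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6   # "a new 6 digit number every 30 seconds"

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)

class ProviderLogin:
    """Hypothetical provider-side check: password (know) plus token code (have)."""
    def __init__(self, password: str, token_secret: bytes):
        self.salt = b"constructed-salt"           # constructed; random per user in practice
        self.pw_hash = self._hash(password)
        self.token_secret = token_secret
        self.last_step = -1                       # newest time step already accepted

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return False                          # wrong password
        for step in (now // STEP - 1, now // STEP, now // STEP + 1):  # clock drift
            if step > self.last_step and hmac.compare_digest(
                    totp(self.token_secret, step * STEP), code):
                self.last_step = step             # each code is accepted only once
                return True
        return False                              # password alone is not enough

SECRET = b"12345678901234567890"                  # RFC 6238 test secret, not a real token

if __name__ == "__main__":
    p = ProviderLogin("correct horse", SECRET)
    code = totp(SECRET, 59)
    print(code, p.login("correct horse", code, 59), p.login("correct horse", code, 59))
```

Every site that accepts this OpenID inherits the second factor, because the check lives only at the provider.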
- anaesthetica, on 07/24/2008, -0/+5
Eternal September
http://en.wikipedia.org/wiki/Eternal_September
- blooby, on 07/24/2008, -0/+4
Seems like you forgot the /sarcasm tag
- WriterSD, on 07/24/2008, -0/+4
I would bury the new Facebook design. :-/
- unrealmp3, on 07/24/2008, -0/+4
Ok, and what do you do if your password is stored in plaintext on a server and becomes compromised?
OpenID is a Single-Sign-On provider, not a Single-Password. This way your password is securely stored, and a single password change will reflect on all the sites tied to it.
- PhailQuail, on 07/24/2008, -0/+4
@daza, But now it has a catchy new name and logo!
- dbr_onix, on 07/24/2008, -1/+5
Gah, no it's not. The username/password in a box schema is an equally bad (or even worse) idea - most people use the same password for their login as their email account, and that email could have far far more than just a list of sites they use..
OpenID makes it incredibly easy to do two-stage authentication - for example, when you enter your openid url in a site, it text-messages/instant-messages you and asks you to confirm that you are currently trying to log into http://example.com - you then reply "yes" and it logs you in.
Also, faking an OpenID login box is far more work than faking a standard login box..
Faking standard username/password box:
- A form with two fields, redirects to http://evil.example.com/login.php
- That login.php script writes the username/password, and maybe the referer to a file.
That's it. It can also quite easily redirect back to the proper login address so it looks like all is well.
To fake an OpenID form you have to have a form, that redirects to a page that looks exactly like the user's openID endpoint login page (different for all providers), then get their password and store it. To actually make it pass the login info is very difficult as far as I'm aware (the site you're logging into checks with the endpoint too), and if you are doing two-stage auth, it's almost impossible really..
The thing with OpenID is that the evil site you enter the ID never gets your password, it redirects to your openID endpoint URL (say, facebook). To fake that, you have to imitate both the site (say, ebay) *and* the endpoint without arousing suspicion..
The biggest problem with OpenID auth is where evil people make a login form that has "OpenID URL" and a password box, since people are used to entering a username/email and password.
Note that I've not looked into OpenID security that much, I just understand the basics of how it works. Yes OpenID has potential to be easily phishable, but it also has the potential to be absurdly more secure than the current login system..
- dbr_onix, on 07/24/2008, -0/+4
..because people don't ever reuse passwords currently, do they..
OpenID is inherently more secure than the usual username/password simply because you don't give the site you're logging into your password.
You simply say "I am myopenidprovider.com/example", then the website checks with myopenidprovider.com that you are in fact a valid user, and are currently logged in (well, first it redirects you to your openid provider
The main problem is phishing OpenID providers, which is harder to do than faking a login form (two text fields and a simple PHP script - you have to detect which provider someone is using and fake their layout), and it's very easy to add additional, hard/impossible to fake steps like confirming via SMS or email.
- pentalive, on 07/24/2008, -0/+4
Yup, as you use one authentication method for more things that one method becomes more valuable.
For your second worry, even if the Government used open id on its .Gov websites - they don't get your password, so they can't just go as you to the other sites you visit. They only get a yes or no, to indicate if you authorized or not.
Look at Vidoop, no passwords even.
- RemoteSojourner, on 07/24/2008, -0/+4
If Digg starts using OpenID you can use Google ID on Digg. That means one less ID
- WarBiscuit, on 07/24/2008, -0/+4
Don't know about Microsoft, but I'm pretty sure I read recently that
Google is signed on to become an OpenID "provider",
which means that your google account can be used as an OpenID
account... which means you're down to 2 accounts once this all goes through.
- dbr_onix, on 07/24/2008, -0/+3
There are a huge number of OpenID end-point providers. The problem currently is there is nowhere to login using them...
While myspace or whomever may have announced that they are becoming openID providers, you can't actually use them to login..
http://openiddirectory.com the OpenID providers section is 9 *pages*, the "Images" section has 5 sites.. Most of the sections have less than 10 sites..
- Culyt, on 07/24/2008, -0/+3
I suppose it's too late to reverse that?
- axepourhomme, on 07/24/2008, -1/+4
So many companies have announced their support to OpenID and we still see any major sites compatible with this cool technology... So disappointing so far.
- blakeg, on 07/24/2008, -0/+3
Unless I'm totally misreading your post, this criticism doesn't make any sense to me. That's not how OpenID works at all. The whole point is that you don't have to provide your password to some untrusted site. Your OpenID provider takes care of the authentication. You always login to your OpenID provider, and you never provide authentication info to an individual website.
Unless I'm confused, OpenID FIXES the problem you're describing, it doesn't cause it.
- inactive, on 07/24/2008, -0/+3
Combine all of those "Forgot your password?" links with a compromised email address. It's the same situation now without OpenID. OpenID also offers security benefits because you log into only one place- your OpenID provider. Your OpenID provider is more likely to take extra efforts to ensure greater security, such as using SSL and supporting multifactor authentication (ex: Verisign PIP).
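Several comments above describe the site checking with the provider instead of ever seeing a password. As an added example that is not part of the thread, this sketch shows the checks a site makes on the provider's answer, modelled on the signed assertion of OpenID Authentication 2.0. Discovery and association are replaced by in-memory dicts, and all hosts, keys and helper names are constructed.

```python
import base64
import hashlib
import hmac

MUST_SIGN = {"op_endpoint", "claimed_id", "return_to", "response_nonce", "assoc_handle"}
def sign(a, mac_key):
    """base64(HMAC-SHA256) over 'key:value\\n' for each field listed in openid.signed."""
    kv = "".join(f"{k}:{a['openid.' + k]}\n" for k in a["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

class RelyingParty:  # the site being logged into; it never handles a password
    def __init__(self, return_to, discovered, associations):
        self.return_to = return_to        # this site's own callback URL
        self.discovered = discovered      # claimed_id -> endpoint found by discovery
        self.associations = associations  # assoc_handle -> MAC key shared with provider
        self.seen_nonces = set()
    def verify(self, a):
        signed = set(a.get("openid.signed", "").split(","))
        if (a.get("openid.mode") != "id_res" or not MUST_SIGN <= signed
                or any("openid." + k not in a for k in signed)):
            return "reject: not a fully signed positive assertion"
        if a["openid.return_to"] != self.return_to:
            return "reject: assertion was issued to a different site"
        if self.discovered.get(a["openid.claimed_id"]) != a["openid.op_endpoint"]:
            return "reject: endpoint does not speak for this identifier"
        key = self.associations.get(a["openid.assoc_handle"])
        if key is None or not hmac.compare_digest(sign(a, key), a.get("openid.sig", "")):
            return "reject: bad signature"
        if a["openid.response_nonce"] in self.seen_nonces:
            return "reject: replayed assertion"
        self.seen_nonces.add(a["openid.response_nonce"])
        return "accept: " + a["openid.claimed_id"]

def provider_assert(claimed_id, endpoint, return_to, nonce, handle, mac_key):
    """Constructed stand-in for the provider, the only party that saw the password."""
    a = {"openid.mode": "id_res", "openid.claimed_id": claimed_id,
         "openid.op_endpoint": endpoint, "openid.return_to": return_to,
         "openid.response_nonce": nonce, "openid.assoc_handle": handle,
         "openid.signed": ",".join(sorted(MUST_SIGN))}
    a["openid.sig"] = sign(a, mac_key)
    return a

# Constructed sample values (hypothetical hosts and key)
ALICE, OP = "https://myopenidprovider.example/alice", "https://myopenidprovider.example/server"
SITE, KEY = "https://news.example/openid/return", b"constructed-association-key"
if __name__ == "__main__":
    rp = RelyingParty(SITE, {ALICE: OP}, {"h1": KEY})
    good = provider_assert(ALICE, OP, SITE, "2008-07-24T12:00:00Zabc", "h1", KEY)
    print(rp.verify(good), "|", rp.verify(good))   # second call is a replay
```

A page that imitates the provider can still collect a typed password, which is the phishing risk raised in the thread; these checks only stop a forged or replayed answer from logging anyone in.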
- WarBiscuit, on 07/24/2008, -0/+3
I agree with you in theory, compartmentalization is good.
However... I categorize most of the accounts I have into four groups:
critical - sites which actually control my personal info, like bank logins, etc.
trusted - sites which contain personal credentials, like online stores who know my CC.
general - sites which contain only minimal personal info, like my name.
untrusted - goes without saying, anything even slightly shady,
like some random unknown webcomic that wants an account before I can post.
For critical and trusted categories, a separate account is a given,
since a compromise there MUST be contained.
However, I'll probably use a single login for the "general" category,
which includes stuff like slashdot, digg, reddit, etc... it's a question
of effort in securing the account vs the expense if it's compromised.
So what if someone can suddenly post as me in a few places?
I don't value my karma _that_ much.
The other thing is, I can still compartmentalize by using separate openid accounts...
and I'm still only storing my password with my openid provider,
not with the website themselves.
As for untrusted sites, well... those guys all get a single crap account / password with fake info
anyways, so openid would be no loss... except I might not want them to be able to work together,
so no openid for them :)
- Culyt, on 07/24/2008, -0/+3
Every man and his dog is an OpenID provider, but that's close to useless since you can set up your own in about 5 seconds. Although it does help a bit if there are lots of people who have OpenIDs without trying to get them, although they also need to know they actually have them.
I guess the current solution would be to have a massive page of all the services that also happen to be providers such as FaceBook, LiveJournal, yahoo, Microsoft (I think they have one now or was it just planning?) so users can choose.
But if those services aren't also consumers then you still have a metric butt load of logins (although it's an improvement over one for every site).
☢
- InorganicMatter, on 07/24/2008, -4/+7
Oh no, please don't. I already have to maintain a Google and Windows Live ID, both of which try to be the "end all" ID systems.
- dandonia, on 07/24/2008, -3/+6
Open ID is a really bad idea - sure it's cool that you can use the same account detail across multiple sites but it won't be long (read already started to happen) before hackers start putting fake login boxes that look like facebook credentials on their site. Then naive people put their account details in and the hacker has their username and password. Most people use the same password and your username for facebook is your email address. This means hackers will likely have your email address and password -
http://external.pureplay.com/face-app/referral/Ref ...
For all I know that could be a legit site but how hard is it to fake these things.
The hacker can then see what you are signed up to - Amazon, ebay etc all of which have your credit card details stored on your account - you see where I am going with this.
Good idea if everyone was honest - bad idea because they ain't.
- PhailQuail, on 07/24/2008, -1/+4
Read the first 4 letters of OpenID.
The only possibility OpenID will fail is because it would be replaced by a (still open-source) alternative.
- Elranzer, on 07/25/2008, -0/+2
Gator saved us all time, too...
- RemoteSojourner, on 07/24/2008, -0/+2
Google ID is an Open ID.
- neFariou5, on 07/24/2008, -3/+5
For people whining about security: OpenID is optional.
For people complaining about lack of OpenID supported sites: Once Digg implements it and other big sites such as google all the small sites will jump aboard.
- dbr_onix, on 07/24/2008, -0/+2
Not really. I suppose it might mean more people are digging up articles instead of lurking around. Digg is hardly the pinnacle of intellectualism anyway..
- RadicalEdward, on 07/24/2008, -1/+3
Yes, because it's so organized and orderly here as is. :-/
- ShaunO, on 07/24/2008, -0/+2
Then run your own openid provider. Half the point of OpenID is that you *do* have that control.
- MavRevMatt, on 07/24/2008, -0/+2
If it was offered on more sites I visit I definitely would. Like you said, it's a great concept but the reason no one uses it is because the implementation is so limited right now.
- inactive, on 07/24/2008, -0/+2
What if your email account were to be compromised today? Think about all of those "Forgot your password?" links. OpenID is no less secure than that. Also, you can be your own OpenID provider if you so choose.
- bastawhiz, on 07/24/2008, -0/+2
OpenID is broken in that it's more difficult to use than a simple username/password box. With multiple screens to go through on signup, how is any average user supposed to understand that they need to be sent to a COMPLETELY different site so they can authenticate themselves against a different service that authenticates them with the site they were just on? From a usability standpoint, the average user has no reason to change their entire mental process for simply LOGGING IN so they can use some obscure technology that they ordinarily wouldn't be required to use anyway.
- maexus, on 07/24/2008, -0/+2
It's not that hard to integrate into the site if your coders are any good and wrote code that is designed to be expandable.
- Atomic1fire, on 07/24/2008, -0/+1
You can auto fill OpenID as well if I remember right..
OpenID is optional as many sites still allow signups as well as OpenID's
It's just a nice option to avoid registering and if you want security on your account by putting your info with a service you trust such as with verisign or yahoo (maybe not aol considering that one search query leak but then again I seldom use aol search and I don't care that much)