A Comparison of OpenID Providers

There is this very interesting comparison of different OpenID providers. What was really interesting is how few (according to the author) do not support HTTPS for all aspects of the authentication. Not using HTTPS for the entire site can lead to a session hijacking vulnerability. If a malicious user can hijack the authentication session at the IdP, then he can impersonate the user at all relying parties the user has registered that OpenID identity with.
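The exposure described above can be checked from a recorded login trace. The following is an added example, not code from the comparison or from any provider: it flags pages served without HTTPS and session cookies set without the `Secure` attribute, which a browser will then send on later cleartext requests. The host `idp.example`, the cookie names and the trace are constructed, and cookie scoping is simplified to a single host with `Path=/`.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed trace of one login at a hypothetical IdP (idp.example):
# (request URL, Set-Cookie header values returned in the response).
TRACE = [
    ("http://idp.example/", []),
    ("https://idp.example/login", ["sid=abc123; Path=/; HttpOnly"]),
    ("http://idp.example/account", []),
    ("https://idp.example/openid/auth", ["csrf=xyz; Path=/; Secure"]),
]

def audit(trace):
    """Return findings showing where the IdP session is exposed in cleartext."""
    findings = []
    insecure_cookies = set()  # cookies the browser will also send over http
    for url, set_cookies in trace:
        if urlsplit(url).scheme != "https":
            findings.append(("cleartext-page", url))
            # Every earlier cookie that lacks Secure rides along on this request.
            for name in sorted(insecure_cookies):
                findings.append(("cookie-sent-in-cleartext", f"{name} -> {url}"))
        for header in set_cookies:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                if not morsel["secure"]:
                    insecure_cookies.add(name)
                    findings.append(("cookie-missing-secure", f"{name} set by {url}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(TRACE):
        print(f"{kind}: {detail}")
```

In this trace the login form itself is on HTTPS, yet the `sid` cookie still crosses the network unencrypted on the later `/account` request, which is why HTTPS on the login page alone is not enough.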

On a related note, there was this announcement about ClaimID.com now supporting HTTPS. I would have assumed that it already did.

(Mirrored from TalkBMC)
