Skip to Content

Be careful who offers you an OpenID

First of all, let me say that I think OpenID as a technology is good, and useful, and *can* be secure. However, I just need to sound a brief note of caution – it’s nothing too major, but there is a privacy issue, and it depends on who your OpenID provider is.

The problem with OpenID from a privacy point of view is this: every single OpenID authentication request incurs a redirect to your OpenID provider, which is informed of the website you are trying to access. If it’s you running your own OpenID provider or using one from a trusted partner, that’s no problem. However, have you wondered why Yahoo, Myspace, Facebook, and all those other services are promoting OpenID and offering to be your free OpenID provider if you have an account with them? It’s not quite as altruistic as it looks. Essentially, by using your Facebook-enabled OpenID you are providing a log of every single OpenID-enabled site you visit to Facebook – in other words, you’re giving them your browsing history on a plate. This is, of course, extremely valuable to the sort of organisation that does advertising for a living, and is therefore a very good reason why you should run your own OpenID provider.

In summary, the only *safe* OpenID to use, if you value your privacy, is one run by yourself or by a trusted partner. The next best option might be an OpenID run by your employer – at least that way you know who’s following you.

You must be Logged on to comment or reply to a post.
  • The privacy concerns with OpenID providers aren’t much different than with web-based email providers.  Every time I register on a new site I’m confirming that account through a gmail address, so it’s not like the sites I visit are a complete secret anyways.  In one way or another, email providers know this information too, whether it is by scraping email content to serve ads or for some other reason buried deep in their user agreements.

    And, much like they will do with OpenID, some people choose to host their own email provider on their own personal domain to avoid these exact same privacy concerns.

    • Sorry to disagree – it’s not the same.

      Even if you are using a dishonest email provider (who is inspecting your mails) he will only get to know which new site you might have registered – but he will not get to know how often you are accessing that site.

      And well, nothing is for free – that’s why it’s better to pay for services, sometimes.

      Otherwise you force the service provider to look for other sources of income.

      Talking of account registration and emails: better check how easy it is for an attacker to hijack your mailbox – once he succeeds, he can hijack all your other accounts as well (using the “forgotten password” feature) and might go shopping with your credit card.