GetOpenID shut down on June 30, 2011.
Please read the announcement for more information.
FAQ
How do I edit the list of sites I've granted access to?
The ability to edit "always allowed" sites is coming soon. Due to popular demand, we've added it to our project wishlist.
What about the list of sites I've denied access to?
GetOpenID does not maintain such a list, so you won't have a problem accessing any service previously selected as "do not allow." Selecting "do not allow" merely cancels the signon request.
How does GetOpenID ensure my identity's security?
GetOpenID uses SSL for the password entry form, so the biggest weakness would be a genuinely weak password. Helping the user create a good password is high on our project wishlist.
Our formal analysis of the OpenID protocol indicates that the main weakness is the consumer site (the site you sign onto) fetching the page hosted at the identity URL. Exploiting this weakness would involve forging an identity URL page so it appears to point to a rogue OpenID server that would falsely verify identity. The real risk is mitigated by how the page gets fetched, usually from one Internet backbone facility to another. It would be hard to spoof the page without internal access to such a facility.
Nevertheless, GetOpenID closes even that weakness.
If you use the SSL address for your OpenID page (https://getopenid.com/identity), no one can forge your identity page because the document is digitally signed by Four Kitchen Studios with a certificate from a trusted root authority. This is the same mechanism that major online resellers use to protect your credit card.
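The check a consumer site can apply to this discovery step, as an added example (not GetOpenID's code). It assumes OpenID 1.x HTML discovery, where the identity page names its server in a link tag with rel="openid.server"; the id.example and op.example URLs and the function and class names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class OpenIDLinkParser(HTMLParser):
    """Collects <link rel="openid.*" href="..."> tags from an identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        for rel in a.get("rel", "").lower().split():
            if rel.startswith("openid.") and a.get("href"):
                # First occurrence wins; later duplicates are ignored.
                self.links.setdefault(rel, a["href"].strip())


def check_discovery(identity_url, page_html):
    """Return the discovered server endpoint and any transport warnings."""
    parser = OpenIDLinkParser()
    parser.feed(page_html)
    server = parser.links.get("openid.server")
    warnings = []
    if urlsplit(identity_url).scheme.lower() != "https":
        # Without TLS the consumer cannot authenticate the page it fetched,
        # so the server link inside it is not authenticated either.
        warnings.append("identity page fetched without TLS")
    if server is None:
        warnings.append("no openid.server link found")
    elif urlsplit(server).scheme.lower() != "https":
        warnings.append("server endpoint is not https")
    return {"server": server, "warnings": warnings}


# Constructed sample identity page (hypothetical hosts).
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example/server">
</head><body>identity page</body></html>"""

if __name__ == "__main__":
    for url in ("http://id.example/alice", "https://id.example/alice"):
        print(url, check_discovery(url, SAMPLE_PAGE))
```

The same page yields the same server endpoint for both identity URLs; only the https form lets the consumer trust that the link it read is the one the identity owner published.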
Where is my password stored?
Passwords are stored as "salted hashes" in our database. Using a salted hash means even a full download of our database wouldn't allow someone to discover your password or even which people use the same password. This is why we can't send you your password, only reset it. It's nearly impossible for even us to figure out your password from our database. (We say nearly impossible because it would take at least thousands of years on a modern supercomputing cluster.)
Is the behind-the-scenes communication between servers secure?
The short answer: sometimes.
Here's the long one: OpenID consumer sites (the sites you sign onto) can verify your credentials against OpenID servers with varying levels of certainty. Even the lowest level still uses a second verification request against the server. You'll have to read the OpenID spec for details.
Also, one site using an insecure method cannot compromise your identity at other sites. OpenID Consumer sites also never get your password. All they get is a "thumbs up" from the OpenID server. That makes OpenID safer than using the same password at multiple websites.
Does the basic (non-SSL) OpenID protocol use any encryption?
This depends on what part of the protocol is in effect. Some things are entirely at the site's discretion and not part of the protocol, like how you sign on to the OpenID server. Other parts, while specified by OpenID, still give the OpenID Consumer sites a choice of security levels. This server supports every level of security.
Rest assured that the central integrity of your account is protected by SSL at GetOpenID.com, and we offer OpenID Consumers the ability to verify your OpenID at the very highest level (SSL + RSA-key-based associations). The worst that can happen is one poorly run OpenID Consumer site allows others to use your identity on that site.

