6

I currently have one OpenID that I use from a provider, it's something like:

http://www.example.com/miffthefox/

However, I want to be able to type the address of my personal website instead of the OpenID, yet still be able to use example.com as the OpenID provider. It seems I can do this via OpenID delegation, by adding the right meta tags to my personal home page, I can redirect it to my OpenID provider.

However, since my personal home page is public, I'm worried about other users visiting my site and grabbing my OpenID. Is this something I should be worried about?

MiffTheFox
  • 3,362
  • 8
  • 31
  • 37
  • 2
    It gives people just one more piece of the puzzle to hack you. I wouldn't: http://www.codinghorror.com/blog/archives/001262.html – hyperslug Oct 05 '09 at 20:16
  • 1
    @hyperslug, you wouldn't? but you advertise your email in your profile. It can be hacked the same way. – John T Oct 06 '09 at 00:05
  • 1
    @John, it depends on what's being protected by that OpenID. One's bank might be protected by SSL, yet it's unwise to post your login id + bank. – hyperslug Oct 06 '09 at 09:04
  • someone can grab your openid details if they got access to your email. – John T Oct 06 '09 at 10:40
  • 1
    @John, that's true, so I also wouldn't advocate exposing an email address connected to your OpenID, which the one in my profile isn't. – hyperslug Oct 06 '09 at 16:42

2 Answers2

6

Just ensure your OpenID has a secure password. It's as secure as anything else over https that's password protected.

John T
  • 163,373
  • 27
  • 341
  • 348
3

Someone looking at the code of your site could then figure out that MiffTheFox uses that OpenID server. So what? You tell every web site you log into that anyway. The actual OpenID verification, as John T. says, is protected by SSL.

CarlF
  • 8,846
  • 3
  • 24
  • 40
  • 3
    Exactly. Everyone advertises their email all over the web, it's only protected by a password as well. – John T Oct 05 '09 at 21:40