Why is it dangerous to use an email address as an OpenID?

Question

Google uses email addresses as OpenID login strings for its provider service.

I was reading about a conference where they were pushing to have it incorporated into the standard. Microsoft was against this, the "official" reason being security vulnerabilities this would supposedly introduce. Is this bogus? If not, why is it insecure?

Answer 1

This goes against the minimal disclosure concept. Right now if an OpenID relying party wants your email address they ask for it and you are warned about this by the identity provider and asked to confirm it. Using the email address means it goes whether you like it or not unless you're using OpenID 2.0 which can generate unique values on a per relying party basis.

It would also be a big change for all the OpenID libraries - URLs are discoverable, you know where to go with them, email addresses are not, which was why there was outrage at Google unilaterally doing this and effectively forking the OpenID standard to suit themselves.

The other problem lies in phishing. OpenID is very vulnerable to this as users trust the relying party to redirect them to their provider after discovering it via the OpenID provided - so a "mischievous" relying party may redirect to a phishing site which saves the OpenID and the password. With Google the OpenID and password is your gmail account and password so you've not only lost control of your OpenID but your email account as well. Of course this could be secured by the provider - you could have separate email passwords and OpenID passwords, you could have a secret message on a per user basis you show on the OpenID login page, but as we're well aware users are stupid. They don't check URLs in the browser, they blindly click OK on dialog boxes, they simply don't think that a web page could be fake. By using the email address and the same password Google are exposing the majority of their users to an unacceptable risk.