简体繁体 English

OpenID身份URL是敏感信息吗？

[英]Are OpenID Identity URLs sensitive information?

原文 2010-07-08 01:33:44 7 2 security/ openid

Are OpenID Identity URLs considered sensitive information? OpenID身份URL是否被视为敏感信息？ For example, is it safe to store plain text OpenID Identity URLs in a DB or whatnot? 例如，将纯文本OpenID身份URL存储在数据库中是否安全？

I can't think of any reason that you shouldn't... but damn am I good at being wrong sometimes! 我想不出你不应该这样做的任何理由......但是我该擅长做错了！

2 个解决方案

In my opinion, it should be considered secret. 在我看来，它应该被视为秘密。 It's safe to store in DB's as plain text, but I wouldn't go around displaying people's OpenID's for anyone to view. 将数据库存储为纯文本是安全的，但我不会随意显示人们的OpenID以供任何人查看。 There are numerous reasons, some being: 原因很多，有些是：

It's not neccessary 这不是必要的
It (combined with the password) is the key to a lot of doors; 它（与密码相结合）是许多门的关键; thus it looks quite juicy to an attacker 因此，攻击者看起来非常多汁
On individual websites you can customise your identity; 在个别网站上，您可以自定义您的身份; if the OpenID is public on each of these, it would be possible to gather information about somebody who has tried to maintain independance on various sites 如果OpenID在每个上面公开，那么就有可能收集有关试图在各个站点保持独立性的人的信息

It's not critical that it remains private, however, hence the extra effort to hash (and salt/etc) it is not really neccessary. 然而，它保持私有并不重要，因此哈希（和盐/等）的额外努力并非真正必要。 It just creates another place to maintain a bit of complexity, and an area that could go wrong. 它只是创造了另一个地方来保持一点复杂性，以及一个可能出错的区域。 That said, if I saw it done, I wouldn't really be upset about it. 也就是说，如果我看到它完成了，我真的不会为此感到沮丧。

Certainly, I think it is wrong to consider an OpenID as a public bit of information. 当然，我认为将OpenID视为公共信息是错误的。

The OpenID is, basically, the User Name portion of a login. OpenID基本上是登录的用户名部分。 You don't need to treat it with any more security that you would any other UserID. 您不需要使用任何其他UserID的安全性来处理它。