Security Report: Thanks to Christian Mainka and Vladislav Mladenov

You may have noticed that OpenID is no longer a login option on Slashdot. (You can still log in or create an account directly, or in conjunction with an existing social media account at Twitter, Facebook, etc.) Why not? In large part, because of a valuable warning we received about a possible security flaw in our OpenID login system from two researchers (Christian Mainka and Vladislav Mladenov) from Ruhr University Bochum.

This and other security concerns with OpenID (here's one relevant story), as well as the fact that relatively few readers have preferred OpenID to other login methods, mean that we're unlikely to re-add OpenID as a login method. Security here trumps the additional convenience.

The code that runs Slashdot, like all software, contains code that might be exploited. We always appreciate readers who provide useful feedback on Slashdot, and even more so when readers (ethically!) identify potential security holes. By "ethically," we mean that actually exploiting any security holes, probing our systems, burdening the servers, or engaging in a DDoS just to test things out doesn't count. Spotting a problem and letting us know does, and we value that contribution highly.

Special thanks go out to Vladislav and Christian. We greatly appreciate their efforts and patience, as we do all readers who pass along suggestions, concerns, or ideas for the site. When readers find and diligently report possible security flaws, we're very grateful for their generosity in doing so.
----------

Spot a security problem on Slashdot? We'd like to give you credit on our security attribution page for helping to protect everyone in the community. Send us email at feedback@slashdot.org, and include as much detail as you can: screenshots, proof-of-concept code, and details about affected platforms are all useful and appreciated.
