Dumb mode question

Brad Fitzpatrick brad at danga.com
Sat Jul 2 22:04:46 PDT 2005


On Sun, 3 Jul 2005, meepbear * wrote:

> I just tried setting up my consumer that way and IDed to my livejournal with
> an invalid handle on checkid_immediate.
> I then went to the consumer on openid.net and replaced the id_res result
> that it got back from livejournal.com with the result my consumer got back
> and the openid.net consumer successfully IDed me so it is a problem.

Problem with my implementation, not the protocol.

See the code on CPAN:  it has a FIXME already in there for this.


>
> It's easily fixed by requiring that the consumer either verify that the
> return_to it receives as part of id_res is valid and not pointing to some
> other site, or ignore the return_to the server gives it and plug in its own
> when it falls back to dumb mode.
>
> With livejournal it's currently hard to exploit since valid ID assertions
> are only valid for 1 minute so that gives anyone a rather small window to
> act in, but it's my understanding that most other servers would set this to
> a much larger value?
>
> Maybe at the server side, the new assoc_handle for dumb mode should have an
> expiration of 1 minute or less by default? That way the server is protected
> to some degree even if the consumer isn't making sure it doesn't forward
> data it didn't check.


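To make the consumer-side fix discussed above concrete, here is an added Python example (not the CPAN module's code and not from the thread). It simulates an OpenID 1.1 server in dumb mode and two consumers: a naive one that accepts any id_res the server's check_authentication vouches for, and a hardened one that first checks that return_to is signed and points back at its own site before forwarding anything to the server. The server secret, URLs and assoc_handle are constructed values.

```python
import base64, hashlib, hmac
from urllib.parse import urlsplit

SECRET = b"constructed-server-secret"  # the server's stateless (dumb-mode) signing key

def sign(params, signed):
    """OpenID 1.1 signature: HMAC-SHA1 over 'key:value\\n' per signed field, base64."""
    token = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(SECRET, token, hashlib.sha1).digest()).decode()

def server_id_res(identity, return_to):
    """Simulated server: the id_res handed back after a checkid_* request."""
    signed = ["mode", "identity", "return_to"]
    p = {"openid.mode": "id_res", "openid.identity": identity, "openid.return_to": return_to,
         "openid.assoc_handle": "dumb-handle-1", "openid.signed": ",".join(signed)}
    p["openid.sig"] = sign(p, signed)
    return p

def server_check_authentication(params):
    """Simulated server: re-sign the forwarded fields (mode treated as id_res) and compare."""
    p = dict(params, **{"openid.mode": "id_res"})
    return hmac.compare_digest(sign(p, p["openid.signed"].split(",")), p["openid.sig"])

def naive_consumer_accepts(params):
    """Dumb-mode consumer that trusts any id_res the server vouches for (the bug in the thread)."""
    return params.get("openid.mode") == "id_res" and server_check_authentication(params)

def hardened_consumer_accepts(params, my_return_to):
    """Same consumer, but first checks that return_to is signed and points back at itself."""
    if params.get("openid.mode") != "id_res":
        return False
    signed = params.get("openid.signed", "").split(",")
    if "return_to" not in signed or "identity" not in signed:
        return False  # an unsigned return_to proves nothing
    got, mine = urlsplit(params.get("openid.return_to", "")), urlsplit(my_return_to)
    if (got.scheme, got.netloc, got.path) != (mine.scheme, mine.netloc, mine.path):
        return False  # assertion was issued for another site: do not forward it for checking
    return server_check_authentication(params)

def demo():
    victim = "https://consumer.example/openid/return"  # constructed consumer return_to
    legit = server_id_res("https://alice.example/", victim)
    # Same identity, but the assertion was issued for a different consumer's return_to.
    foreign = server_id_res("https://alice.example/", "https://other.example/return")
    return {"legit_naive": naive_consumer_accepts(legit),
            "legit_hardened": hardened_consumer_accepts(legit, victim),
            "foreign_naive": naive_consumer_accepts(foreign),
            "foreign_hardened": hardened_consumer_accepts(foreign, victim)}
```

Swapping the consumer's own return_to into a foreign assertion (the second option in the thread) also fails, because the server's signature no longer matches the forwarded fields.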