Dumb mode question
brad at danga.com
Sat Jul 2 21:46:35 PDT 2005
But openid.sig includes return_to, which is why consumers should check
that the return_to value in id_res is actually theirs.
On Sun, 3 Jul 2005, meepbear * wrote:
> Maybe I'm missing something totally obvious but what's keeping someone who
> runs a consumer from using dumb mode on other consumers to impersonate users
> that IDed to the consumer they're running?
>
> John IDs to a consumer that Jack runs which is set to purposefully pass the
> server an invalid handle on checkid_immediate. The server will set
> invalidate_handle on mode == id_res, issue a new handle and the consumer is
> expected to drop back to dumb mode and issue a POST check_immediate.
>
> Couldn't Jack now go to any other site and just copy/paste (of course make
> the path point to the other consumer and not his own) the GET request with
> mode == id_res to trick that other consumer into thinking it made a valid
> request but the server lost the handle and it's supposed to fall back to dumb
>
> But as far as I can tell, the server has no way of knowing whether
> check_authentication is coming from the right consumer or not. It's a POST
> so it can't rely on return_to. It can't authenticate the user either since
> the consumer is making the request.
>
> It will rebuild the token and compare the HMAC hash to openid.sig but
> they'll match since it's valid data from Jack's consumer. It returns a valid
> assertion and now any other consumer will believe that Jack is John?
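The consumer-side check Brad describes, as an added example that is not code from this thread or from any OpenID library: it rebuilds the OpenID 1.x key-value token over the fields listed in openid.signed, verifies the HMAC-SHA1 signature, and then insists that the signed return_to is the consumer's own. The shared key, handle and URLs are constructed sample values; in dumb mode the signature step is what check_authentication performs on the consumer's behalf, and the return_to comparison is the part only the consumer can do.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real consumer uses the association mac_key.
MAC_KEY = b"constructed-demo-secret"

def kv_token(params: dict) -> bytes:
    """Key-value form of the signed fields, in the order given by openid.signed."""
    fields = params["openid.signed"].split(",")
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields).encode()

def sign(params: dict, key: bytes) -> str:
    """Base64 of HMAC-SHA1 over the token, as placed in openid.sig."""
    return base64.b64encode(hmac.new(key, kv_token(params), hashlib.sha1).digest()).decode()

def verify_id_res(params: dict, key: bytes, my_return_to: str) -> tuple:
    """Return (accepted, reason). The return_to check is what stops a response
    issued to one consumer from being accepted at another."""
    if params.get("openid.mode") != "id_res":
        return False, "not id_res"
    signed = params.get("openid.signed", "").split(",")
    if not {"mode", "identity", "return_to"} <= set(signed):
        return False, "required fields not covered by signature"
    if not hmac.compare_digest(sign(params, key), params.get("openid.sig", "")):
        return False, "bad signature"
    if params["openid.return_to"] != my_return_to:
        return False, "return_to is not ours"
    return True, "ok"

# Constructed id_res as the server would issue it to Jack's consumer.
JACKS_RESPONSE = {
    "openid.mode": "id_res",
    "openid.identity": "http://john.example/",
    "openid.return_to": "http://jack.example/openid/return",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "mode,identity,return_to",
}
JACKS_RESPONSE["openid.sig"] = sign(JACKS_RESPONSE, MAC_KEY)
ALICE_RETURN_TO = "http://alice.example/openid/return"

def legit_at_jack():
    return verify_id_res(JACKS_RESPONSE, MAC_KEY, "http://jack.example/openid/return")

def replay_at_alice():
    """Unmodified copy presented to Alice's consumer: signature holds, return_to fails."""
    return verify_id_res(JACKS_RESPONSE, MAC_KEY, ALICE_RETURN_TO)

def tampered_at_alice():
    """Copy with return_to rewritten to Alice's URL: return_to is signed, so the sig fails."""
    return verify_id_res({**JACKS_RESPONSE, "openid.return_to": ALICE_RETURN_TO}, MAC_KEY, ALICE_RETURN_TO)
```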