Dumb mode question

meepbear * meepbear at hotmail.com
Sat Jul 2 22:02:11 PDT 2005

I just tried setting up my consumer that way and IDed to my livejournal with 
an invalid handle on checkid_immediate.
I then went to the consumer on openid.net and replaced the id_res result 
that it got back from livejournal.com with the result my consumer got back 
and the openid.net consumer successfully IDed me so it is a problem.

It's easily fixed by requiring that the consumer either verifies that the 
return_to it receives as part of id_res is valid and not pointing to some 
other site, or ignores the return_to the server gives it and plugs it 
in itself when it falls back to dumb mode.

With livejournal it's currently hard to exploit since valid ID assertions 
are only valid for 1 minute so that gives anyone a rather small window to 
act in, but it's my understanding that most other servers would set this to 
a much larger value?

Maybe at the server side, the new assoc_handle for dumb mode should have an 
expiration of 1 minute or less by default? That way the server is protected 
to some degree even if the consumer isn't making sure it doesn't forward 
data it didn't check.
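
The two consumer-side fixes proposed above, as an added example that is not part of the original post or of any OpenID library. The URLs, handle and signature values are constructed, the function names are hypothetical, and the `openid.*` field names are assumed to follow OpenID 1.x.

```python
from urllib.parse import urlsplit

# Constructed values: the return_to this consumer sent, and a replayed id_res
# response that was issued for a different consumer.
SENT_RETURN_TO = "https://consumer.example/openid/return?nonce=abc"
REPLAYED_ID_RES = {
    "openid.mode": "id_res",
    "openid.identity": "http://user.example/",
    "openid.return_to": "https://other-consumer.example/openid/return?nonce=abc",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "mode,identity,return_to",
    "openid.sig": "constructed-signature",
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(url):
    """Reduce a URL to comparable parts; raises ValueError if malformed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an absolute http(s) URL")
    port = parts.port or DEFAULT_PORTS[scheme]
    return scheme, parts.hostname.lower(), port, parts.path or "/", parts.query


def return_to_is_ours(id_res, sent_return_to=SENT_RETURN_TO):
    """First fix: accept only an assertion whose return_to is our own URL."""
    try:
        claimed = _normalize(id_res.get("openid.return_to", ""))
        return claimed == _normalize(sent_return_to)
    except ValueError:
        return False


def build_check_authentication(id_res, sent_return_to=SENT_RETURN_TO):
    """Second fix: ignore the return_to we were handed and plug in our own
    before asking the server to verify the assertion in dumb mode."""
    request = {k: v for k, v in id_res.items() if k.startswith("openid.")}
    request["openid.mode"] = "check_authentication"
    request["openid.return_to"] = sent_return_to
    return request
```
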
