Dumb mode question
meepbear at hotmail.com
Sat Jul 2 22:02:11 PDT 2005
I just tried setting up my consumer that way and IDed to my livejournal with
an invalid handle on checkid_immediate.
I then went to the consumer on openid.net and replaced the id_res result
that it got back from livejournal.com with the result my consumer got back,
and the openid.net consumer successfully IDed me, so it is a problem.
It's easily fixed by requiring that the consumer either verifies that the
return_to it receives as part of id_res is valid and not pointing to some
other site, or ignores the return_to the server gives it and plugs in its
own when it falls back to dumb mode.
With livejournal it's currently hard to exploit since valid ID assertions
are only valid for 1 minute so that gives anyone a rather small window to
act in, but it's my understanding that most other servers would set this to
a much larger value?
Maybe at the server side, the new assoc_handle for dumb mode should have an
expiration of 1 minute or less by default? That way the server is protected
to some degree even if the consumer isn't making sure it doesn't forward
data it didn't check.
More information about the yadis
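The relay described in the post, and the two consumer-side fixes plus the server-side expiry it proposes, as an added Python example. This is not code from the post, from LiveJournal, or from any OpenID library: the `DumbModeServer` and `consumer_accepts` names, the consumer URLs, the identity URL and the fixed demo MAC key are all constructed for illustration. The message shapes follow OpenID 1.1 (id_res fields, a comma-separated `openid.signed` list, HMAC-SHA1 over `name:value\n` pairs, and a `check_authentication` request that is a copy of the response with `openid.mode` swapped); the server is assumed to verify the signature with the mode set back to `id_res`, as 1.1 implementations did.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit


def sign(mac_key, fields, signed):
    """OpenID 1.1 signature: HMAC-SHA1 over 'name:value\\n' for each name in openid.signed."""
    token = "".join("%s:%s\n" % (n, fields["openid." + n]) for n in signed.split(","))
    return base64.b64encode(hmac.new(mac_key, token.encode(), hashlib.sha1).digest()).decode()


class DumbModeServer:
    """Constructed identity server: a private one-shot assoc_handle per id_res, expiring after ttl seconds."""

    def __init__(self, ttl=60):
        self.ttl = ttl
        self.handles = {}  # assoc_handle -> (mac_key, issued_at)

    def issue_id_res(self, identity, return_to, now):
        handle = "{dumb}%d" % len(self.handles)
        mac_key = hashlib.sha1(("demo-secret-%s" % handle).encode()).digest()  # fixed for the demo, not random
        self.handles[handle] = (mac_key, now)
        resp = {
            "openid.mode": "id_res",
            "openid.identity": identity,
            "openid.return_to": return_to,
            "openid.assoc_handle": handle,
            "openid.signed": "mode,identity,return_to",
        }
        resp["openid.sig"] = sign(mac_key, resp, resp["openid.signed"])
        return resp

    def check_authentication(self, req, now):
        """is_valid answer for a check_authentication request; the signature is verified as if mode=id_res."""
        entry = self.handles.pop(req.get("openid.assoc_handle"), None)  # one-shot handle: a replay finds nothing
        if entry is None:
            return False
        mac_key, issued_at = entry
        if now - issued_at > self.ttl:  # the "1 minute or less" expiry suggested in the post
            return False
        expected = sign(mac_key, {**req, "openid.mode": "id_res"}, req["openid.signed"])
        return hmac.compare_digest(expected, req.get("openid.sig", ""))


def return_to_matches(mine, received):
    """Fix 1 from the post: the asserted return_to must be this consumer's own URL (extra query args tolerated)."""
    m, r = urlsplit(mine), urlsplit(received)
    if (m.scheme, m.netloc, m.path) != (r.scheme, r.netloc, r.path):
        return False
    got = parse_qs(r.query)
    return all(got.get(k) == v for k, v in parse_qs(m.query).items())


def consumer_accepts(resp, my_return_to, server, now, substitute_return_to=False):
    """Consumer handling of id_res in dumb mode. substitute_return_to=True is fix 2 from the post instead of fix 1."""
    if resp.get("openid.mode") != "id_res":
        return False
    if not {"mode", "identity", "return_to"} <= set(resp.get("openid.signed", "").split(",")):
        return False  # an unsigned return_to could be rewritten by anyone
    if not substitute_return_to and not return_to_matches(my_return_to, resp.get("openid.return_to", "")):
        return False  # refused locally; the server is never asked
    req = {**resp, "openid.mode": "check_authentication"}
    if substitute_return_to:
        req["openid.return_to"] = my_return_to  # plug in our own URL; a relayed assertion no longer verifies
    return server.check_authentication(req, now)


def run_scenarios():
    srv = DumbModeServer(ttl=60)
    lj = "http://alice.livejournal.com/"          # constructed identity URL
    site_a = "http://consumer-a.example/openid/finish?nonce=7f3a"
    site_b = "http://consumer-b.example/openid/finish"
    t = 1_000_000.0
    # 1. Honest flow: the assertion was issued for consumer A and is used at A.
    honest = consumer_accepts(srv.issue_id_res(lj, site_a, t), site_a, srv, t + 5)
    # 2. Relay from the post: an id_res issued for A is pasted into consumer B. Fix 1 rejects it on return_to.
    relayed = consumer_accepts(srv.issue_id_res(lj, site_a, t), site_b, srv, t + 5)
    # 3. Fix 2 at consumer B: its own return_to replaces A's, so the signature no longer verifies.
    swapped = consumer_accepts(srv.issue_id_res(lj, site_a, t), site_b, srv, t + 5, substitute_return_to=True)
    # 4. The vulnerable consumer: no return_to check, forwards the relayed response untouched. Server says valid.
    resp = srv.issue_id_res(lj, site_a, t)
    unchecked = srv.check_authentication({**resp, "openid.mode": "check_authentication"}, t + 5)
    # 5. Server-side mitigation alone: the one-shot handle is refused once the ttl has passed.
    stale = consumer_accepts(srv.issue_id_res(lj, site_a, t), site_a, srv, t + 120)
    return {"honest": honest, "relayed": relayed, "swapped": swapped, "unchecked": unchecked, "stale": stale}


if __name__ == "__main__":
    print(run_scenarios())
```

Scenario 4 is the point of the post: the server's is_valid answer only says the signature is genuine, not that the assertion was meant for the consumer asking, so a consumer that forwards whatever return_to it was handed accepts someone else's login. The expiry in scenario 5 narrows the window but does not close it; one of the two consumer-side checks is still needed.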