OpenID to LID Proxy
Martin Atkins
mart at degeneration.co.uk
Thu May 26 10:35:36 PDT 2005
I've created an OpenID to LID proxy which lets anyone with a LID server
running log into an OpenID site -- in theory, at least.
In order to use it, the user must list his OpenID identity server URL as:
http://goathack.livejournal.org:9016/lidoid
...with a transformation of the LID URL concatenated on the end.
For example, the LID demo user would be:
<http://goathack.livejournal.org:9016/lidoid/lid.netmesh.org/liddemouser/>
or, for an SSL site:
<http://goathack.livejournal.org:9016/lidoid/s/lid.netmesh.org/liddemouser/>
The way I've been testing it is to put an HTML document at some dumb URL
referencing that URL and logging in as the demo user. The details are here:
<http://lid.netmesh.org/liddemouser/>
Remember that since the demo user's details are well known, you're
essentially giving whatever URL you use to everyone.
Of course, you don't trust my proxy as it might lie about you or even
exploit LID's XSS holes to steal your current LID session. In practice
you would run it yourself on your own server:
<http://goathack.livejournal.org:9016/lidoid.txt>
AJAX logins don't work. I'm not sure what I'm doing wrong, so if someone
could let me know I'd appreciate it. I'm obviously not understanding the
mechanics of the AJAX logins.
--------------
However, the most important part of this message follows:
* WARNING! * WARNING! * WARNING! * WARNING! * WARNING! *
I think there's a glaring security hole in this thing right now, but I'm
having trouble getting my head around it to figure out if it's there or
not. I'd appreciate a second opinion.
If I control a LID server I can respond with any OpenID Identity I want.
If I return one that doesn't reference the OpenID proxy then key
verification will fail as you'd expect. However, if some other person
has an identity which references the same proxy with a *different* LID
URL then I can impersonate him because there is nothing specific to the
ID server URL in the signature, and the proxy always uses the same key.
Obviously the proxy should really be maintaining some kind of state
rather than just trusting what the LID server says, but maybe I'm
missing something which means that this isn't such a big deal after all?
I plan to shortly implement proper request tickets anyway, so this isn't
a major deal. However, if I'm right and this is a problem please don't
use this proxy on any URL you wouldn't want compromised!
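To make the hole concrete, here is an added Python sketch (not the lidoid code, and using a hypothetical request-ticket design) of the proxy's assertion step: the vulnerable form signs whatever identity the LID server claims, while the ticketed form binds the identity the consumer asked about to the LID path in the proxy URL and refuses anything else. The OpenID 1-style HMAC signing, the URL transformation and all sample identities are assumptions made for the example.

```python
"""Hypothetical sketch of the lidoid assertion step; not the proxy's real code."""
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

PROXY_BASE = "http://goathack.livejournal.org:9016/lidoid"

def lid_path(lid_url: str) -> str:
    """Assumed transformation used in the proxy URL: 'https://h/p/' -> 's/h/p/'."""
    u = urlparse(lid_url)
    return ("s/" if u.scheme == "https" else "") + u.netloc + u.path

def sign(secret: bytes, fields: dict) -> dict:
    """OpenID 1-style HMAC-SHA1 over sorted 'key:value\\n' lines, one shared key."""
    signed = sorted(fields)
    token = "".join(f"{k}:{fields[k]}\n" for k in signed).encode()
    mac = hmac.new(secret, token, hashlib.sha1).hexdigest()
    return dict(fields, signed=",".join(signed), sig=mac)

def vulnerable_assert(secret: bytes, lid_claimed_identity: str, return_to: str) -> dict:
    # Signs whatever the LID server claims.  Because every path on the proxy
    # shares the same key, a rogue LID server reached through its own path can
    # obtain a valid assertion for any identity that references this proxy.
    return sign(secret, {"identity": lid_claimed_identity, "return_to": return_to})

class TicketedProxy:
    """Keeps per-request state so the LID server's answer cannot widen the claim."""

    def __init__(self, secret: bytes):
        self.secret, self.tickets = secret, {}

    def begin(self, identity: str, server_url: str, return_to: str) -> str:
        """checkid_setup: the identity must be the one this proxy path fronts."""
        prefix = PROXY_BASE + "/"
        if not server_url.startswith(prefix) or server_url[len(prefix):] != lid_path(identity):
            raise ValueError("identity is not served by the LID server at this proxy path")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (identity, return_to)
        return ticket

    def complete(self, ticket: str, lid_claimed_identity: str) -> dict:
        """LID login finished: assert only the identity the ticket was issued for."""
        identity, return_to = self.tickets.pop(ticket)  # one-shot ticket
        if lid_claimed_identity != identity:
            raise ValueError("LID server claimed an identity it does not own")
        return sign(self.secret, {"identity": identity, "return_to": return_to})
```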
More information about the yadis mailing list