dumb clients a risk?

Zefiro work at zefiro.de
Wed Oct 5 17:05:44 PDT 2005


Hi, List

My biggest (most important) question is a theoretical one and deserves a separate mail/subject. I may have missed something and
I sure hope I have. So please point it out to me :)

OpenID is about identity. So at least this must be proved: "Does this claimed identity (URL) belong to this user?" (short form
of "Does the user logged in to your site own this URL, and do they allow the trust_root (and therefore the return_to URL) to
know that?"). A Consumer must be sure about at least this, or else this doesn't make much sense.

So I will usually assume that the consumer and the server are both servers 'in the internet' (well secured hosts in maintained
locations without normal user interaction, aka not dial up / dsl home clients or university campus areas with lotsa students in
it), so they both and their connection to each other as well as their nameservers are under normal circumstances considered to
be trustworthy. However, I assume the opposite for the User-Agent and perhaps the claimed identity. While a MitM on the
User-Agent would lead to the same consequences with OpenID as with normal unencrypted password login, a malicious user must
not gain more possibilities with OpenID.

Ok, what am I talking about? -> Dumb clients.

If I understand this correctly, smart clients establish a connection to the identity server itself, agreeing on a shared secret.
Dumb clients don't. Now assuming a malicious end user can control their user agent to go to an identity server of their choice,
instead of the one the consumer thinks the user is going to, and they have their own identity server set up which validates
whatever identity they want to have - which should be possible, since in the identity there is no shared secret with the server
- then they could log in to any dumb mode client with any identity they want. Because, again as far as I understood the scheme,
the dumb client completely relies on anything the client provides it with.

I wasn't able to test this, since I wasn't able to get the PHP identity server to run. But changing the Location: header is
quite easy to do for the end user, no change to the browser needed, just a little perl proxy script. So I consider this a high
risk.

Now please soothe me that I made a mistake in my reasoning somewhere :)

*purrrr*
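As an added example (not part of the post, and not code from any OpenID implementation), here is the check a dumb-mode consumer performs on an id_res response: it binds the response to the identity and return_to it started the login with, then sends the assertion as a check_authentication request to the server it found by discovering the claimed identity URL itself. The identity URL, server endpoint, association secret and the in-process stand-ins for discovery and the HTTP POST are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not from the post): the genuine identity server, which
# the consumer learns only by discovering the claimed identity URL itself, and
# the association secret that an attacker-run server does not have.
GENUINE_SERVER = "https://idp.example.org/openid"
REAL_SECRET = b"constructed-association-secret"
IDENTITY = "http://alice.example.org/"
RETURN_TO = "https://consumer.example.com/finish"

def discover(identity_url):
    # Stands in for fetching the identity URL and reading its openid.server link.
    return {IDENTITY: GENUINE_SERVER}.get(identity_url)

def sign(params, secret):
    # OpenID 1.1 style HMAC-SHA1 over "key:value\n" per signed field; mode is always id_res.
    p = dict(params, **{"openid.mode": "id_res"})
    token = "".join(f"{k}:{p['openid.' + k]}\n" for k in p["openid.signed"].split(","))
    return base64.b64encode(hmac.new(secret, token.encode(), hashlib.sha1).digest()).decode()

def check_authentication(server_url, params):
    # Stands in for the consumer's HTTP POST to the discovered server; only the
    # genuine server can confirm a signature made with its secret.
    if server_url != GENUINE_SERVER:
        raise RuntimeError("consumer posts only to the server it discovered itself")
    return hmac.compare_digest(sign(params, REAL_SECRET), params["openid.sig"])

def verify_dumb_mode(response, expected_identity, expected_return_to):
    # Bind the response to the login the consumer started, then ask the server
    # found by the consumer's own discovery, not anything the user agent sent.
    if (response.get("openid.mode") != "id_res"
            or response.get("openid.identity") != expected_identity
            or response.get("openid.return_to") != expected_return_to):
        return False
    server = discover(expected_identity)
    if server is None:
        return False
    query = dict(response, **{"openid.mode": "check_authentication"})
    return check_authentication(server, query)

def build_response(identity, return_to, secret):
    # Builds an id_res assertion as a server (genuine or attacker-run) would.
    params = {"openid.mode": "id_res", "openid.identity": identity, "openid.return_to": return_to,
              "openid.signed": "mode,identity,return_to"}
    params["openid.sig"] = sign(params, secret)
    return params

if __name__ == "__main__":
    print(verify_dumb_mode(build_response(IDENTITY, RETURN_TO, REAL_SECRET), IDENTITY, RETURN_TO))  # True
    print(verify_dumb_mode(build_response(IDENTITY, RETURN_TO, b"attacker-secret"), IDENTITY, RETURN_TO))  # False
```

An assertion signed by a server the user agent chose fails here because the consumer never asks that server; it only asks the one its own discovery of the claimed identity URL pointed at.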


