[OpenID] OpenID as an attack relay

Martin Foster martin at ethereal-realms.org
Tue Mar 20 17:28:09 UTC 2007


Simon Willison wrote:
> On 3/20/07, Lukas Rosenstock <lukas.rosenstock at identity20.eu> wrote:
>> The example you have given could maybe be prevented by not allowing query
>> parameters in an identity URL. Current identities look like
>> "username.provider.com" or "provider.com/username", in rare cases
>> "provider.com/users/username.htm", it wouldn't hurt to make query
>> parameters invalid in an identity URL.
> 
> That feels very strange to me. We're moving from "an OpenID is a URL"
> to "an OpenID is a URL that must conform to these specific
> guidelines".
> 
> I agree that OpenIDs that contain query strings are likely to be
> rare, but I'm also certain that someone could come up with an
> interesting use of OpenID in the future for which query strings were
> well suited.

It also does not prevent them from using delegate authority tags in the 
returned page to send an OpenID session to do the same later on in the 
process.  This is probably just one of the fundamental issues with 
allowing authentication against an unknown site.

One way is to restrict OpenID to known and trusted sites, where the 
string would be completed by the server with the users providing only a 
portion of the login.  This is hardly optimal considering that the
flexibility is lost.

Throttling is what I put in, tracking the IP address and requests per 
hour.  Once limits are reached things slow or are ignored.

	Martin Foster
	Creator/Designer Ethereal Realms
	martin at ethereal-realms.org
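
The throttling described in the message above, sketched as an added example (not code from the original post or from Ethereal Realms): a per-IP sliding one-hour window checked before the relying party fetches a submitted identity URL, which first slows and then ignores requests. The class name, the limits and the delay formula are assumptions.

```python
import time
from collections import defaultdict, deque

WINDOW = 3600      # "requests per hour": window length in seconds
SOFT_LIMIT = 20    # assumed: past this, requests are slowed
HARD_LIMIT = 60    # assumed: past this, requests are ignored
STEP = 0.5         # assumed: extra seconds of delay per request over SOFT_LIMIT
MAX_DELAY = 30.0   # assumed cap on the delay


class DiscoveryThrottle:
    """Per-IP sliding-window throttle placed before the OpenID discovery fetch."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._hits = defaultdict(deque)  # client IP -> request timestamps

    def check(self, ip):
        """Return ("allow", 0.0), ("slow", delay_seconds) or ("ignore", 0.0)."""
        now = self._clock()
        hits = self._hits[ip]
        while hits and now - hits[0] >= WINDOW:  # expire entries older than an hour
            hits.popleft()
        if len(hits) >= HARD_LIMIT:
            # Ignored requests are not recorded, so each deque stays bounded.
            return ("ignore", 0.0)
        hits.append(now)
        over = len(hits) - SOFT_LIMIT
        if over <= 0:
            return ("allow", 0.0)
        return ("slow", min(MAX_DELAY, STEP * over))

    def prune(self):
        """Forget IPs with no requests in the last hour (call periodically)."""
        now = self._clock()
        for ip in [ip for ip, h in self._hits.items() if not h or now - h[-1] >= WINDOW]:
            del self._hits[ip]


if __name__ == "__main__":
    # Constructed demo: one client (documentation address) submits 62 logins at once.
    throttle = DiscoveryThrottle(clock=lambda: 0.0)
    results = [throttle.check("192.0.2.1") for _ in range(62)]
    print(results[0], results[20], results[59], results[61])
```

On "slow" the caller waits the returned number of seconds before fetching the claimed identifier; on "ignore" it drops the request without making any outbound fetch.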


