[OpenID] Automating the user's selection of OP

SitG Admin sysadmin at shadowsinthegarden.com
Mon Apr 20 20:10:12 UTC 2009


>User agents don't let you make cross-site HTTP calls however, which 
>may block the implementation of your idea.

They don't? I thought that was why XSS attacks (literally, 
"cross-site scripting") were so dangerous; but then, since you don't 
need scripts enabled (just images would do) for that, I may be 
conflating two meanings of "scripting". Depending on what content at 
OPs is restricted, and *how* it gets restricted, a script may not 
need to examine HTTP Response headers - if it could just look at 
whether a requested image was returned at all, or the size of that 
image?

Or, if OPs were to set up a special URL for allied RPs to test 
whether users were logged in - but no matter what can be achieved 
through cooperation that way, which OPs would *want* to mitigate 
OpenID's privacy by letting arbitrary sites (whoever sent the users 
similar scripts) check which supporting OPs the user was currently 
logged into (if not what their account name was), and easily transmit 
that data back to the RP?

>Don't let me stop you from trying, but I just will be surprised if 
>it will work.

I'm queasy about the idea now. Much like using XSS "for a good 
cause", I don't want to encourage users to rely on insecurity for 
their conveniences. It was just a thought; let's work on selectors a 
bit longer, make sure we do it right.

>Didn't you mention (or discuss on a thread) sometime back the idea 
>of emitting links to OPs using javascript, then sniffing whether 
>they were "visited" links or not in order to see which OPs the user 
>has been to and thereby guess which OPs are most effective to 
>display to the user?

I don't think so, though this does seem to be another instance of 
"attack" techniques (I do recall reading about it; there's a Firefox 
addon addressing the risk) being used for "good".

We've all had a lot of ideas, but they tend to get lost among the 
older threads. I'm of a mind to embark on a project to index all 
these ideas so we can easily find them later on, when we need them or 
are just interested.

-Shade
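The two probes discussed in the message above, written out as an added illustration that is not part of Shade's post, of the thread, or of any OpenID library: an RP page loads a hypothetical "only when logged in" image from each OP and reads back whether it loaded and at what size, and (the variant the quoted reply recalls) renders links to the OPs and reads their :visited styling. The OP names, image URLs and expected dimensions are made up for the example; the decision logic is split out from the browser code so it can be exercised without a browser, and the comments state the caveats (SameSite cookies, third-party cookie blocking, the :visited fix in Firefox 4 / Chrome 9) that make both probes unreliable today.

```javascript
// Added illustration (not code from the mailing list or from any OpenID
// implementation): the "did the protected image load?" login probe the
// message above speculates about, plus the :visited-link history sniff it
// recalls. OP URLs, image paths and sizes below are hypothetical.
'use strict';

// Constructed sample data: imaginary OPs with a hypothetical endpoint that
// serves an image only to logged-in users, and that image's expected size.
const OP_PROBES = [
  { op: 'https://op-one.example/',   img: 'https://op-one.example/me/avatar.png',    w: 48, h: 48 },
  { op: 'https://op-two.example/',   img: 'https://op-two.example/account/icon.gif', w: 16, h: 16 },
  { op: 'https://op-three.example/', img: 'https://op-three.example/u/badge.png',    w: 32, h: 32 },
];

// Pure decision logic, kept separate from the browser so it can run offline.
// A login page served in place of the image is HTML, so the <img> fires
// onerror; an image of the expected size means the OP recognised the session.
function inferLoginState(result, probe) {
  if (!result.loaded) return 'logged-out';
  if (result.width === probe.w && result.height === probe.h) return 'logged-in';
  return 'unknown'; // some other image came back (placeholder, error graphic)
}

// Order OPs for a selector: known logins first, then unknowns, then logged-out.
const RANK = { 'logged-in': 0, unknown: 1, 'logged-out': 2 };
function orderForSelector(results) {
  return results
    .slice()
    .sort((a, b) => RANK[a.state] - RANK[b.state] || a.op.localeCompare(b.op))
    .map((r) => r.op);
}

// Browser side. Loading a cross-site <img> is permitted by the same-origin
// policy (only reading its pixels is not), and onload/onerror together with
// naturalWidth/naturalHeight leak enough to apply inferLoginState. Caveats:
//  * the OP's session cookie must be sent on a cross-site subresource request;
//    SameSite=Lax (the default in current browsers) and third-party-cookie
//    blocking make every OP look "logged-out";
//  * a timeout is treated as "logged-out", so a slow OP is misclassified.
function probeOp(probe, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const img = new Image();
    let settled = false;
    const finish = (loaded) => {
      if (settled) return;
      settled = true;
      resolve({
        op: probe.op,
        state: inferLoginState(
          { loaded, width: img.naturalWidth, height: img.naturalHeight },
          probe,
        ),
      });
    };
    const timer = setTimeout(() => finish(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); finish(true); };
    img.onerror = () => { clearTimeout(timer); finish(false); };
    // Cache-bust so a previously cached image does not masquerade as a login.
    img.src = probe.img + (probe.img.includes('?') ? '&' : '?') + '_=' + Date.now();
  });
}

async function rankOpsByLogin(probes = OP_PROBES) {
  const results = await Promise.all(probes.map((p) => probeOp(p)));
  return orderForSelector(results);
}

// History-sniffing variant: render links to the OPs and read back their
// computed colour under a :visited rule. Firefox 4 / Chrome 9 and later
// deliberately report the unvisited style here, so on a current browser this
// returns []; it is kept to show what the technique the reply recalls did.
function visitedOps(opUrls) {
  const holder = document.createElement('div');
  holder.innerHTML = '<style>a.op-probe:visited { color: rgb(1, 2, 3); }</style>';
  document.body.appendChild(holder);
  const hits = opUrls.filter((u) => {
    const a = document.createElement('a');
    a.className = 'op-probe';
    a.href = u;
    a.textContent = u;
    holder.appendChild(a);
    return getComputedStyle(a).color === 'rgb(1, 2, 3)';
  });
  holder.remove();
  return hits;
}

// Only fire the live probes when there is actually a browser to run them in.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  rankOpsByLogin().then((order) => console.log('selector order:', order));
  console.log('visited:', visitedOps(OP_PROBES.map((p) => p.op)));
}
```

Dropping the file into an RP page and opening the console shows the selector order; the interesting observation is that the OP has no way to tell this probe from a legitimate image load, which is exactly the privacy objection raised above, and the only real defence sits on the OP side (not sending session cookies on cross-site subresource requests, or serving an identical response to everyone).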
