[OpenID] Automating the user's selection of OP

Chris Messina chris.messina at gmail.com
Mon Apr 20 20:50:45 UTC 2009


On Mon, Apr 20, 2009 at 1:10 PM, SitG Admin <sysadmin at shadowsinthegarden.com
> wrote:

> User agents don't let you make cross-site HTTP calls however, which may
>> block the implementation of your idea.
>>
>
> They don't? I thought that was why XSS attacks (literally, "cross-site
> scripting") were so dangerous; but then, since you don't need scripts
> enabled (just images would do) for that, I may be conflating two meanings of
> "scripting". Depending on what content at OP's is restricted, and *how* it
> gets restricted, a script may not need to examine HTTP Response headers - if
> it could just look at whether a requested image was returned at all, or the
> size of that image?
>
> Or, if OP's were to set up a special URL for allied RP's to test whether
> users were logged in - but no matter what can be achieved through
> cooperation that way, which OP's would *want* to mitigate OpenID's privacy
> by letting arbitrary sites (whoever sent the users similar scripts) check
> which supporting OP's the user was currently logged into (if not what their
> account name was), and easily transmit that data back to the RP?


This is how Facebook Connect works. XSS can be very useful; in and of
themselves, they're not intrinsically evil, but abusing this feature of
browsers/servers leads to bad things.

The problem with your proposal is that the RP would need to have a unique
cross-domain script that talks to N number of OPs, which is tractable but
not terribly efficient. It also adds an extra burden on the OPs and can
additionally lead to an inconsistent or "squishy" user experience — where,
depending on local system settings (and whether the user is on their
personal computer or on a shared terminal, like in an Apple store), the
positive hints you receive about logged in OPs may be misleading or
downright wrong.

This is why the CSS history detection trick [1][2][3] is so brittle — it
depends a current browser behavior that can change in its effectiveness
depending on how often a user clears their history, uses non-personal
computers or works across several different devices.



>
>  Didn't you mention (or discuss on a thread) sometime back the idea of
>> emitting links to OPs using javascript, then sniffing whether they were
>> "visited" links or not in order to see which OPs the user has been to and
>> thereby guess which OPs are most effective to display to the user?
>>
>
> I don't think so, though this does seem to be another instance of "attack"
> techniques (I do recall reading about it; there's a Firefox addon addressing
> the risk) being used for "good".
>

Luke Shepard wrote about this idea recently:

http://www.sociallipstick.com/2009/04/15/lets-detect-logged-in-state/


>
> We've all had a lot of ideas, but they tend to get lost among the older
> threads. I'm of a mind to embark on a project to index all these ideas so we
> can easily find them later on, when we need them or are just interested.


I'd be thrilled if you'd take this on using OpenID wiki!
http://wiki.openid.net!

Alternatively, you could submit them to ideas.openid.net.

Thanks,

Chris

[1] http://www.azarask.in/blog/post/socialhistoryjs/
[2] http://www.niallkennedy.com/blog/2008/02/browser-history-sniff.html
[3] http://www.niallkennedy.com/blog/2006/03/automatic-favor.html



>
>
> -Shade
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>



-- 
Chris Messina
Citizen-Participant &
 Open Web Advocate

factoryjoe.com // diso-project.org // vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090420/48c4936c/attachment.htm>


More information about the general mailing list