Discovery of an OpenID session at an OP
Peter Watkins
peterw at tux.org
Tue Dec 15 17:00:38 UTC 2009
On Tue, Dec 15, 2009 at 09:40:05AM +0100, Chris Obdam wrote:
> +1 For John :-)
Would you mind clarifying which points you're supporting?
John tells me I misread his post, that his intention was to say that
OPs could offer their users some control over this information.
I read it as the opposite. I read this as John saying that while OPs
could offer protection, such protection wouldn't be worthwhile because
there already exists this DOM/JS privacy flaw in current web browsers.
So could you please clarify whether you are saying you agree with John's
intended main point, that OPs could (should?) address this with a privacy
mechanism (in which case I'm curious whether you think the foundation and spec
should require or encourage such mechanisms) *or* whether you think the
DOM/JS flaw means OpenID shouldn't worry about user privacy?
Thank you.
-Peter
> On 14 Dec 2009, at 20:32, John Panzer wrote:
>
> > On Mon, Dec 14, 2009 at 11:21 AM, Peter Watkins <peterw at tux.org> wrote:
> > On Mon, Dec 14, 2009 at 09:48:54AM +0100, Chris Obdam wrote:
> >
> > > I think there are no real privacy issues with this idea? Ok, you know from this anonymous user that he or she has an OpenID with XXX, but is that a bad thing?
> >
> > Yes, it is a bad thing.
> >
> > 1) Privacy. I want to be in control of what information RPs have about
> > me. I see how you think it wouldn't be a big deal for someone to see that
> > I'm logged in to Google and Flickr -- what does that really say about me,
> > you think? Nothing, right? But imagine a group of ideologically similar
> > groups deciding to implement RP+OP to make it easier for like-minded
> > individuals to use all their sites without relying on some mega-OP? I
> > don't want the data-hungry folks at Facebook noticing that I'm logged
> > in to the Greenpeace or National Rifle Association unless I explicitly
> > approve letting Facebook know that.
> >
> > The OP should be able to opt-in to whatever mechanism is set up. (Note that even today, you may be able to use visited-link color hacks to determine what OPs a user has recently frequented; statistically speaking you can already get the information you're worried about.)
> >
> >
> > 2) Security. A malicious site could more intelligently target victims
> > if it could ascertain what sites the victim is logged into. There's no
> > need to attempt some online Gmail exploit if the malicious RP can tell
> > that the victim isn't logged in to Google.
> >
> > Again, per above, I think this information is probably already available to evil.org, at least statistically speaking.
> >
> >
> > I would hope that
> >
> > A) OPs would give each user control over whether this discovery was enabled
> > for his account (and possibly to whom it was available).
> >
> > B) Any spec describing this would note that the OP SHOULD give each user
> > the ability to disable this feature for their account and that the default
> > for new users SHOULD be to not provide this information.
> >
> > BTW, this sounds a lot like what Luke Shepard of Facebook described wanting
> > to add to checkid_immediate:
> > http://www.sociallipstick.com/2009/04/?y%/lets-detect-logged-in-state/
> > http://lists.openid.net/pipermail/openid-general/2009-May/018232.html