Discovery of an OpenID session at an OP

Peter Watkins peterw at tux.org
Tue Dec 15 17:00:38 UTC 2009


On Tue, Dec 15, 2009 at 09:40:05AM +0100, Chris Obdam wrote:
> +1 For John :-)

Would you mind clarifying which points you're supporting?

John tells me I misread his post, that his intention was to say that
OPs could offer their users some control over this information.

I read it as the opposite. I read this as John saying that while OPs
could offer protection, such protection wouldn't be worthwhile because
there already exists this DOM/JS privacy flaw in current web browsers.

So could you please clarify whether you are saying you agree with John's
intended main point, that OPs could (should?) address this with a privacy 
mechanism (in which case I'm curious whether you think the foundation and spec
should require or encourage such mechanisms) *or* whether you think the
DOM/JS flaw means OpenID shouldn't worry about user privacy?

Thank you.

-Peter

> Op 14 dec 2009, om 20:32 heeft John Panzer het volgende geschreven:
> 
> > On Mon, Dec 14, 2009 at 11:21 AM, Peter Watkins <peterw at tux.org> wrote:
> > On Mon, Dec 14, 2009 at 09:48:54AM +0100, Chris Obdam wrote:
> > 
> > > I think there are no real privacy issues with this idea? Ok, you know from this anonymous user that he or she has an OpenID with XXX, but is that a bad thing?
> > 
> > Yes, it is a bad thing.
> > 
> > 1) Privacy. I want to be in control of what information RPs have about
> > me. I see how you think it wouldn't be a big deal for someone to see that
> > I'm logged in to Google and Flickr -- what does that really say about me,
> > you think? Nothing, right? But imagine a group of ideologically similar
> > groups deciding to implement RP+OP to make it easier for like-minded
> > individuals to use all their sites without relying on some mega-OP? I
> > don't want the data-hungry folks at Facebook noticing that I'm logged
> > in to the Greenpeace or National Rifle Association unless I explicitly
> > approve letting Facebook know that.
> > 
> > The OP should be able to opt-in to whatever mechanism is set up.  (Note that even today, you may be able to use visited-link color hacks to determine what OPs a user has recently frequented; statistically speaking you can already get the information you're worried about.)  
> >  
> > 
> > 2) Security. A malicious site could more intelligently target victims
> > if it could ascertain what sites the victim is logged into. There's no
> > need to attempt some online Gmail exploit if the malicious RP can tell
> > that the victim isn't logged in to Google.
> > 
> > Again, per above, I think this information is probably already available to evil.org, at least statistically speaking.
> >  
> > 
> > I would hope that
> > 
> > A) OPs would give each user control over whether this discovery was enabled
> > for his account (and possibly to whom it was available).
> > 
> > B) Any spec describing this would note that the OP SHOULD give each user
> > the ability to disable this feature for their account and that the default
> > for new users SHOULD be to not provide this information.
> > 
> > BTW, this sounds a lot like what Luke Shepard of Facebook described wanting
> > to add to checkid_immediate:
> >  http://www.sociallipstick.com/2009/04/?y%/lets-detect-logged-in-state/
> >  http://lists.openid.net/pipermail/openid-general/2009-May/018232.html
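The A) and B) proposals quoted above describe a policy (user-controlled, default off, possibly scoped to particular RPs) rather than code. The following is an added example, not code from this thread or from any OpenID OP implementation, showing one way an OP could gate a logged-in-state discovery query behind such a preference. The class and function names (`DiscoveryPrefs`, `Account`, `discovery_response`), the realms, and the three response values are hypothetical; the point it demonstrates is that every path short of an explicit opt-in must produce the same answer, so an RP cannot separate "no account at this OP" from "account that declined to disclose".

```python
# Added example (not from the thread): a default-deny "logged-in state"
# discovery decision for an OpenID OP, following points A) and B) above.
# Names and realms are hypothetical.
from dataclasses import dataclass, field

UNKNOWN = "unknown"              # the only answer a non-opted-in user ever yields
LOGGED_IN = "logged_in"
NOT_LOGGED_IN = "not_logged_in"


@dataclass
class DiscoveryPrefs:
    # B): the default for new accounts is to disclose nothing.
    enabled: bool = False
    # A): "possibly to whom it was available" -- empty set means any RP
    # once the feature is enabled; otherwise only the listed realms.
    allowed_rps: set = field(default_factory=set)


@dataclass
class Account:
    identifier: str
    active_session: bool          # is there a live authenticated session?
    prefs: DiscoveryPrefs = field(default_factory=DiscoveryPrefs)


def discovery_response(account, rp_realm):
    """Decide what the OP tells rp_realm about account's session state.

    `account` is None when the browser carries no identity cookie at all.
    Every branch that does not end in an explicit opt-in returns UNKNOWN,
    so the RP's view is identical for "no account here", "account but
    feature disabled" and "account but this RP is not on the allowlist".
    """
    if account is None:
        return UNKNOWN
    prefs = account.prefs
    if not prefs.enabled:
        return UNKNOWN
    if prefs.allowed_rps and rp_realm not in prefs.allowed_rps:
        return UNKNOWN
    return LOGGED_IN if account.active_session else NOT_LOGGED_IN


if __name__ == "__main__":
    rp = "https://rp.example/"                        # constructed realm
    # Constructed accounts: a brand-new user with default prefs, a user who
    # opted in for any RP, and a logged-out user who opted in for one realm.
    fresh = Account("https://op.example/alice", active_session=True)
    opted = Account("https://op.example/bob", active_session=True,
                    prefs=DiscoveryPrefs(enabled=True))
    scoped = Account("https://op.example/carol", active_session=False,
                     prefs=DiscoveryPrefs(enabled=True, allowed_rps={rp}))
    print(discovery_response(None, rp))                       # unknown
    print(discovery_response(fresh, rp))                      # unknown
    print(discovery_response(opted, rp))                      # logged_in
    print(discovery_response(scoped, rp))                     # not_logged_in
    print(discovery_response(scoped, "https://other.example/"))  # unknown
```

The single `UNKNOWN` value in all three non-opt-in branches is the part that matters: if the OP answered "not logged in" for a user who merely has the feature disabled, the RP would learn that an account exists at that OP, which is exactly the information points 1) and 2) above object to leaking. Response size and timing would need the same care in a real endpoint.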

