[OpenID] OpenID as an attack relay
Martin Foster
martin at ethereal-realms.org
Tue Mar 20 17:28:09 UTC 2007
Simon Willison wrote:
> On 3/20/07, Lukas Rosenstock <lukas.rosenstock at identity20.eu> wrote:
>> The example you have given could maybe be prevented by not allowing query
>> parameters in an identity URL. Current identities look like
>> "username.provider.com" or "provider.com/username", in rare cases
>> "provider.com/users/username.htm", it wouldn't hurt to make query
>> parameters invalid in an identity URL.
>
> That feels very strange to me. We're moving from "an OpenID is a URL"
> to "an OpenID is a URL that must conform to these specific
> guidelines".
>
> I agree that OpenIDs that contain query strings are likely to be
> rare, but I'm also certain that someone could come up with an
> interesting use of OpenID in the future for which query strings were
> well suited.

It also does not prevent them from using delegate authority tags in the
returned page to send an OpenID session to do the same later on in the
process. This is probably just one of the fundamental issues with
allowing authentication against an unknown site.

One way is to restrict OpenID to known and trusted sites, where the
string would be completed by the server with the users providing only a
portion of the login. This is hardly optimal considering that the
flexibility is lost.

Throttling is what I put in, tracking the IP address and requests per
hour. Once limits are reached things slow or are ignored.

Martin Foster
Creator/Designer Ethereal Realms
martin at ethereal-realms.org
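
The per-IP, per-hour throttling described in the message above, as an added example that is not code from this thread or from Ethereal Realms. The class name, the thresholds and the delay curve are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

WINDOW = 3600.0     # seconds; the message tracks "requests per hour"
SLOW_AFTER = 20     # assumed soft limit: start delaying
IGNORE_AFTER = 60   # assumed hard limit: drop without fetching
STEP = 0.5          # assumed extra delay (seconds) per request past soft limit
MAX_DELAY = 10.0    # assumed ceiling on the imposed delay


class DiscoveryThrottle:
    """Per-IP sliding-window limiter for relying-party discovery fetches."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._hits = defaultdict(deque)  # client IP -> accepted-request times

    def check(self, client_ip):
        """Return ("allow", 0.0), ("slow", seconds) or ("ignore", 0.0)."""
        now = self._clock()
        hits = self._hits[client_ip]
        while hits and now - hits[0] >= WINDOW:
            hits.popleft()
        if len(hits) >= IGNORE_AFTER:
            # Not recorded, so each deque is bounded by IGNORE_AFTER entries.
            return ("ignore", 0.0)
        over = len(hits) - SLOW_AFTER
        hits.append(now)
        if over >= 0:
            return ("slow", min(MAX_DELAY, STEP * (over + 1)))
        return ("allow", 0.0)

    def sweep(self):
        """Drop idle clients so the table does not grow without bound."""
        now = self._clock()
        for ip in [ip for ip, h in self._hits.items()
                   if not h or now - h[-1] >= WINDOW]:
            del self._hits[ip]
        return len(self._hits)


if __name__ == "__main__":
    throttle = DiscoveryThrottle()
    for n in range(1, 63):  # constructed burst from one documentation address
        verdict = throttle.check("203.0.113.7")
        if n in (1, 21, 60, 61):
            print(n, verdict)
```

The relying party would call `check()` before fetching the submitted identity URL, sleeping for the returned delay on "slow" and skipping the fetch on "ignore". The key must be the peer address the server itself observed, not a value taken from a client-supplied header.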