[OpenID] Yahoo hijacking?
Max Metral
max at artsalliancelabs.com
Sat Apr 19 00:16:38 UTC 2008
I think we have to tread extremely carefully here. At some point, if
OpenID is lucky, the benefits to using it will so far outweigh the
problems (e.g. if the RP is down, if the RP hijacks the traffic, if the
value of the membership is diminished because I don't get the strong
brand affiliation, etc) that no one would think of rolling their own.
But if, right now, I have the choice between a standard that has only
partial major player adoption and even less end-user awareness AND has a
non-negligible opportunity of completely losing a user, it ain't
happening.
In a former life, I designed Microsoft Passport. I shudder to think
what would have happened had we gone out to potential partners and said,
"oh, and if the user decides after I ask them whether they are sure they
want to send their credentials to a site that they'd like to think about
it some more I will take them to MSN and offer internet access, or a
free blog, or a community site, or whatever other product that probably
overlaps with some of what you were offering them in the first place".
I imagine I'd get a call from some DOJ lackey.
Now I know that I'm overstating the real problem right now, but it's a
trajectory thing. In the Yahoo case, the words say "I do not want to
login" with a back arrow. That should not take me to www.yahoo.com.
--Max
-----Original Message-----
From: Peter Watkins [mailto:peterw at tux.org]
Sent: Friday, April 18, 2008 7:48 PM
To: SitG Admin
Cc: Max Metral; general at openid.net
Subject: Re: [OpenID] Yahoo hijacking?
On Fri, Apr 18, 2008 at 04:38:46PM -0700, SitG Admin wrote:
> >if I go to Yahoo for an OpenID login, and then change my mind and
> >say "I do not want to login", they take me to
> >www.yahoo.com!!!
>
> Side question - if they used CSRF to have you request (via GET) the
> appropriate page from the Relying Party, would that be acceptable? Is
> it sufficient to have the user notify the RP that nothing further
> will be happening, or should the user visit the site normally to
> continue further interactions, and at least have the chance to
> receive further info directly from the site?
I think it'd be good if the spec allowed the RP to ask the IdP to
send users back to a specific URL if the user declined to authenticate.
I also think it'd be fine for IdPs to not send the user back to that
"Decline URL" -- the user should be able to use their Back Arrow to
return to the RP site.
Shade -- how could a URL be both "appropriate" and CSRF?
There are some CSRF-like concerns with OpenID, to be sure (e.g., an IdP
should *always* present some sort of confirmation interface to the user
to prevent an RP from "fishing" for OpenID identities[0]), but I don't
understand your concern here.
-Peter
[0] It'd be fine for an IdP to offer choices like "don't bother asking
for confirmations when I log in to ACME.example.com in the future".
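The following is an added example, not code from the thread or from Yahoo's or anyone else's OpenID implementation. It shows the Relying-Party side of the behaviour Peter is asking for: the closest thing the OpenID Authentication 2.0 spec has to a "Decline URL" is the negative assertion, where the OP sends the user back to the RP's own openid.return_to with openid.mode=cancel instead of a signed id_res. The RP below builds the checkid_setup redirect, then classifies whatever comes back: a signed positive assertion (checked against the association secret and the expected return_to, so a third party cannot "fish" or forge an assertion), a cancel, a setup_needed, or garbage. The association handle, secret, nonce and all URLs are constructed for the example.

```python
"""Relying-Party handling of OpenID 2.0 positive and negative assertions.

Added example for the mailing-list thread above; not anyone's production code.
The association secret, handle, nonce and URLs are constructed values.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed values. A real RP obtains the handle and secret from the
# association it establishes with the OP, and the URLs are its own.
ASSOC_HANDLE = "example-assoc-1"
ASSOC_SECRET = b"constructed-shared-secret-do-not-reuse"
RETURN_TO = "https://rp.example/openid/return"
REALM = "https://rp.example/"


def build_checkid_setup(op_endpoint, claimed_id, identity,
                        return_to=RETURN_TO, realm=REALM):
    """URL that sends the user to the OP. openid.return_to is where the OP
    sends the user afterwards, whether they approve (id_res) or decline (cancel)."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": identity,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + "?" + urlencode(params)


def kv_form(fields, signed):
    """Key-Value form of the signed fields, in openid.signed order, exactly as
    the OP feeds it to the HMAC (OpenID 2.0 section 6: "key:value\\n")."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)


def sign(fields, signed, secret=ASSOC_SECRET):
    """HMAC-SHA256 over the Key-Value form, base64-encoded, as for HMAC-SHA256 associations."""
    mac = hmac.new(secret, kv_form(fields, signed).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def handle_return(query_string, expected_return_to=RETURN_TO):
    """Classify what the OP sent back to return_to.

    Returns 'authenticated', 'cancelled', 'setup_needed' or 'invalid'.
    'cancelled' is the negative assertion for "I do not want to login"; the RP
    can then show its own page instead of leaving the user stranded at the OP.
    """
    parsed = parse_qs(query_string, keep_blank_values=True)
    f = {k: v[0] for k, v in parsed.items()}
    if f.get("openid.ns") != OPENID2_NS:
        return "invalid"
    mode = f.get("openid.mode")
    if mode == "cancel":
        return "cancelled"
    if mode == "setup_needed":          # only meaningful after checkid_immediate
        return "setup_needed"
    if mode != "id_res":
        return "invalid"
    # Positive assertion: it must be addressed to us, cover the mandatory
    # fields, use our association, and carry a valid signature.
    if f.get("openid.return_to") != expected_return_to:
        return "invalid"
    signed = f.get("openid.signed", "").split(",")
    required = {"op_endpoint", "return_to", "response_nonce",
                "assoc_handle", "claimed_id", "identity"}
    if not required.issubset(signed):
        return "invalid"
    if f.get("openid.assoc_handle") != ASSOC_HANDLE:
        return "invalid"
    try:
        expected_sig = sign(f, signed)
    except KeyError:                     # a listed signed field is missing
        return "invalid"
    if not hmac.compare_digest(expected_sig.encode(), f.get("openid.sig", "").encode()):
        return "invalid"
    # A real RP also records openid.response_nonce here to reject replays.
    return "authenticated"


def make_positive_response(claimed_id, identity, op_endpoint, return_to=RETURN_TO):
    """Constructed stand-in for what a well-behaved OP sends when the user approves."""
    fields = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.response_nonce": "2008-04-18T23:48:00Zconstructed",
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed)
    return urlencode(fields)


def make_cancel_response():
    """Constructed stand-in for the OP's negative assertion after checkid_setup."""
    return urlencode({"openid.ns": OPENID2_NS, "openid.mode": "cancel"})
```

The point of the return_to and signature checks on the positive path is the "fishing" concern in Peter's footnote from the other direction: a response that was not produced for this RP, with this association, is rejected rather than treated as a login. The cancel path needs no signature, because it asserts nothing; it just tells the RP the user changed their mind so the RP can take them to its own page.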