[OpenID] Yahoo hijacking?
Max Metral
max at artsalliancelabs.com
Sat Apr 19 01:42:47 UTC 2008
This all sounds perfect, so in that case I would assume you could
confidently send them back to the return_url.
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Allen Tom
Sent: Friday, April 18, 2008 9:40 PM
To: SitG Admin; general at openid.net
Subject: Re: [OpenID] Yahoo hijacking?
The HTTP Referrer header, just like all other HTTP headers, can never be
trusted.
Currently, the Yahoo OP does not consider the client's HTTP Referrer
header when servicing OpenID Authentication requests.
Yahoo does try to verify that the return_to matches the realm by
performing Yadis discovery on the realm in the request. If the return_to
does not match the XRDS doc that we found through discovery, we'll
display a really ugly warning that the RP cannot be verified.
This realm discovery feature was added to patch a security hole in
OpenID 1.1, and is one of the main reasons why Yahoo does not support
OpenID 1. More details here:
http://openid.net/pipermail/security/2007-February/000241.html
Allen
SitG Admin wrote:
>> And where should we send the user? The openid.return_to value is not
>> necessarily the referrer,
>
> Quick question - what if the user is blocking the referer? Using a
> privacy/anonymizing plugin, etcetera? At that point the
> openid.return_to value is practically *guaranteed* not to match the
> referer. Is the user losing any security by blocking the referer?
>
> -Shade
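As an added illustration of the return_to-versus-realm check Allen describes above (example code written for this page, not Yahoo's OP code or anything from the thread): an OP-side verification that never consults the Referer, first applies the OpenID 2.0 realm-matching rules and then requires return_to to match one of the return_to URIs published in the realm's XRDS document. The XRDS is a constructed sample embedded inline rather than fetched by Yadis discovery, and the path-prefix and "*." wildcard handling reflect my reading of the spec.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed sample of what an RP would publish at its realm URL.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://rp.example/openid/finish</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def _port(u):
    # Treat an omitted port as the scheme default so "http://h/" == "http://h:80/".
    return u.port or {"http": 80, "https": 443}.get(u.scheme)

def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 section 9.2 style realm matching (my reading of the spec)."""
    r, t = urlsplit(realm), urlsplit(return_to)
    if r.fragment or r.scheme != t.scheme or _port(r) != _port(t):
        return False
    rhost, thost = (r.hostname or ""), (t.hostname or "")
    if rhost.startswith("*."):
        # Wildcard realm: return_to host must be the suffix or a subdomain of it.
        suffix = rhost[2:]
        if not (thost == suffix or thost.endswith("." + suffix)):
            return False
    elif rhost != thost:
        return False
    rpath, tpath = (r.path or "/"), (t.path or "/")
    # Realm path must be a prefix of the return_to path on a segment boundary.
    return tpath == rpath or tpath.startswith(rpath.rstrip("/") + "/")

def return_to_urls_from_xrds(xrds_text: str) -> list:
    """Collect the <URI>s of every return_to-typed <Service> in an XRDS document."""
    urls = []
    for svc in ET.fromstring(xrds_text).iter(f"{{{XRD_NS}}}Service"):
        if RETURN_TO_TYPE in [ty.text for ty in svc.findall(f"{{{XRD_NS}}}Type")]:
            urls += [u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI")]
    return urls

def op_verify_return_to(return_to: str, realm: str, xrds_text: str) -> bool:
    """OP check: return_to must fit the realm AND a discovered return_to URI."""
    if not return_to_matches_realm(return_to, realm):
        return False
    return any(return_to_matches_realm(return_to, u)
               for u in return_to_urls_from_xrds(xrds_text))
```

A request whose return_to fits the realm but is not covered by the discovered XRDS is the case where an OP like Yahoo's would fall back to warning the user that the RP could not be verified.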