[OpenID] Yahoo hijacking?

Allen Tom atom at yahoo-inc.com
Sat Apr 19 01:50:01 UTC 2008


1) The user does NOT want to sign into the site specified by the return_to
2) We don't know that the authentication request originated from that site
3) The OpenID 2.0 spec does not require OPs to send a negative assertion.

So why would we want to send the user there?

Allen

Max Metral wrote:
> This all sounds perfect, so in that case I would assume you could
> confidently send them back to the return_url.
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Allen Tom
> Sent: Friday, April 18, 2008 9:40 PM
> To: SitG Admin; general at openid.net
> Subject: Re: [OpenID] Yahoo hijacking?
>
> The HTTP Referrer header, just like all other HTTP headers, can never be
> trusted.
>
> Currently, the Yahoo OP does not consider the client's HTTP Referrer 
> header when servicing OpenID Authentication requests.
>
> Yahoo does try to verify that the return_to matches the realm by
> performing Yadis discovery on the realm in the request. If the return_to
> does not match the XRDS doc that we found through discovery, we'll
> display a really ugly warning that the RP cannot be verified.
>
> This realm discovery feature was added to patch a security hole in
> OpenID 1.1, and is one of the main reasons why Yahoo does not support
> OpenID 1. More details here:
>
> http://openid.net/pipermail/security/2007-February/000241.html
>
> Allen
>
>
>
> SitG Admin wrote:
>
>>> And where should we send the user? The openid.return_to value is not
>>> necessarily the referrer,
>>
>> Quick question - what if the user is blocking the referer? Using a 
>> privacy/anonymizing plugin, etcetera? At that point the 
>> openid.return_to value is practically *guaranteed* not to match the 
>> referer. Is the user losing any security by blocking the referer?
>>
>> -Shade
>>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
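Added example (not Yahoo's code and not part of this thread): an OP-side sketch of the two checks Allen describes, return_to against the realm (OpenID 2.0 section 9.2) and return_to against the return_to URIs listed in the realm's XRDS document (section 13). The XRDS text is constructed for the example and the network fetch of it is left out; the hostnames are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
XRD = "{xri://$xrd*($v*2.0)}"   # XRD 2.0 namespace used inside an XRDS document

# Constructed sample XRDS, as an RP would publish it at its realm URL
# (for a "*." wildcard realm the OP fetches it with "*." replaced by "www.").
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service>
    <Type>http://specs.openid.net/auth/2.0/return_to</Type>
    <URI>https://rp.example/openid/return</URI>
  </Service></XRD>
</xrds:XRDS>"""

def _port(u):
    return u.port or {"http": 80, "https": 443}.get(u.scheme)

def url_matches_realm(url, realm, allow_wildcard=True):
    """Realm matching per section 9.2: same scheme and port, host identical (or under
    a '*.' wildcard), path equal to or a sub-directory of the realm path, no fragment."""
    u, r = urlsplit(url), urlsplit(realm)
    host, rhost = (u.hostname or "").lower(), (r.hostname or "").lower()
    if u.fragment or u.scheme != r.scheme or _port(u) != _port(r):
        return False
    if rhost.startswith("*."):
        base = rhost[2:]
        if not allow_wildcard or not (host == base or host.endswith("." + base)):
            return False
    elif host != rhost:
        return False
    rpath, upath = r.path or "/", u.path or "/"
    return upath == rpath or upath.startswith(rpath.rstrip("/") + "/")

def return_to_uris(xrds_text):
    """Collect the <URI>s of every Service typed as an OpenID 2.0 return_to endpoint."""
    uris = []
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        if any(t.text and t.text.strip() == RETURN_TO_TYPE for t in svc.iter(XRD + "Type")):
            uris += [x.text.strip() for x in svc.iter(XRD + "URI") if x.text]
    return uris

def verify_return_to(return_to, realm, xrds_text):
    """OP-side decision as (ok, reason): realm check first (section 9.2.1), then the
    discovery check, where discovered URIs are matched without wildcards (section 13)."""
    if not url_matches_realm(return_to, realm):
        return False, "return_to is not within the realm"
    if not any(url_matches_realm(return_to, uri, allow_wildcard=False)
               for uri in return_to_uris(xrds_text)):
        return False, "RP cannot be verified: return_to not in the realm's XRDS"
    return True, "return_to verified against realm and XRDS"
```

A failed second check is the case where the Yahoo OP shows its "RP cannot be verified" warning instead of silently redirecting.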
