[security] Open Redirector issue with checkid_immediate

Brandon Ramirez brandon.s.ramirez at gmail.com
Sun Jun 14 21:18:25 UTC 2009


Use of the referrer header is a terrible idea.  No good can come from it,
except for statistical purposes or usability purposes.  Security-wise, it's
unreliable.

Here is just one example why:
http://support.microsoft.com/kb/178066

To be fair, OPs shouldn't be HTTP, but only HTTPS, but nevertheless, this
goes to show how one should not trust its presence or accuracy.

And true, a good browser *may* prevent it from being altered via scripting,
but that doesn't mean that they all do or always will.  Don't trust the
client.

- Brandon

On Tue, Jun 9, 2009 at 1:45 PM, David Recordon <david at sixapart.com> wrote:

> We actually just use Google for this, via URLs like
> http://www.google.com/url?sa=D&q=http%3A%2F%2Fseleniumhq.org%2F.
>
> --David
>
>
> On Jun 8, 2009, at 10:00 PM, Allen Tom wrote:
>
>> SitG Admin wrote:
>>
>>>
>>> It could also detect people who are browsing through proxies (or modified
>>> browsers) to strip the referer information for their privacy.
>>>
>> Many organizations run proxies to strip the referrer from outgoing
>> requests because of privacy issues.
>>
>> Also, checking that the referrer's domain matches the return_to could be
>> problematic for RPs that run multiple domains, but have a centralized OpenID
>> RP service. Another problematic scenario is where the RP integrates with a
>> 3rd party to implement OpenID authentication, such as Janrain's RPX or
>> Google Friend Connect.
>>
>> Allen
>>
>> _______________________________________________
>> security mailing list
>> security at openid.net
>> http://openid.net/mailman/listinfo/security
>>
>
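As an added illustration (not part of the thread, and not code from any OpenID implementation), the Python below models the two approaches the thread contrasts on the OP side: the Referer-based check, which rejects legitimate users behind referrer-stripping proxies and RPs that start the login from a different domain or via a third-party RP service, yet is satisfied by any self-consistent request to an unregistered destination; and a server-side registry of return_to endpoints, which does not depend on anything the client sends in a header. The registry contents, hostnames and request scenarios are all constructed for the example.

```python
from urllib.parse import urlparse

# Constructed registry of return_to endpoints registered with this OP
# (assumption: RPs register their return_to URLs out of band; the thread
# does not describe such a registry).
REGISTERED_RETURN_TO = {
    "https://rp.example/openid/return",
    "https://login.rpx-provider.example/openid/return",  # third-party RP service
}


def _host(url):
    return urlparse(url).netloc.lower()


def referer_check(headers, return_to):
    """The check debated in the thread: require the Referer host to equal the
    return_to host. The header is supplied by the client, so its absence or a
    mismatch tells the OP nothing reliable about where the user came from."""
    referer = headers.get("Referer")
    if not referer:
        return False  # stripped by a proxy or browser setting: legitimate user rejected
    return _host(referer) == _host(return_to)


def registry_check(return_to, registry=REGISTERED_RETURN_TO):
    """Server-side alternative: accept only https return_to URLs whose scheme,
    host and path exactly match a registered endpoint. The query string is
    left to the RP, since OpenID response parameters are appended there."""
    p = urlparse(return_to)
    if p.scheme != "https" or not p.netloc:
        return False
    for reg in registry:
        r = urlparse(reg)
        if (p.netloc.lower(), p.path) == (r.netloc.lower(), r.path):
            return True
    return False


def evaluate(headers, return_to):
    """Return both verdicts so the two approaches can be compared side by side."""
    return {
        "referer_check": referer_check(headers, return_to),
        "registry_check": registry_check(return_to),
    }


# Constructed request scenarios (hostnames invented; not captured traffic).
SCENARIOS = {
    # Plain login page on the RP's own domain.
    "direct": ({"Referer": "https://rp.example/login"},
               "https://rp.example/openid/return?state=abc"),
    # Same user, but a corporate proxy removed the Referer header.
    "privacy_proxy": ({},
                      "https://rp.example/openid/return?state=abc"),
    # RP runs several domains with one centralized OpenID RP service.
    "multi_domain_rp": ({"Referer": "https://shop.example/login"},
                        "https://rp.example/openid/return?state=abc"),
    # Self-consistent request whose return_to is not a registered endpoint.
    "unregistered_return_to": ({"Referer": "https://elsewhere.example/"},
                               "https://elsewhere.example/"),
}


def run_all():
    return {name: evaluate(h, rt) for name, (h, rt) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:24s} {verdict}")
```

Running it shows the Referer check failing two legitimate scenarios (the stripped header and the multi-domain RP) while passing the unregistered destination, whereas the registry check gives the opposite answers in all three cases because it looks only at data the OP controls.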