LiveJournal Founder Launches OpenID System
geekdreams writes "Brad Fitzpatrick, the founder of LiveJournal, has launched OpenID, an 'actually distributed identity system' for websites that accept user comments. The system utilizes decentralized servers to authenticate users, and aims to replace centralized ID systems such as Microsoft's Passport and SixApart's TypeKey. The first implementation of OpenID can be seen on LiveJournal comments pages." Previously mentioned on Slashdot, now out of development.
Here are a few of my reasons:
The dangers of knowledge trigger emotional distress in human beings.
It's somewhat interesting that the founder of LiveJournal is competing with SixApart, the new owner of LiveJournal unless I'm mistaken...
No, this is not obligatory. You chose to continue the trend...
*sigh* oh slashdot...
is still a dupe, especially when the note wasn't part of the actual submission
I am trolling
Universal hardware tokens. Please.
this further propagates the idea of centralized identity management. somewhat similar to MSN's Passport except the design is open. what this means to normal people is your identity can still be easily stolen if your identity-storing-place gets attacked. all it really benefits are people who make websites and log-in systems.
i for one will continue to use a different account with a different password for every service i use. go ahead and read my email, you'll never get into my workstation or my bank account.
The only motivation I can detect for Open Id is to save people FIVE SECONDS by logging into a new forum, website
I'd have thought the motivation was to limit the number of separate accounts you need. Having a billion accounts running around is a massive security nightmare. Either you're using the same password everywhere (and telling every web site owner your password) or you're wandering around with a notebook of thousands of passwords.
Firefox won't remember your password if the computer is a public terminal, or if you use multiple computers (e.g. at home and at work.)
No, this isn't the ultimate solution (which involves encryption, a portable very strong crypto key time-based challenge-response, and perhaps biometrics), but it could be a good half-measure.
I can hardly wait if/when systems like this become popular, to be forced to register an id like Martian5576567567 due to every other numerical possibility having been already taken, due to a lot of sites using such a system, and people forgetting about passwords or old accounts and re-registering multiple times.
Also isn't there an issue if someone discovers your password, they can "pretend" to be you on any site including sites with sensitive information such as paypal and the like...
...but a questionable implementation. This is very utopic in nature (not having a centralized server storing everyone's data) but it doesn't feel feasible to just "trust" a decentralized architecture to hold/store my personal information without designing it from the ground up with security in mind.
Just my 2 cents...
--MaxPowerDJ
If it is like LiveJournal, I am sure lots of self obsessed people will want to use the ID system.
It seems to me that "Hey, you can actually go out and download X" is news, even when "Hey, I've got an idea for X" was already news.
And Centralized systems are inherently insecure because your single point of failure is your system. The whole thing can crumble if one mistake is made. You have to build in redundancy and round-robin DNS is simply not redundant for a very large scale.
There are many fun topologies out there like Decentralized Ring (ala Gnutella2; don't knock the design just because the inventor was controversial) which work around issues in simple systems such as Distributed or Centralized. Ultimately your application will decide what the best topology to use is. Authentication is debatable but i've always found it easier to deal with differing systems for different levels of trust in the authentication (for example, to get into your bank 3 levels of authentication would be more ideal than the username and password you use for your Blog, and neither system -needs- to have the same authentication system as the other).
Sites that let you enter your name/URL/email/etc and show it without verifying you're you are lame.
On the other:
Somebody could run their own identity server that says they're http://spammer.example.com/000001/ all the way to http://spammer.example.com/999999/ and that's not a goal of this system to prevent.
If anyone can run their own identity server, then why use this rather than a (probably more user-friendly) Captcha system?
I am in total agreement with you, but such a system would be a frequent target for identity theft attacks. Therefore such a system should have multiple biometric security measures, including fingerprints, DNA, retinal scans, and voice samples.
Such a system would be the foundation of a new set of services as well. For example, if all the citizens of the world would wear a GPS transmitting necklace or under-the-skin implant no one would ever be wrongly accused of a crime or be accidentally lost in the wilderness. With bio-scanning technology the government could ensure that your vital signs were normal and if they became erratic they could send aid.
Only with a wonderful benevolent government like the United Nations can we ever begin to see the wonders of these technologies and rid ourselves of all the risks of the dangerous ideas of freedom and privacy.
We don't need single sign-on to fill in a few form fields for banking, ecommerce, or blogs. The risks-to-benefit ratio just never works out. It's a few fucking form fields for Christ's sake! And in the case of a blog, it's 2 form fields! Remembering form field data is possibly a task for the client os/browser, it is not a task for an over-engineered back end, centralized or distributed. I might buy the argument that owning a single ID across blogs might be nice, but you are not getting my password.
Something like this is simply DOA. Few content providers will take advantage of this because they have their own in house and/or have never heard of this guy or his company. If say, Yahoo was to do it, it'd take off like wildfire. But Yahoo's a perfect example... their one id system is and has been in place all throughout their growing universe of web content. As is, does the creator really think that people will be clamoring for one for a blogging site? c'mon... blogging is still quite the ego-centric niche.
11. Profit!!!
(Sorry, had to!)
Zhrodague.net - I do projects and stuff too.
Many blogs require you to register in order to be able to comment so that the person who runs them can control trollish behavior. This sort of system is good for letting people avoid having to register to be able to post on dozens of blogs.
Registration is mostly good for keeping away trolls who can't even take the time to learn their native dialect of English well enough to write a coherent and grammatically correct post. Sometimes it's horrifying to read the structure of such posts because you realize how far our schools have fallen. I've gotten ones that if I didn't have a college-level grasp of English, I'd have no idea what was being said.
As long as security is the first priority, this is a good thing. What I wonder though, is how secure this could really be without centralization. The appeal of SixApart's service is that SixApart is guarding it aggressively from being cracked... so who runs this service? I'm not sure how well you could trust a P2P system like this since you have no definitive authority to say "this user is who he/she says they are."
Click here or a puppy gets stomped!
And they will conveniently have a full and complete list of "nice people" for whatever re-education program the UN comes up with...
No thanks. I barely trust my government, and I vote for the suckers.
"Piter, too, is dead."
About openID
Sometimes i wonder
Why we don't have it shut
Closed ID seems smarter
Burma shave
Seriously, all this jazz about the OpenID systems left, right and centre from so many sources, yet none of them work, perhaps a new vector is required
The only things certain in war are Propaganda and Death. You can never be sure which is which though
Bahah!!! I didn't vote for Bush! Either time! I only trust the government when they are significantly different from corporations. Currently, the two are synonymous. Corporations are the primary evil and government is secondary unless coopted by corporations which they currently are. So you can't trust anyone. As far as individuals go, they're all corrupt. I don't trust you at all. And you shouldn't trust me. Only non-sentient frameworks are trustworthy. Machines are ultimately the most trustworthy as long as no humans are involved. Learn about cubic time!! You are all singularity stupid!
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
On the http://openid.net/ page, it suggests that untrusted websites might popup a login dialog for your own trusted server. That would open a huge hole for man-in-the-middle attacks based on the various browser "url hiding" vulnerabilities. The fact that that behavior is suggested as canonical seems unwise.
So your first argument is that one of the components involved had a security problem? You'd better stop using the internet then, or maybe even your own CMS.
The end goal of this is much more grandiose. One thing that is both a strength and weakness of the Internet is anonymity. Blanket anonymity has no doubt been a plus for many people over the years, but it's now much more of a problem than it's worth. The Internet in general needs a way for the average user to present credentials to internet services that is automated, fast, and simple. This would be a building block for validation of web sites, e-mail messages, decentralized public key distribution, and a lot of other useful (and badly needed) services. Removal of blanket anonymity (but not elimination of all anonymity) will improve the signal to noise ratio of internet data by several orders of magnitude.
That's why that feature of firefox gets disabled by many corporations. It's very insecure. Other options for storing long, non memorable passwords include palm pilots, dedicated password PDAs, and such. They're clunky and sooner or later passwords will become too long to type in anyway. Being able to reference the place to *get* the user's password (along with their encryption settings, public key, etc) is actually more secure.
The Internet is by its nature much more interdependent than you know. It's impossible to do anything online without using at least a few dozen interlinked systems and standards. In general, keeping it simple is a good design rule but it tends to produce simple, monolithic system designs that are unsuited to Internet scale activities. For an example of a large scale distributed service that is as simple as possible on the Internet, check out the DNS design RFC.
This is an over-generalization. True that dependence on proprietary systems is generally bad because proprietary systems are usually not subject to the public evolutionary process applied to open standards, and therefore can have more problems. In general, simplicity triumphs over complexity when two ways of doing the same work are compared. Complexity wins out if a better (faster, easier) way of doing the work happens to be more complex.
I'm presuming you mean people could send e-mails saying "go to this URL". They can do that now. This would actually help with Phishing deterrence if users learned to only trust "verified" e-mail sender identities.
A big reason for me to like this (and dislike it at the same time for security reasons) is that with a widely distributed system like this it will make it easier to keep track of who said what, even across multiple web sites. Each person would have the same name across many web sites, so those of us who are involved in multiple online communities can more easily keep track of people that share more than one common community with us. For example, I could identify Slashdot posts by people that go to the iDevGames forums like I do.
Forgive me if I'm being naive, but couldn't we have more or less open posting if whatever bulletin board system required a PGP encrypted post, and checked it against a central authority, or even several authorities?
Computers are useless. They can only give you answers.
-- Pablo Picasso
Actually, as near as I can tell it doesn't "prove" anything. Anyone who learns or knows the URL can pretend to be me on this or any other site. Especially if you're dumb enough to use the subdomain format shown. (e.g. brad.livejournal.com)
Without a private portion (password) it fails at authentication of identity, and devolves to just being "easy"...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
I for one welcome our new and trendy overlords.
There seems to be quite a proliferation of these services, eg. NoCatAuth, which is used in several projects.
Oh well, what the hell...
Are you kidding? Go try it.
Go try to convince an OpenID consumer that you're brad.livejournal.com.
The whole point of OpenID is that you *can't* use the URL just because you "learn" or "know" it. Do you really think they were just relying on no one else knowing your identity URL?
Unless you really DO own (or pwn) brad.livejournal.com, you won't be able to change its content. Part of the content is a tag specifying an OpenID server.
Brad will only put a tag in there pointing to a server that he knows won't allow anyone but him to use the identity. You can't change the tag. So how you propose to convince any site that you are him, just because you "know" his URL?
Did it ever occur to you, and those like you, that blogs and livejournals have given several hundred thousand Americans (just Americans alone) a new stake in online freedom of speech? The EFF now has a potential base of support from hundreds of thousands of bloggers who don't want the FCC and FEC telling them what they can and cannot say online. That means that online speech is now rapidly becoming a popular issue rather than a "geek issue."
And you want to know what ruins the net even more? Trolls. It doesn't matter where they are rearing their ugly heads, trolls do real damage to any discourse online. If a troll were to talk the way that most of them do in a bar, they'd probably be murdered by having a glass bottle smashed over their head and then get stabbed with the jagged edges. Yet there are tons of trolls out there, and you worry about someone writing a narcissistic blog or LJ about their life for their friends? I've only seen a few of that type care if anyone outside their circle of friends and family reads their posts.
And you know what? What makes you think that your comments on slashdot are any different, in principle, from a blog post? How are tons of comments in this forum about natalie portman petrified, and all of the other trollish bullshit not destroying the net just as much? No my friend, the net is just beginning to look more and more like the "offline world."
Click here or a puppy gets stomped!
You just lack creativity.
Hey!! Don't throw your garbage down here!
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Providing you actually have a URL, this may be slightly better than the existing typekey technology. However, only 1 in 14 internet users has their own blog or website. The more options the better I suppose, but this is really an evolutionary step rather than a revolutionary one.
I am treading out in unknown territory here, but is it not possible to use some authentication mechanism on a central server, and verify it, you know like Kerberos/Passport/alternative? Or is open-id trying to do exactly that?
You're right! In his pages and pages of specs, he totally missed the attack of "just typing someone else's URL!" I wonder why he never thought of that!
Thank you for your thoughtful analysis.
A few days before the LiveJournal system came out I released something very similar (this is not sour grapes; they have very generously acknowledged my work) called mIDm. You can view it here: http://www.downes.ca/idme.htm
I was very pleased to see the LiveJournal system because it acknowledges what no system has done before: that identity belongs in the hands of the users.
This has two major aspects:
First, as argued over and over on the LiveJournal site, this is not an authentication system, it is an identification system. You are not being required to prove you are who you say you are, you are instead being given a mechanism to declare who you are.
It is, in purpose and intent, as secure - and no more secure - than filling out a web form. But the idea here is that you fill out the form just once, and then using a system of call-backs (to ensure your personal information isn't spoofed) you can use that information anywhere on the web.
Let me repeat that, in case you didn't get it: anywhere on the web.
The idea is, if you want, you can have the *same* identity on each of dozens of websites. Which means, say, if your email address changes, you change it once, and this information is now available (if you want it to be) to all of your accounts. Ditto your home page.
I will leave the many many applications - such as web-wide personalized display, in-page messaging, multi-site social networking, and more - as an exercise to the reader.
Second, what it means is that the system is distributed. This means that there isn't some centralized grand poobah of identity (the way Passport tried to be, the way Sxip is trying to be). It means you can choose any system you want to host your identity or you can build your own.
Let me repeat that: you can build your own.
Don't like their security. Make yours tighter. Too much lag on LJ. Host it yourself. Want to send different emails to different types of site. Code it.
One of the mistakes made in previous systems was in the use of a one-size fits all model, which meant that the level of security had to be at the highest possible - which is orders of magnitude more than someone needs merely to write blog posts and comments. Building a distributed system allows each person to decide how much - or how - security is appropriate.
Having made these two points, I would like to mention briefly where my system goes beyond LJ's. In their system, you are still typing your home URL at each site you visit. In mine, you don't ever have to type your home URL - it is stashed in the browser agent environment variable, where it can be picked up by any site that needs it. Oh I know, you probably shouldn't do that - but I've been testing this for months with no ill effects. YMMV, and if you have a better idea, I'm all ears.
Despite the naysayers here on Slash, this system - or something very like it - will become the norm on the internet very soon.
Why?
- Because it will be very simple to install for websites, especially after things like Drupal and Wordpress modules are built.
- Because it will be very simple for the user, because they just need to type one thing in (or extensions will be built for my type of system).
- Because it will work.
- because it will be no less safe, and probably more safe, than filling forms willy-nilly everywhere you go.
this sounds like the stuff XDI.org do. with i-names and so on...
no sig for you
Ok I'm sold! I already thought it was a good idea, but the best part is, if you are worried about the stability of an OpenID server [and want your personal URL] it is convenient even if you don't have the ability to run your own OpenID server! You can just DELEGATE! Enter your personal URL, but it will do the actual identification from whatever OpenID server you point it to [say livejournal]. That way, if LJ [or your chosen OpenID server] goes away, you simply change your delegation to point to another OpenID server [where you will need an account of course], but you will still have your own URL as your identity. You don't have to change it just because your OpenID server doesn't exist anymore. Very nice!
Nothing to see here
What if we took this idea a step further and added a form of authentication, namely, signing of messages?
Here's what I have in mind, please point out any flaws in my logic:
- I log into livejournal.com using my id, "hisham".
- I post a message at foo.com using my OpenID, hisham@livejournal.com.
- foo.com sets a cookie in my browser, and issues a request to livejournal.com, with the cookie and the message.
- livejournal.com receives the request, verifies the cookie (confirming that the request from foo.com was posted by a browser who's actually currently logged as hisham in livejournal).
- livejournal.com then signs the message and sends the signature back to foo.com.
- foo.com posts the message saying that hisham@livejournal.com posted it, with the signature in the end (or most likely, accessible through a link).
- If anybody wants to verify if the message is legit, they can copy-paste the message and the signature and check it in a verification form in livejournal.com.
The system is still fully decentralized (anyone can host their own "OpenAuth" servers) and you only need to trust one of the sites (the signer), not both as in OpenID (though "trust" in the sense of OpenID means just identification, not authentication -- and I'm fine with it since that's its purpose).
Off the top of my head, the only two potential issues I see are:
- the signer server would see everything you posted anywhere -- but anyway, Google see all my emails... if this is a concern, host your own server;
- the load on the servers -- would this be a big problem? most sites could use lighter, less CPU-intensive cryptography... again, if this is a concern, host your own server with 1024-bit crypto.
What do you people think? Could something like this work??
The filesystem is the package manager
Which is the problem. It doesn't need to be your URL.
My current comments stand, with a couple of exceptions. First, it appears that you have to "authorize" a site. Second, you have to be logged in.
Given those two conditions, it appears I could easily impersonate someone on a site they frequent if they have a session running AND if I know (from their sig, perhaps) their URL/domain.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
1. Say your home URL is www.slashdot.org/~shmlco. You log into slashdot.org, and slashdot gives you a cookie as it always does. This is how slashdot verifies you are logged in.
2. You go to randomblog.com. You want to post a comment as shmlco from slashdot. So you give randomblog.com your URL, www.slashdot.org/~shmlco.
3. randomblog.com establishes a shared secret with slashdot.org cryptographically, if it has not done so already.
4. randomblog.com sends your browser to whatever authentication URL is specified in the link tag of your site, for example: <link rel="openid.server" href="http://www.slashdot.org/openid-validate.cgi">
5. Your browser hits www.slashdot.org/openid-validate.cgi, which can validate that you are logged into www.slashdot.org (just like any slashdot page can), based on your cookies.
6. If you are logged in, slashdot.org signs a certificate saying so, using the shared secret as a key, and redirects you to someblog.com with the signed certificate as one of the parameters.
7. someblog.com decrypts the certificate, and therefore knows that your browser is signed into slashdot.org.
As you can see, your proposed attack could not work, because you don't have the victim's cookies in your browser, nor do you have the shared secret you would need to fabricate a certificate.
I mean really, don't you think that someone who took the time to write a detailed spec would think of obvious attacks like the one you propose?
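The seven steps in the comment above, as an added Python example that is not part of the original thread and is not OpenID's real wire format. The class names, the message layout, the use of HMAC-SHA256 and the direct hand-over of the shared secret (the comment only says it is established "cryptographically") are assumptions of this sketch; the browser is modelled as nothing more than the cookie it carries.

```python
import hashlib
import hmac
import secrets

IDENTITY_URL = "http://www.slashdot.org/~shmlco"  # home URL used in the comment


def sign(secret, identity_url, return_to):
    """MAC over the claimed identity and the site the assertion is meant for."""
    message = f"identity:{identity_url}\nreturn_to:{return_to}\n".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class IdentityServer:
    """Plays slashdot.org: knows who is logged in and signs assertions."""

    def __init__(self):
        self.sessions = {}       # session cookie -> identity URL
        self.associations = {}   # association handle -> shared secret

    def login(self, identity_url):
        # Step 1: a normal site login that leaves a cookie in the browser.
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = identity_url
        return cookie

    def associate(self):
        # Step 3: one shared secret per consumer (assumption: handed over
        # directly here instead of being negotiated over the network).
        handle = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self.associations[handle] = secret
        return handle, secret

    def validate(self, cookie, claimed_url, return_to, handle):
        # Steps 5-6: sign only if the browser's cookie belongs to the
        # claimed identity; otherwise return no assertion at all.
        if self.sessions.get(cookie) != claimed_url:
            return None
        return sign(self.associations[handle], claimed_url, return_to)


class Consumer:
    """Plays randomblog.com: checks the assertion that comes back."""

    def __init__(self, server, return_to):
        self.return_to = return_to
        self.handle, self.secret = server.associate()

    def verify(self, claimed_url, signature):
        # Step 7: recompute the MAC and compare in constant time.
        if signature is None:
            return False
        expected = sign(self.secret, claimed_url, self.return_to)
        return hmac.compare_digest(expected, signature)


def run_demo():
    server = IdentityServer()
    blog = Consumer(server, "http://randomblog.com/comment")
    other = Consumer(server, "http://otherblog.example/comment")  # constructed

    # The real owner is logged in, so the server signs for them.
    owner_cookie = server.login(IDENTITY_URL)
    owner_sig = server.validate(owner_cookie, IDENTITY_URL,
                                blog.return_to, blog.handle)

    # Someone who only knows the URL has no valid cookie: nothing is signed.
    impostor_sig = server.validate("no-such-cookie", IDENTITY_URL,
                                   blog.return_to, blog.handle)

    # A self-made assertion fails because the shared secret is unknown.
    forged_sig = sign(secrets.token_bytes(32), IDENTITY_URL, blog.return_to)

    return {
        "owner": blog.verify(IDENTITY_URL, owner_sig),
        "impostor_no_cookie": blog.verify(IDENTITY_URL, impostor_sig),
        "forged_signature": blog.verify(IDENTITY_URL, forged_sig),
        # An assertion issued for one site is useless at another one.
        "replayed_to_other_site": other.verify(IDENTITY_URL, owner_sig),
    }


if __name__ == "__main__":
    print(run_demo())
```
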
Problems with OpenID
I put off reading the OpenID spec because I thought it was probably flawed. Now I just feel like applying my head to my desk.
OpenID is led by this philosophy:
The above is taken from a discussion of vulnerabilities. The problem with this lowest common denominator approach is that it's horribly broken. OpenID is currently no better than just giving the URL of your blog.
The number one problem is the complete lack of integrity checking. Everything in OpenID seems to be perfectly happy to let their requests be modified in transit. I think the problems with this are pretty damn obvious: nothing can be trusted. Fortunately, fixing this is pretty simple: use TLS. In today's shared hosting environment, you probably want to require support for server name indication.
Another brilliant idea: transmit the key that you'll use for signing later in plaintext.
I believe "limited in some way" means "completely insecure." "Dumb mode" is not safe because there's no key associated with the server, so there's no way to ensure you're talking to the same one or that someone isn't tampering.
I also don't see much point in using a symmetric key for speed and security when you're just encrypting a short string. It's so tiny that both improvements are similarly small.
Perhaps the biggest problem with OpenID is its reliance on sending a user to another page to login. It's just too easy to spoof a page and fool most people. Even better, you can open a window using Javascript and hide the location bar. Even if you normally use TLS, most people probably won't notice if it's missing or the certificate is different. Also, most sites (including LiveJournal) include a completely insecure assurance that you're secure. For example, LiveJournal says "LiveJournal Secure Site "
A simpler and more secure alternative
The only way to fix this is (gasp) get users to carry their own keys. If you stored your key in a bookmarklet or extension, you could sign something with it. This is completely feasible because Javascript cryptography implementation is done. You could submit your public key with the signed comment. If you wanted to associate yourself with a URL, all you need to do is link to a page with the public key. If the same public key can be used for the signature.. That's right, no special identity server is needed. The public key could be submitted directly or it can be linked to. It might be a pain to write out the entire URL to the key, so perhaps autodiscovery-from-HTML should be supported:
<link rel="openpgp.key" href="http://www.livejournal.com/pubkey.bml?user=a trustheotaku"
Note that no TLS is needed. The signature is secure in and of itself. If you want to support all the fanciness (e.g. revocation) of OpenPGP (spec), then you just need the
So one could almost say that it's like a passport that allows you to "log on" to lots of different sites...
thanks for your efforts and endorsement! I love this idea!
One solution would be the iButton
Harald
How does this prevent me from saying I'm, for example, the previous user that posted a comment? He has his server set to trust the site I am posting on, and I'm using his name, so shouldn't the server accept my comment, since it doesn't know who's posting? I know this is not supposed to be an authentication scheme, but an identification scheme where everyone can claim to be anyone else isn't that good, IMO.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
A new scheme for this is actually pointless, because it just reinvents an existing wheel and does so far less effectively than before.
That previously invented wheel is PGP keys.
They were created for a different purpose, but they already contain a string that can be used as a legible identifier (which commonly contains a URL or email address), and they are trivially checked, and they are vastly more proven and secure as a means of trusted identification, and they already operate through a distributed system of public keyservers, and there is already a huge web of trust built around them, and of course OpenPGP and GnuPG are already fully free and open systems.
So why reinvent a wheel, and badly? Use PGP keys for login recognition, and any security concerns just evaporate.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
There is a cookie.
Well first of all, ShatteredDreams mentioned LiveJournal. Take a look at the typical LJ and you will see that it matches the stereotype given to it very well. LJ's are not the pinnacle of individual expression. Sorry. I'm sure there are a few "good" ones there, but they do not represent a majority that ShatteredDreams thinks he can count on to "save the net".
Blogs in general are not very good sources of high quality information or discussion. I'll stick to my favorite professors, writers, and other authors over the vast majority of the blogs out there.
Because of the cookie the openid server makes sure is set, so that you're logged in as the name you're giving to a site to leave a comment on. ;)
Ah, I see now, I must have missed that in the spec, thanks. :)
Send email from the afterlife! Write your e-will at Dead Man's Switch.