Slashdot Mirror
LiveJournal Founder Launches OpenID System
geekdreams writes "Brad Fitzpatrick, the founder of LiveJournal, has launched OpenID, an 'actually distributed identity system' for websites that accept user comments. The system utilizes decentralized servers to authenticate users, and aims to replace centralized ID systems such as Microsoft's Passport and SixApart's TypeKey. The first implementation of OpenID can be seen on LiveJournal comments pages." Previously mentioned on Slashdot, now out of development.
step 11. profit!
Just as an aside, the XML-RPC vulnerability was based on items in the PHP community, and not in the module used within Perl. Danga and the LiveJournal team have been working with XML-RPC for quite some time, and they tend to be nazis about the security of their implementation.
- oZ
// i am here.
Tools like Firefox's "remember password" make these kinds of shared identity systems obosolete, don't they? Who cares how many passwords you have to remember? You don't have to remember ANY of them anymore, really.
Not really.. if you aren't remembering passwords, you're pretty much out of luck when you go to another terminal, or forget to backup your firefox directory and lose your data.
Maybe this type of system isn't for you, but I can definitely see some use for it.
Also, just because something is complicated doesn't mean it'll eventually get exploited. Things can be complex, yet well thought out and secure.
Universal hardware tokens. Please.
The only motivation I can detect for Open Id is to save people FIVE SECONDS by logging into a new forum, website
I'd have thought the motivation was to limit the number of separate accounts you need. Having a billion accounts running around is a massive security nightmare. Either you're using the same password everywhere (and telling every web site owner your password) or you're wandering around with a notebook of thousands of passwords.
Firefox won't remember your password if the computer is a public terminal, or if you use multiple computers (e.g. at home and at work.)
No, this isn't the ultimate solution (which involves encryption, a portable very strong crypto key time-based challenge-response, and perhaps biometrics), but it could be a good half-measure.
I can hardly wait if/when systems like this become popular, to be forced to register an id like Martian5576567567 due to every other numerical possibillity haven been already taken, due to alot of sites using such a system, and people forgetting about passwords or old accounts and re-registering multiple times.
Also isnt there an issue if somone discovers your password, they can "pretend" to be you on any site including sites with sensitive information such as paypal and the like...
and his comments about spam and trust lead one to believe that these are area's SixApart's service could fill.
2 I think the motivation for this service is skewed. The only motivation I can detect for Open Id is to save people FIVE SECONDS by logging into a new forum, website... etc. People already have their own methods to achieve this kind of simplicity in their lives.
3 Tools like Firefox's "remember password" make these kinds of shared identity systems obosolete, don't they? Who cares how many passwords you have to remember? You don't have to remember ANY of them anymore, really.
One of the things I hate about internet is precisely this. Face it, how do you feel when some links in slashdot to a "register for free!" kind of link? I also hate when I go to a blog or a online forum and I'm forced to register, wait for email, login, etc. Most of the time I give up - this thing would fix those problems.
For 2, it does get to be a pain when you are signed up to 20 or 30+ forums. Example? these days, a lot of software support and bug reporting facilities are on a forum. It's a bit of waste of time if you have to sign up just to make a couple posts.
I'm not saying that we need more services like the one in the article, but it would be nice to have some sort of simple way to fix this.
For myself, i don't think it's the fact of having to spend "5 seconds" logging into different sites. I think it's more so the fact of the number of different passwords/usernames i have in use on different forums. For the most part, i try to use the same username/password on most forums, but sometimes my username is taken, or something like that, then i have to try and remember what the username is, etc. I like the idea of this, and hope to use it in the future.
tourettes
If it is like LiveJournal, I am sure lots of self obsessed people will want to use the ID system.
5 Seconds? Where did you get that benchmark?
I'm a CMS designer,
Ah, that explains it.
If I'm on a computer I trust, I might allow it to save my password. If I run accross a forum that requires a login, I'm more than likely not going to take the time to create a login, just so I can participate. Why? because I've never seen one that only takes 5 seconds. Most send emails, which add considerably more time and pain (I gave up using POP email when I changed my email for the 10th time (@home failed, to be exact).
Not that his solution is perfect and that all of you points are not valid. Just that its not such a bad plan at its core.
My other car is a Popemobile
Of course, when I find/steal your wallet, with the tattered but legible cheat-sheet with all your IDs and passwords written down, 'cause you can't keep all fifty of them in your head, I'll bankrupt you in 24 hours.
Generally, bash is superior to python in those environments where python is not installed.
Sites that let you enter your name/URL/email/etc and show it without verifying you're you are lame.
On the other:
Somebody could run their own identity server that says they're http://spammer.example.com/000001/ all the way to http://spammer.example.com/999999/ and that's not a goal of this system to prevent.
If anyone can run their own identity server, then why use this rather than a (probably more user-friendly) Captcha system?
First of all, look at the reason this was created. There are hundreds of livejournal clones out there, and a lot of them run the livejournal software (deadjournal, blurty, etc.). I'm not going to create a new journal on each one of those sites just so I can view the friends-only posts of my friends on those sites, and especially not just so I can comment. This provides a way to link all of those sites together, and it does it openly, in a way that sites that don't use LJ's software can use.
Secondly, addressing your remember passwords comment, it's a complete waste of resources for the system for these users, who just may want to leave a comment, to force them to sign up for an account. Why not just let them provide a reference URL which represents them, and let that server verify that the provided URL is the user's?
Many of your points were simply "This is complex", or "This requires relying on more systems", and conclude that it's bad. Firstly, I think 'rely' is the wrong word for this. You're using these other systems, yes, but if these other systems go down, it doesn't stop you from doing anything. It's similar, though not a perfect analogy, to saying that having more IRC servers in a given network is bad because you're relying on more servers.
Also, imagine the advantages this gives when designing around this system. Forums which are really only for one topic, such as an official forum for a specific piece of software, don't even need to store any user or password information (and therefore don't have any sensitive data). The forum can simply store the OpenID URL for the admins and allow anyone who can verify with that URL do all of the admin work.
It's the first step to providing a true roaming profile, and single sign-on for the web, and it's done in an open manner. I think it's a step in the right direction.
I am in total agreement with you, but such a system would be a frequent target for identity theft attacks. Therefore such a system should have multiple biometric security measures, including fingerprints, DNA, retnal scans, and voice samples.
Such a system would be the foundation of a new set of services as well. For example, if all the citizens of the world would wear a GPS transmitting necklace or under-the-skin implant no one would ever be wrongly accused of a crime or be accidentally lost in the wilderness. With bio-scanning technology the government could ensure that you're vital signs were normal and if they became erratic they could send aid.
Only with a wonderful benevolent government like the United Nations can we ever begin to see the wonders of these technologies and rid ourselves of all the risks of the dangerous ideas of freedom and privacy.
Telcos have alot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.
Many blogs require you to register in order to be able to comment so that the person who runs them can control trollish behavior. This sort of system is good for letting people avoid having to register to be able to post on dozens of blogs.
Registration is mostly good for keeping away trolls who can't even take the time to learn their native dialect of English well enough to write a coherent and grammatically correct post. Sometimes it's horrifying to read the structure of such posts because you realize how far our schools have fallen. I've gotten ones that if I didn't have a college-level grasp of English, I'd have no idea what was being said.
As long as security is the first priority, this is a good thing. What I wonder though, is how secure this could really be without centralization. The appeal of SixApart's service is that SixApart is guarding it aggressively from being cracked... so who runs this service? I'm not sure how well you could trust a P2P system like this since you have no definitive authority to say "this user is who he/she says they are."
Click here or a puppy gets stomped!
One of the things I hate about internet is precisely this. Face it, how do you feel when some links in slashdot to a "register for free!" kind of link? I also hate when I go to a blog or a online forum and I'm forced to register, wait for email, login, etc. Most of the time I give up - this thing would fix those problems.
On the surface you might think that this thing would fix those problems but I highly doubt that it will change anything.
Think about it: If the New York Times wouldn't adopt Microsoft's Passport solution do you really think that they are going to adopt this solution by a (in their eyes) virtual nobody? If something with the backing of the largest software company in the World couldn't take off then I don't hold out much hope for this except perhaps for some blogs here and there -- but that hardly solves the NYT problem.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
About openID
Sometimes i wonder
Why we don't have it shut
Closed ID seems smarter
Burma shave
Seriously all this jazz about the OpenID systems left right and centre from so many sources , yet non of them work , perhaps a new vector is required
The only things certain in war are Propaganda and Death. You can never be sure which is which though
On the http://openid.net/ page, it suggests that untrusted websites might popup a login dialog for your own trusted server. That would open a huge hole for man-in-the-middle attacks based on the various browser "url hiding" vulnerabilities. The fact that that behavior is suggested as canonical seems unwise.
So your first argument is that one of the components involved had a security problem? You'd better stop using the internet then, or maybe even your own CMS.
The end goal of this is much more grandiose. One thing that is both a strength and weakness of the Internet is anonymity. Blanket anonymity has no doubt been a plus for many people over the years, but it's now much more of a problem than it's worth. The Internet in general needs a way for the average user to present credentials to internet services that is automated, fast, and simple. This would be a building block for validation of web sites, e-mail messages, decentralized public key distribution, and a lot of other useful (and badly needed) services. Removal of blanket anonymity (but not elimination of all anonymity) will improve the signal to noise ratio of internet data by several orders of magnitude.
That's why that feature of firefox gets disabled by many corporations. It's very insecure. Other options for storing long, non memorable passwords include palm pilots, dedicated password PDAs, and such. They're clunky and sooner or later passwords will become too long to type in anyway. Being able to reference the place to *get* the user's password (along with their encryption settings, public key, etc) is actually more secure.
The Internet is by its nature much more interdependent than you know. It's impossible to do anything online without using at least a few dozen interlinked systems and standards. In general, keeping it simple is a good design rule but it tends to produce simple, monolithic system designs that are unsuited to Internet scale activities. For an example of a large scale distributed service that is as simple as possible on the Internet, check out the DNS design RFC.
This is an over-generalization. True that dependence on proprietary systems is generally bad because proprietary systems are usually not subject to the public evolutionary process applied to open standards, and therefore can have more problems. In general, simplicity triumphs over complexity when two ways of doing the same work are compared. Complexity wins out if a better (faster, easier) way of doing the work happens to be more complex.
I'm presuming you mean people could send e-mails saying "go to this URL". They can do that now. This would actually help with Phishing deterrence if users learned to only trust "verified" e-mail sender identities.
Did you even read any of the linked materials? No part of the OpenID system stores your personal details. The only thing OpenID does is allow you to prove that you own a URL. There is no such thing as an 'OpenID profile'--an OpenID producer and consumer just don't exchange that kind of information.
And if you read the specs, I think you will see that OpenID is designed from the ground up with security in mind.
A big reason for me like this (and dislike it at the same time for security reasons) is that with a widely distributed system like this is will make it easier to keep track of who said what, even across multiple web sites. Each person would have the same name across many web sites, so those of us who are involved in multiple online communities can more easily keep track of people that share more than one common community with us. For example, I could identify Slashdot posts by people that go to the iDevGames forums like I do.
No one liked Passport so that's why it didn't get used. This is a different idea which has a slim, but possible, chance of success.. even on large sites.
Actually, as near as I can tell it doesn't "prove" anything. Anyone who learns or knows the URL can pretend to be me on this or any other site. Especially if you're dumb enough to use the subdomain format shown. (e.g. brad.livejournal.com)
Without a private portion (password) it fails at authentication of identity, and devolves to just being "easy"...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
You're right! In his pages and pages of specs, he totally missed the attack of "just typing someone else's URL!" I wonder why he never thought of that!
Thank you for your thoughtful analysis.
That is precisely what OpenID isn't. They mentioned that there's no profile exchange.. OpenID just makes sure that shakrai@slashdot.org is that person. Doesn't say anything ABOUT that person.
.. OpenID is not meant for this.
They wanted ot keep the protocol simple and easy. Another layer can be added on top of it, later on, for profile exchange.. but they specifically avoided doing it in this version.
The problem with profile exchange is, it's hard to maintain. Once you give them information, they can keep it. If you only give them an OpenID, that's all they know about you, unless you give them more. Which most sites will probably ask for anyway. I'm sure the NYTimes wants you to login for demographics, not because they want to verify that you are who you say you are before you read a story. They have no way of knowing anything about shakrai@slashdot.org, besides what you visit. But if you make an account there, they have your name, address, age, gender, etc. AND what you visit at their site
A few days before the LiveJournal system came out I released something very similar (this is not sour grapes; they have very generously acknowledged my work) called mIDm. You can view it here: http://www.downes.ca/idme.htm
I was very pleased to see the LiveJournal system because it acknowledges what no system has done before: that identity belongs in the hands of the users.
This has two major aspects:
First, as argued over and over on the LiveJournal site, this is not an authentication system, it is an identification system. You are not being required to prove you are who you say you are, you are instead being given a mechanism to declare who you are.
It is, in purpose and intent, as secure - and no more secure - than filling out a web form. But the idea here is that you fill out the form just once, and then using a system of call-backs (to ensure your personal information isn't spoofed) you can use that information anywhere on the web.
Let me repeat that, in case you didn't get it: anywhere on the web.
The idea is, if you want, you can have the *same* identity on each of dozens of websites. Which means, say, if your email address changes, you change it once, and this information is now available (if you want it to be) to all of your accounts. Ditto your home page.
I will leave the many many applications - such as web-wide peprsonalized display, in-page messaging, multi-site social networking, and more - as an exercise to the reader.
Second, what it means is that the system is distributed. This means that there isn't some centralized grand poobah of identity (the way Passport tried to be, the way Sxip is trying to be). It means you can choose any system you want to host your identity or you can build your own.
Let me repeat that: you can build your own.
Don't like their security. Make yours tighter. Too much lag on LJ. Host it yourself. Want to send different emails to different types of site. Code it.
One of the mistakes made in previous system was in the use of a one-size fits all model, which meant that the level of security had to be at the highest possible - which is orders of magnitude more than someone needs merely to write blog posts and comments. Building a distributed system allows each person to decide how much - or how - security is appropriate.
Having made these two points, I would like to mention briefly where my system goes beyond LJ's. In their system, you are still typing your home URL at each site you visit. In mine, you don't ever have to type your home URL - it is stashed in the browser agent environment variable, where it can be picked up by any site that needs it. Oh I know, you probably shouldn't do that - but I've been testing this for months with no ill effects. YMMV, and if you have a better idea, I'm all ears.
Despite the naysayers here on Slash, this system - or something very like it - will become the norm on the internet very soon.
Why?
- Because it will be very simple to install for websites, especially after things like Drupal and Wordpress modules are built.
- Because it will be very simple for the user, because they just need to type one thing in (or extensions will be built for my type of system).
- Because it will work.
- because it will be no less safe, and probably more safe, than filling forms willy-nilly everywhere you go.
What if we took this idea a step further and added a form of authentication, namely, signing of messages?
Here's what I have in mind, please point out any flaws in my logic:
- I log into livejournal.com using my id, "hisham".
- I post a message at foo.com using my OpenID, hisham@livejournal.com.
- foo.com sets a cookie in my browser, and issues a request to livejournal.com, with the cookie and the message.
- livejournal.com receives the request, verifies the cookie (confirming that the request from foo.com was posted by a browser who's actually currently logged as hisham in livejournal).
- livejournal.com then signs the message and sends the signature back to foo.com.
- foo.com posts the message saying that hisham@livejournal.com posted it, with the signature in the end (or most likely, accessible through a link).
- If anybody wants to verify if the message is legit, they can copy-paste the message and the signature and check it in a verification form in livejournal.com.
The system is still fully decentralized (anyone can host their own "OpenAuth" servers) and you only need to trust one of the sites (the signer), not both as in OpenID (though "trust" in the sense of OpenID means just identification, not authentication -- and I'm fine with it since that's its purpose).Off the top of my head, the only two potential issues I see are:
- the signer server would see everything you posted anywhere -- but anyway, Google see all my emails... if this is a concern, host your own server;
- the load on the servers -- would this be a big problem? most sites could use lighter, less CPU-intensive cryptography... again, if this is a concern, host your own server with 1024-bit crypto.
What do you people think? Could something like this work??The filesystem is the package manager
1. Say your home URL is www.slashdot.org/~shmlco. You log into slashdot.org, and slashdot gives you a cookie as it always does. This is how slashdot verifies you are logged in.
2. You go to randomblog.com. You want to post a comment as shmlco from slashdot. So you give randomblog.com your URL, www.slashdot.org/~shmlco.
3. randomblog.com establishes a shared secret with slashdot.org cryptograhically, if it has not done so already.
4. randomblog.com sends your browser to whatever authentication URL is specified in the link tag of your site, for example: <link rel="openid.server" href="http://www.slashdot.org/openid-validate.cgi
5. Your browser hits www.slashdot.org/openid-validate.cgi, which can validate that you are logged into www.slashdot.org (just like any slashdot page can), based on your cookies.
6. If you are logged in, slashdot.org signs a certificate saying so, using the shared secret as a key, and redirects you to someblog.com with the signed certificate as one of the parameters.
7. someblog.com decrypts the certificate, and therefore knows that your browser is signed into slashdot.org.
As you can see, your proposed attack could not work, because you don't have the victim's cookies in your browser, nor do you have the shared secret you would need to fabricate a certificate.
I mean really, don't you think that someone who took the time to write a detailed spec would think of obvious attacks like the one you propose?
Problems with OpenIDI put off reading the OpenID spec because I though it was probably flawed. Now I just feel applying my head to my desk.
OpenID is led by with this philosophy:
The above is taken from a discussion of vulnerabilities. The problem with this lowest common denominator approach is that it's horribly broken. OpenID is currently no better than just giving the URL of your blog.
The number one problem is the complete lack of integrity checking. Everything in OpenID seems to be perfectly happy to let their requests be modified in transit. I think the problem with this are pretty damn obvious: nothing can be trusted. Fortunately, fixing this is pretty simple: use TLS. In today's shared hosting environment, you probably want to require support for server name indication.
Another brilliant idea: transmit the key that you'll use for signing later in plaintext.
I believe "limited in some way" means "completely insecure." "Dumb mode" is not safe because there's no key associated with the server, so there's no way to ensure you're talking to the same one or that someone isn't tampering.
/>
I also don't see much point in using a symmetric key for speed and security when you're just encrypting a short string. It's so tiny that both improvements are similarly small.
Perhaps the biggest problem with OpenID is it's reliance on sending a user to another page to login. It's just too easy to spoof a page and fool most people. Even better, you can open a window using Javascript and hide the location bar. Even if you normally use TLS, most people probably won't notice if it's missing or the certificate is different. Also, most sites (including LiveJournal) include a completely insecure assurance that you're secure. For example, LiveJournal says "LiveJournal Secure Site "
A simpler and more secure alternativeThe only way to fix this is (gasp) get users to carry their own keys. If you stored your key in a bookmarklet or extension, you could sign something with it. This is completely feasible because Javascript cryptography implementation is done. You could submit your public key with the signed comment. If you wanted to associate yourself with a URL, all you need to do is link to a page with the public key. If the same public key can be used for the signature.. That's right, no special identity server is needed. The public key could be submitted directly or it can be linked to. It might be a pain to write out the entire URL to the key, so perhaps autodiscovery-from-HTML should be supported:
<link rel="openpgp.key" href="http://www.livejournal.com/pubkey.bml?user=a trustheotaku"
Note that no TLS is needed. The signature is secure in and of itself. If you want to support all the fanciness (e.g. revocation) of OpenPGP (spec), then you just need the