[xauth] Identity Correlation Concern


Nat Sakimura

Apr 21, 2010, 10:35:24 AM
to xa...@googlegroups.com
I have a concern.

Would it not allow sites to correlate a user without the user's consent?
Or is there some protection against it?

--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en

--
You received this message because you are subscribed to the xAuth group.
To post, send email to xa...@googlegroups.com

To unsubscribe from this group, send email to
xauth+un...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/xauth?hl=en

Chris Messina

Apr 21, 2010, 1:10:12 PM
to xa...@googlegroups.com
Well, it would be able to potentially fingerprint a user, but there are already probably more accurate and effective means to achieve that.

With XAuth you can opt-out by visiting xauth.org and configuring your preferences — either completely turning off XAuth, or blocking certain sites.

If XAuth is not a reliable resource that can be queried for a user's preferred services, people may end up just finding other, less transparent means of correlating identifiers, etc.

But — it is a valid concern, one that can be addressed by opting out completely from the service.

Chris
--
Chris Messina
Open Web Advocate, Google

Web: http://factoryjoe.com
Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina

This email is: [ ] shareable [X] ask first [ ] private

Rabbit

Apr 21, 2010, 2:05:00 PM
to xa...@googlegroups.com
In theory, services could improve upon their own portion of the transparency by providing a simple interface for managing visibility.

Example user preferences page:
-------
(o) Always remember me; this is not a shared computer.

    (  ) Allow all sites to know I have a ServiceX account
    (o) Allow only some sites to know I have a ServiceX account (list one per line):
         [ www.example.com
         [ www.youface.com

    * Learn more about this feature including how to disable for all sites. (xauth.org link)

(  ) Do not store session data for this computer.
---------

Any other data carried by the token could also be communicated.

=Rabbit

John Bradley

Apr 21, 2010, 3:55:42 PM
to xa...@googlegroups.com
It is true, as I understand it any site the user visits could store a unique identifier that other sites can retrieve for correlating activity of the user across sites.

I suspect some will see that as a feature.  

I think that the problem will be the user is forced to manually create a blacklist of sites that they don't want using this cross domain service, or disable Xauth.org completely.

I can also see that there is nothing to stop ad networks and others from using the same browser feature to track users without Xauth.org.

If that becomes a problem I can see people looking for ways to block this new form of cross domain cookie entirely in their browsers.

I give the people who are working on this full credit.  This is a clever way to create a pseudo smart client via JS in the browser rather than requiring a plugin.

I do think that searching for tokens by protocol is an important feature.  Without that it will disadvantage the small players.

XAuth will need appropriate oversight of the extenders, so that people are comfortable not blocking it.

I can see this used with some sort of XRD publishing service, however I would not want to see a correlatable identifier being disclosed to all RPs by default.

This can be a useful tool but it also has perils.  

It may be that XAuth.org can over time develop more of the user control features of a smart client, and be seen as privacy protecting.

It is still too early to tell how it will play out.

John B.

Sam Johnston

Apr 21, 2010, 2:40:34 PM
to xa...@googlegroups.com
On 21 April 2010 20:05, Rabbit <rab...@cyberpunkrock.com> wrote:
> Any other data carried by the token could also be communicated.

This sounds a lot like Flash "cookies" - I'm all for binary "do you have an account or not" type questions but if we're doing more than that then we want to think long and hard about the potential implications.

Would a simple structure like this not meet the requirements for which Xauth was originally intended?

{
    "openid": [
        "google.com", 
        "microsoft.com", 
        "samj.net"
    ], 
    "saml": [
        "acme.com"
    ]
}

Conversely, what would we lose by adopting a relatively simple format that gives binary answers only?

Sam

Nat Sakimura

Apr 21, 2010, 5:41:03 PM
to xa...@googlegroups.com
Indeed, if xauth.org's scripts are constructed in such a way that they
only allow simple lists like Sam wrote, it would have less correlatability and
actually give users ways to protect their privacy while making life
easier by not being exposed to 100s of icons. Then, instead of black-listing
things, a user can whitelist xauth.org, which is a much simpler thing to do.

Thoughts?

=nat
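Added example, not code from the xAuth project or from anyone in this thread: a browser-side filter, as the xauth.org store could apply it, that reduces whatever a provider writes to the binary protocol-to-hosts shape Sam proposed, and then applies a per-site visibility preference like the one on Rabbit's mock preferences page before answering a requesting site. The protocol registry, the sample token and the preference values are constructed assumptions.

```javascript
// Added example (not xAuth project code): keep only "protocol -> hostnames"
// lists in the store, then apply a per-site visibility preference.
// Assumed registry of protocol names a store would accept.
const KNOWN_PROTOCOLS = new Set(["openid", "saml"]);
// Plain DNS hostname with at least one dot; rejects free text and URLs.
const HOSTNAME = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i;

// Reduce a raw provider token to the binary shape Sam proposed. Opaque ids,
// session data and nested objects are dropped, so the store itself cannot
// carry a per-user value for sites to correlate on. Hostnames are still a
// channel, so a store may also restrict them to a published provider list.
function toBinaryToken(raw) {
  const out = {};
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) return out;
  for (const [proto, hosts] of Object.entries(raw)) {
    if (!KNOWN_PROTOCOLS.has(proto) || !Array.isArray(hosts)) continue;
    const clean = hosts
      .filter((h) => typeof h === "string" && HOSTNAME.test(h))
      .map((h) => h.toLowerCase());
    const unique = [...new Set(clean)].sort();
    if (unique.length > 0) out[proto] = unique;
  }
  return out;
}

// prefs mirrors the mock page: mode "all", "some" (with an allowed list) or "none".
// Returns what the requesting site is allowed to learn: the token or nothing.
function visibleTo(token, prefs, requester) {
  const site = String(requester || "").toLowerCase();
  if (prefs.mode === "all") return token;
  if (prefs.mode === "some") {
    const allowed = (prefs.allowed || []).map((h) => h.toLowerCase());
    if (allowed.includes(site)) return token;
  }
  return {};
}

// Constructed sample input: a provider that tried to store more than presence.
const SAMPLE_RAW = {
  openid: ["google.com", "samj.net", "not a host", "GOOGLE.com"],
  saml: ["acme.com"],
  session: "ABC123",
  uid: 42,
};
const SAMPLE_PREFS = { mode: "some", allowed: ["www.example.com", "www.youface.com"] };

// What a given requesting site would receive from this store.
function answer(requester) {
  return visibleTo(toBinaryToken(SAMPLE_RAW), SAMPLE_PREFS, requester);
}
```

Run `answer("www.example.com")` and `answer("tracker.example.net")` to see the listed site get the host lists while an unlisted site gets an empty object.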

Rabbit

Apr 26, 2010, 8:48:54 PM
to xAuth
I would like to hear from the leads about this because I am operating under the assumption that the token would be used to retrieve additional information from the source. For example, retrieving the "ABC123" token from "provider.com", pulling up "http://provider.com/.well-known/host-meta", finding a relevant URI template "http://provider.com/myapp?token={token}" then sending the user to "http://provider.com/myapp?token=ABC123" as part of some other user-centric protocol.

Again, this is all an assumption. Would love to hear an official word
on this.

Aside from the intentions of the spec authors, it is still possible to
embed highly sensitive data in the token and there are many different
ways this can already happen even without XAuth. At least having this
sort of data exchange handled in the light of day there can be a best
practice put forward so that applications can be built without
resorting to negative patterns (i.e. the password anti-pattern).

=Rabbit

Chris Messina

Apr 26, 2010, 10:02:12 PM
to xa...@googlegroups.com
Currently the tokens can contain any kind of information — which may simply indicate the presence of an active session with the provider, or may contain much more information.

It is up to each individual provider to determine what kind and amount of information they wish to include in the token. So far most providers only include a basic amount of information.

In the case where host-meta is supported, it might be possible to query a provider for the list of services that may be available to the user, but no one that I know of is doing that yet.

Chris

Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina

This email is: [ ] shareable [X] ask first [ ] private