[foaf-protocols] security problem with libAuthenticate

Pierre-Antoine Champin swlists-040405 at champin.net
Thu Feb 4 17:59:57 CET 2010


I supervise some students working on a FOAF+SSL project.

They played a little with foaf.me, and discovered what seems like a bug
in foaf.me, probably in libAuthenticate:

the URI produced by foafssl.org (with the webid, the date and the
signature), seems to be accepted forever, as if foaf.me didn't take the
date into account.

This is an issue, because if anyone intercepts this URI, they can log in
as someone else on foaf.me without having any certificate at all! Should
foaf.me / libAuthenticate refuse the URI when its date is too old (i.e.
more than a few minutes)?

Btw, wouldn't it be a good idea to include the IP address in the URI
generated by foaf+ssl, which would make identity spoofing even harder?
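A defensive sketch of the freshness check the post asks for, added here as example code and not code from libAuthenticate or foafssl.org: it assumes query parameters named webid, ts and sig, and uses an HMAC with a shared key as a stand-in for the real service's public-key signature.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed shared secret standing in for the identity provider's signing
# key. The real service signs with a public-key signature; HMAC is used only
# to keep this example self-contained (an assumption, not the project's scheme).
SECRET = b"constructed-demo-key"
MAX_AGE_SECONDS = 300   # reject assertions older than a few minutes
MAX_SKEW_SECONDS = 60   # tolerate a little clock drift, not arbitrary future dates


def _signing_input(webid: str, ts: int) -> bytes:
    # Bind the signature to both the WebID and the timestamp (assumed parameter names).
    return urlencode({"webid": webid, "ts": ts}).encode()


def sign_assertion(webid: str, ts: int) -> str:
    """Build the redirect URI the way the identity provider would (hypothetical format)."""
    sig = hmac.new(SECRET, _signing_input(webid, ts), hashlib.sha256).hexdigest()
    return "https://foaf.me/login?" + urlencode({"webid": webid, "ts": ts, "sig": sig})


def verify_assertion(uri: str, now: Optional[int] = None,
                     max_age: int = MAX_AGE_SECONDS) -> Optional[str]:
    """Return the WebID if the URI is authentic AND fresh; otherwise None."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlsplit(uri).query)
    try:
        webid = params["webid"][0]
        ts = int(params["ts"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None
    # Authenticity: any change to webid or ts invalidates the signature.
    expected = hmac.new(SECRET, _signing_input(webid, ts), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    # Freshness: the check the reported bug lacks. A captured URI stops working
    # once the window has passed, and far-future timestamps are rejected too.
    if now - ts > max_age or ts - now > MAX_SKEW_SECONDS:
        return None
    return webid
```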

