[foaf-protocols] security problem with libAuthenticate

Story Henry henry.story at bblfish.net
Thu Feb 4 18:13:10 CET 2010


On 4 Feb 2010, at 17:59, Pierre-Antoine Champin wrote:

> Hi,
> 
> I supervise some students working on a FOAF+SLL project.
> 
> They played a little with foaf.me, and discovered what seems like a bug
> in foaf.me, probably in libAuthenticate:
> 
> the URI produced by foafssl.org (with the webid, the date and the
> signature), seems to be accepted forever, as if foaf.me didn't take the
> date into account.

Do you mean that it does not take the time limit of the certificate into account?
(That's quite possible, and we have recently argued that we should take those into account, so that one can produce certificate that are only valid for an hour or less even)

> 
> This is an issue, because if anyone intercepts this URI, they can log in
> as someone else on foaf.me without having any certificate at all!

Assuming you are speaking about the certificate, they would not only have to intercept the certificate, but also the private key. That is usually held securely in the browser. It could be held even more securely in a crypto USB stick on a write only partition.

> Should
> foaf.me / libAuthenticate refuse the URI when its date is too old (i.e.
> more than a few minutes).

it should refuce a certificate whose time has expired.

> 
> Btw, wouldn't it be a good idea to include the IP address in the URI
> generated by foaf+ssl, which would make identity spoofing even harder?

No, I think that would not solve the problem. 
But when foaf.me is more seriously it should certainly be behind https

Henry


>  pa
> _______________________________________________
> foaf-protocols mailing list
> foaf-protocols at lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols



More information about the foaf-protocols mailing list