[foaf-protocols] security problem with libAuthenticate
Pierre-Antoine Champin
swlists-040405 at champin.net
Thu Feb 4 18:28:50 CET 2010
On 04/02/2010 18:13, Story Henry wrote:
>
> On 4 Feb 2010, at 17:59, Pierre-Antoine Champin wrote:
>
>> Hi,
>>
>> I supervise some students working on a FOAF+SSL project.
>>
>> They played a little with foaf.me, and discovered what seems like a
>> bug in foaf.me, probably in libAuthenticate:
>>
>> the URI produced by foafssl.org (with the webid, the date and the
>> signature), seems to be accepted forever, as if foaf.me didn't take
>> the date into account.
>
> Do you mean that it does not take the time limit of the certificate
> into account? (That's quite possible, and we have recently argued
> that we should take those into account, so that one can produce
> certificates that are only valid for an hour or less even)
No, that is not what I meant.
When you log in with foafssl.org, it redirects you to a URI of the type
(I add spaces for readability)
http://original.site/? webid=xxxx & date=yyyy & signature=zzzz
Now, if yyyy is actually 2010-02-04T18:21:43, then on the next day (or
even the next hour), this URI should not be working anymore. Or else,
anybody intercepting the URI would be able to log in as xxxx at any
time, without even connecting to foafssl.org, just pretending to have
done so, since the signature zzzz would still be valid.
And that is actually what my students did. One of them put the URI in a
PDF document, as an example. Then, the week after, when reading the PDF,
I clicked on the URI, and was logged in to foaf.me as my student!
So I think limiting the validity of those URIs is a must. And in
addition, putting the IP address of the client in the URI would make it
even less "reusable" -- though I know that IP spoofing is possible, of
course...
pa
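The check the thread asks for, as an added example (not code from the thread, from foaf.me, foafssl.org or libAuthenticate): the identity provider signs the webid together with the issue date, and the relying party accepts the redirect URI only if the signature verifies AND the date is recent. The key, the five-minute window, the clock-skew tolerance and the HMAC-SHA256 signature are all assumptions made here to keep the example self-contained; the real foafssl.org service signs with its RSA key, so a deployment would swap in public-key verification at the same point. The optional client-address binding is the author's suggestion from the message above, with the same caveat that it is only a partial measure.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the identity provider's signing key (assumed; the
# real service uses an RSA key pair, HMAC is used only so this runs offline).
IDP_KEY = b"constructed-demo-key-not-from-the-thread"

MAX_AGE = timedelta(minutes=5)   # assumed freshness window for a login URI
MAX_SKEW = timedelta(minutes=1)  # assumed tolerance for clock differences
DATE_FMT = "%Y-%m-%dT%H:%M:%S"   # same shape as the date quoted in the thread


def ts(s):
    """Parse a thread-style timestamp (no zone given, treated as UTC here)."""
    return datetime.strptime(s, DATE_FMT).replace(tzinfo=timezone.utc)


def _signed_payload(fields):
    # The signature must cover webid, date and (if present) the client address
    # together, otherwise an attacker could swap one field and keep the signature.
    return urlencode(fields).encode()


def issue_login_uri(site, webid, now, client_ip=None):
    """Identity-provider side: build the redirect URI with webid, date, signature."""
    fields = {"webid": webid, "date": now.strftime(DATE_FMT)}
    if client_ip is not None:
        fields["ip"] = client_ip
    sig = hmac.new(IDP_KEY, _signed_payload(fields), hashlib.sha256).hexdigest()
    fields["signature"] = sig
    return f"{site}?{urlencode(fields)}"


def verify_login_uri(uri, now, client_ip=None):
    """Relying-party side: returns (accepted, webid_or_reason).

    A valid signature alone is not enough: without the date check a URI
    captured once (e.g. pasted into a PDF) logs the bearer in forever.
    """
    q = parse_qs(urlsplit(uri).query)
    try:
        fields = {"webid": q["webid"][0], "date": q["date"][0]}
        if "ip" in q:
            fields["ip"] = q["ip"][0]
        sig = q["signature"][0]
    except (KeyError, IndexError):
        return False, "missing parameter"

    expected = hmac.new(IDP_KEY, _signed_payload(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"

    try:
        issued = ts(fields["date"])
    except ValueError:
        return False, "bad date"
    if issued > now + MAX_SKEW:
        return False, "date in the future"
    if now - issued > MAX_AGE:
        return False, "expired"

    # Optional binding to the client address, as suggested in the thread.
    if "ip" in fields and fields["ip"] != client_ip:
        return False, "client address mismatch"
    return True, fields["webid"]
```

With this in place the URI from the thread, dated 2010-02-04T18:21:43, is accepted within a few minutes of issue and rejected as expired a week later; a URI whose webid has been edited fails the signature check before the date is even looked at.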