[foaf-protocols] security problem with libAuthenticate

Story Henry henry.story at bblfish.net
Thu Feb 4 18:51:47 CET 2010


On 4 Feb 2010, at 18:28, Pierre-Antoine Champin wrote:

> On 04/02/2010 18:13, Story Henry wrote:
>> 
>> On 4 Feb 2010, at 17:59, Pierre-Antoine Champin wrote:
>> 
>>> Hi,
>>> 
>>> I supervise some students working on a FOAF+SLL project.
>>> 
>>> They played a little with foaf.me, and discovered what seems like a
>>> bug in foaf.me, probably in libAuthenticate:
>>> 
>>> the URI produced by foafssl.org (with the webid, the date and the 
>>> signature), seems to be accepted forever, as if foaf.me didn't take
>>> the date into account.
>> 
>> Do you mean that it does not take the time limit of the certificate
>> into account? (That's quite possible, and we have recently argued
>> that we should take those into account, so that one can produce
>> certificate that are only valid for an hour or less even)
> 
> No, that is not what I meant.
> 
> When you log in with foafssl.org, it redirects you to a URI of the type
> (I add spaces for readability)
> 
>  http://original.site/? webid=xxxx & date=yyyy & signature=zzzz
> 
> Now, if yyyy is actually 2010-02-04T18:21:43, then on the next day (or
> even the next hour), this URI should not be working anymore. Or else,
> anybody intercepting the URI would be able to log in as xxxx at any
> time, without even connecting to foafssl.org, just pretending to have
> done so, since the signature zzzz would still be valid.
> 
> And that is actually what my students did. One of them put the URI in a
> PDF document, as an example. Then, the week after, when reading the PDF,
> I clicked on the URI, and was logged in to foaf.me as my student!

Ah yes :-)

That is what we put the time stamp in there for. And also the signature="" signs the redirected to URL (ie all - the signature) with the private key of foafssl.org, so that one cannot fake that.

So yes, foaf.me should not allow that URL to be used for more than a certain amount of time (5 minutes?). I think because foaf.me currently does not have much in the way of security, that this functionality may not have been implemented. (Meaning that I don't know if the code on foafssl.org is really correct).

> So I think limiting the validity of those URIs is a must. And in
> addition, putting the IP address of the client in the URI would make it
> even less "reusable" -- though I know that IP spoofing is possible, of
> course...

I understand you now. Yes, that could be added.... (I wonder if it could also lead to some weird behaviours too)

In the end of course it is better for foaf.me and similar sites to implement all in https. (Foaf.me can do that, they were just helping us test the concept of an idp)

Thanks for the feedback! Well spotted by your student. He deserves extra points for that. :-)

Henry


>  pa



More information about the foaf-protocols mailing list