[personal profile] thorfinn

Hello, especially to anyone reading me who is on LiveJournal. LJ have recently started purging accounts that are idle inactive/suspended (Edited for accuracy).

This means that those account names can be claimed by people other than the original owner. (ETA: This has already been the case since 2005 with deleted accounts and renames, apparently, but I failed to notice that.)

Unfortunately, this fundamentally breaks the trust relationship of OpenID - which is based around the URL of the logging in site. Essentially, I cannot trust that the OpenID user http://thorfinn.livejournal.com/ will remain the original user, without continuously checking that that is so. I can't do that for more than a few users, so essentially, my only effective solution is to be unable to trust any OpenID from livejournal.com.

So, because I cannot trust OpenIDs from livejournal.com, I cannot allow those OpenIDs to access my DW content. This means if you are on LJ, you will be unable to see my locked posts on DW, even if you log in using OpenID.

Most of you will get to read the post anyway, because I will keep cross-posting to LJ, but as I will not be allowing comments on LJ, there will be no commenting.

In short, I'm sorry for the inconvenience, but due to the lack of security of LJ OpenID introduced made even worse by this new policy, I can't allow LJ OpenIDs access to Dreamwidth directly.

If you wish to discuss anything in my locked posts, then come to Dreamwidth. For further references, see:

(no subject)

Date: 2010-07-21 05:57 (UTC)
From: [identity profile] http://www.google.com/profiles/yakboy
I do think your beef is valid, but it's worth noting that LJ aren't purging *idle* accounts, they are purging *never started* accounts.

That is, only accounts that have zero entries (other than the automatic welcome entry) *and* haven't been logged into for 2 years.

But, as I say, the issue is still valid because some people may have used LJ accounts purely for commenting (meaning that they will be purged despite possibly being highly active in the wider LJ/OpenID community).

Also, suspended accounts are getting purged as well, which is a whole different kettle of fish.

(no subject)

Date: 2010-07-21 06:01 (UTC)
From: [personal profile] ex_hestia888
Wow. I haven't looked at my DW account in so long I couldn't remember my username or password. Thanks for posting this on LJ too. Thanks to that I got curious and had another look over here and see lots more people have migrated than I had realised.

OpenID not quite that broken ...

Date: 2010-07-21 06:34 (UTC)
From: [personal profile] subtle_eye

XRIs are a new form of Internet identifier designed specifically for cross-domain digital identity. For example, XRIs come in two forms—i-names and i-numbers—that are usually registered simultaneously as synonyms. I-names are reassignable (like domain names), while i-numbers are never reassigned. When an XRI i-name is used as an OpenID identifier, it is immediately resolved to the synonymous i-number (the CanonicalID element of the XRDS document). This i-number is the OpenID identifier stored by the relying party. In this way, both the user and the relying party are protected from the user's OpenID identity ever being taken over by another party as can happen with a URL based on a reassignable DNS name.

Interesting mechanism ... somehow I doubt LJ have bothered to implement it though ...

Re: OpenID not quite that broken ...

Date: 2010-07-22 13:43 (UTC)
pauamma: Cartooney crab holding drink (Default)
From: [personal profile] pauamma
LJ didn't. While this may sound surprising (because LJ accounts *have* immutable, never-reassigned numbers), using userids instead of usernames would break some valid uses, like switching usernames foo and bar (owned by the same person) and wanting to use the new bar for OpenID access to resources the old bar had access to instead of having to use the new foo.
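The trade-off discussed in the two comments above, as an added example that is not part of the original thread: a relying party can key its access list on the reassignable name or on the never-reassigned number. `Provider`, `RelyingParty` and `scenario` are hypothetical names and the accounts are constructed; this is not LJ's or Dreamwidth's code.

```python
from dataclasses import dataclass, field

@dataclass
class Provider:
    """Constructed identity provider: names are reassignable, numbers are not."""
    names: dict = field(default_factory=dict)  # name -> immutable account number
    next_id: int = 1

    def register(self, name):
        if name in self.names:
            raise ValueError("name in use")
        self.names[name] = self.next_id
        self.next_id += 1

    def purge(self, name):
        del self.names[name]  # the name becomes claimable by anyone

    def swap(self, a, b):
        # One owner exchanges the names of two of their own accounts.
        self.names[a], self.names[b] = self.names[b], self.names[a]

    def assertion(self, name):
        # What a successful login proves to the relying party.
        return {"name": name, "canonical_id": self.names[name]}

class RelyingParty:
    def __init__(self, key):
        self.key = key  # "name" (URL-style) or "canonical_id" (i-number-style)
        self.acl = set()

    def grant(self, assertion):
        self.acl.add(assertion[self.key])

    def allowed(self, assertion):
        return assertion[self.key] in self.acl

def scenario(key):
    # Case 1: account purged, then the name is claimed by a different person.
    op, rp = Provider(), RelyingParty(key)
    op.register("alice")
    rp.grant(op.assertion("alice"))
    op.purge("alice")
    op.register("alice")  # new owner, new account number
    new_owner_gets_in = rp.allowed(op.assertion("alice"))
    # Case 2: same owner swaps names foo and bar after bar was granted access.
    op, rp = Provider(), RelyingParty(key)
    op.register("foo")
    op.register("bar")
    rp.grant(op.assertion("bar"))
    op.swap("foo", "bar")
    new_bar_keeps_access = rp.allowed(op.assertion("bar"))
    return new_owner_gets_in, new_bar_keeps_access
```

Keying on the name lets the new owner of a recycled name in; keying on the number shuts them out but also locks out the renamed "bar" that its owner expected to keep working.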

(no subject)

Date: 2010-07-21 10:48 (UTC)
ms_kismet: (Default)
From: [personal profile] ms_kismet
I guess that means that I should get you to add my DW account at some point in time then :)

I don't know how much I'll really use this as you, Sharplittlteeth and Qamar are really the only ones I know who are really using the system and I'm more reading/commenting than posting currently anyway.

That may change one day, but right now, it's a split deck, so I'll keep on doing what I'm doing until I can't. :)

(no subject)

Date: 2010-07-22 06:36 (UTC)
gths: (Whoever Designed This Weapon)
From: [personal profile] gths
Well, fortunately I haven't had to give money to whichever band of clowns currently owns LJ for a while, since I got a permanent account five years ago or whenever that was. Certainly long enough ago that I've gotten my money's worth and that it's probably been spent. Still got a few people on the LJ who are all "well I'm not getting a DW account just because you all are", but keeping the two synched is pretty easy.

(no subject)

Date: 2010-07-22 08:46 (UTC)
ms_kismet: (Default)
From: [personal profile] ms_kismet
I fully understood your (and many other people's) choice to move. I'm just a lazy blogger who just hasn't been bothered to do the same myself as yet. The configuration and setup involved with fully migrating over is rather time consuming from what I've seen so far and sadly, I don't have the time online that I used to anymore. Real life is getting in the way!

I figure, right now, I'm not paying LJ money anymore and eventually I may migrate over fully, but for now, at least I can comment without worrying about openID from lj not being fantastic.

(no subject)

Date: 2010-07-21 11:56 (UTC)
From: [personal profile] lnr

According to this definition:

To clarify, an inactive personal journal refers to any journal that has not been logged into for two consecutive years using any method of logging in, such as logging in while posting a comment, AND contains either no posts at all or only the LiveJournal welcome post.

So no-one who has actually *used* their LJ should ever be deleted as inactive. Although they may choose to delete their own journal themselves.

As far as I understand the situation it has always been the case that a name could be reused sufficiently long after an LJ account has been deleted, and this latest change just means there will be slightly more deleted accounts than previously. In other words the insecurity has always been there, you just hadn't realised before. Of course that doesn't mean you shouldn't act on it if you think it's necessary.

If you can trust me not to delete my own LJ without informing you I've done so then you could continue to trust my openid. But I'll understand if you need a technical trust mechanism rather than a human one.

Generally where friends have moved to DW, especially where comments have moved here, I read them here rather than on LJ. It's been good that I haven't had to waste DW's namespace by getting an essentially empty account in order to do so. It would be sad if I end up having to do that, or miss out.

(no subject)

Date: 2010-07-21 13:48 (UTC)
vatine: Generated with some CL code and a hand-designed blackletter font (Default)
From: [personal profile] vatine
Back in the dark mists of time, LJ had an explicit policy of never allowing name re-use, but I can't say I've checked how that's evolved over the years.

(no subject)

Date: 2010-07-21 14:36 (UTC)
From: [personal profile] lnr
I seem to remember it being possible years back, but can't quantify that exactly.

The page which lists newly available (ie deleted and purged) account names has existed since at least mid-2007:

http://web.archive.org/web/*/http://www.livejournal.com/misc/expunged_list.bml

It looks like it wasn't possible to reuse a username in December 2004:

http://web.archive.org/web/20041216132254/http://www.livejournal.com/support/faqbrowse.bml?faqid=127

But has been possible since at least March 2006:

http://web.archive.org/web/20060318105519/http://www.livejournal.com/support/faqbrowse.bml?faqid=127

(no subject)

Date: 2010-07-21 14:40 (UTC)
vatine: Generated with some CL code and a hand-designed blackletter font (Default)
From: [personal profile] vatine
I probably checked around September-October 2003 (based on when I did my first LJ post) and haven't paid much attention since.

(no subject)

Date: 2010-07-21 17:06 (UTC)
pauamma: Cartooney crab holding drink (Default)
From: [personal profile] pauamma
Renaming (for a fee) to the username of a deleted and purged account was already available in 2005 (on LJ).

From: (Anonymous)
If not, no one should be using OpenID or promoting it for anything _anyway_, so this would be a non-issue....

(no subject)

Date: 2010-07-21 17:17 (UTC)
pauamma: Cartooney crab holding drink (Default)
From: [personal profile] pauamma
This is not a new problem. Consider the following:
- You give http://bradfitzindrag.livejournal.com/ some access to your DW journal. (Commenting, tagging entries, whatever.)
- I get tired of that account and delete it.
- After it's purged, someone coughs up the $15 and snarfs the name.

Granted, the remedy you chose takes care of that as well, but saying "it can happen now that LJ is purging suspended and inactive accounts" looks slightly disingenuous to me.

(no subject)

Date: 2010-07-22 17:37 (UTC)
pauamma: Cartooney crab holding drink (Default)
From: [personal profile] pauamma
BTW, just came across http://community.livejournal.com/lj_releases/59530.html. Coincidence? You decide. :-)

(no subject)

Date: 2010-07-30 02:23 (UTC)
blithespirit: (Default)
From: [personal profile] blithespirit
Thanks for posting about this. I'm not sure what I need to change in my Dreamwidth settings to stop LJ OpenIDs from accessing Dreamwidth?

Cheers!

(no subject)

Date: 2010-08-22 11:47 (UTC)
bens_dad: (Default)
From: [personal profile] bens_dad
Dreamwidth are about to allow reuse of old usernames and thus have the same problem: http://dw-news.dreamwidth.org/23982.html?thread=2661550#cmt2661550

They say they are looking at a feature of OpenID 2.0 which will help:
http://dw-news.dreamwidth.org/23982.html?thread=2663854#cmt2663854
http://dw-news.dreamwidth.org/23982.html?thread=2664622#cmt2664622

I'm not happy that they place reuse of account names above security of OpenID.
