thorfinn ([personal profile] thorfinn) wrote 2010-07-21 12:49 pm

LJ - Purging Accounts = Even More Broken OpenID

Hello, especially to anyone reading me who is on LiveJournal. LJ have recently started purging accounts that are inactive or suspended (edited for accuracy).

This means that those account names can be claimed by people other than the original owner. (ETA: This has already been the case since 2005 with deleted accounts and renames, apparently, but I failed to notice that.)

Unfortunately, this fundamentally breaks the trust relationship of OpenID, which is based on the URL that identifies the user logging in. Essentially, I cannot trust that the OpenID user http://thorfinn.livejournal.com/ will remain the original user without continuously checking that this is so. I can't do that for more than a few users, so essentially my only effective solution is to treat every OpenID from livejournal.com as untrusted.

So, because I cannot trust OpenIDs from livejournal.com, I cannot allow those OpenIDs to access my DW content. This means if you are on LJ, you will be unable to see my locked posts on DW, even if you log in using OpenID.

Most of you will get to read the post anyway, because I will keep cross-posting to LJ, but since I will not be allowing comments on LJ, you will not be able to comment there.

In short, I'm sorry for the inconvenience, but due to the existing insecurity of LJ OpenID, made even worse by this new policy, I can't allow LJ OpenIDs access to Dreamwidth directly.

If you wish to discuss anything in my locked posts, then come to Dreamwidth. For further references, see:

[identity profile] http://www.google.com/profiles/yakboy 2010-07-21 05:57 am (UTC)
I do think your beef is valid, but it's worth noting that LJ aren't purging *idle* accounts, they are purging *never started* accounts.

That is, only accounts that have zero entries (other than the automatic welcome entry) *and* haven't been logged into for 2 years.

But, as I say, the issue is still valid because some people may have used LJ accounts purely for commenting (meaning that they will be purged despite possibly being highly active in the wider LJ/OpenID community).

Also, suspended accounts are getting purged as well, which is a whole different kettle of fish.

[personal profile] ex_hestia888 2010-07-21 06:01 am (UTC)
Wow. I haven't looked at my DW account in so long I couldn't remember my username or password. Thanks for posting this on LJ too. Thanks to that I got curious and had another look over here and see lots more people have migrated than I had realised.

OpenID not quite that broken ...

[personal profile] subtle_eye 2010-07-21 06:34 am (UTC)

XRIs are a new form of Internet identifier designed specifically for cross-domain digital identity. For example, XRIs come in two forms—i-names and i-numbers—that are usually registered simultaneously as synonyms. I-names are reassignable (like domain names), while i-numbers are never reassigned. When an XRI i-name is used as an OpenID identifier, it is immediately resolved to the synonymous i-number (the CanonicalID element of the XRDS document). This i-number is the OpenID identifier stored by the relying party. In this way, both the user and the relying party are protected from the user's OpenID identity ever being taken over by another party as can happen with a URL based on a reassignable DNS name.

Interesting mechanism ... somehow I doubt LJ have bothered to implement it though ...

Re: OpenID not quite that broken ...

[personal profile] pauamma 2010-07-22 01:43 pm (UTC)
LJ didn't. While this may sound surprising (because LJ accounts *have* immutable, never-reassigned numbers), using userids instead of usernames would break some valid uses, like switching usernames foo and bar (owned by the same person) and wanting to use the new bar for OpenID access to resources the old bar had access to instead of having to use the new foo.
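The two comments above describe the same design choice from opposite sides: subtle_eye's quoted XRI text says the relying party should store the never-reassigned i-number (the CanonicalID) rather than the reassignable name, and pauamma points out what that costs when one person swaps two of their own usernames. The following is an added example, not code from the post or from LiveJournal or Dreamwidth. It simulates discovery with a plain dictionary (no OpenID wire protocol is spoken), and every URL and id in it is constructed. A relying party keyed on the URL keeps granting access to whoever currently holds the name after a purge; one keyed on the stable id does not, but it also does not follow a name through a rename swap, which is exactly the trade-off pauamma describes.

```python
"""Relying-party access keyed on the OpenID URL versus on the provider's
stable id. Added example with simulated discovery; all names constructed."""
from typing import Dict, Optional, Set


class Provider:
    """Constructed stand-in for an OpenID provider plus discovery.

    `names` maps the user-facing identifier (URL or XRI i-name) to the
    provider's never-reassigned id (an XRI i-number / CanonicalID, or an
    LJ-style numeric userid). A real RP reads this from the XRDS document."""

    def __init__(self, names: Dict[str, str]) -> None:
        self.names = dict(names)

    def resolve(self, identifier: str) -> Optional[str]:
        return self.names.get(identifier)

    def purge_and_register(self, identifier: str, new_owner_id: str) -> None:
        """The old account is purged and a different person claims the name."""
        self.names[identifier] = new_owner_id

    def swap_names(self, a: str, b: str) -> None:
        """Two accounts owned by one person take each other's name."""
        self.names[a], self.names[b] = self.names[b], self.names[a]


class RelyingParty:
    """key='url' is the naive approach the post complains about;
    key='canonical' stores the stable id, as XRI i-numbers are meant to be used."""

    def __init__(self, provider: Provider, key: str) -> None:
        if key not in ("url", "canonical"):
            raise ValueError("key must be 'url' or 'canonical'")
        self.provider, self.key = provider, key
        self.acl: Dict[str, Set[str]] = {}   # subject -> resources it may read

    def _subject(self, identifier: str) -> Optional[str]:
        canonical = self.provider.resolve(identifier)
        if canonical is None:
            return None                      # name does not resolve at all
        return identifier if self.key == "url" else canonical

    def grant(self, identifier: str, resource: str) -> None:
        subject = self._subject(identifier)
        if subject is None:
            raise LookupError(f"{identifier} does not resolve")
        self.acl.setdefault(subject, set()).add(resource)

    def may_read(self, identifier: str, resource: str) -> bool:
        """Called after a successful OpenID assertion for `identifier`."""
        subject = self._subject(identifier)
        return subject is not None and resource in self.acl.get(subject, set())


def reassignment_scenario(key: str) -> Dict[str, bool]:
    """Grant access to a name, then purge it and let someone else claim it.
    Returns whether the original owner (before) and the new holder of the
    name (after) can read the locked post. Names and ids are constructed."""
    prov = Provider({"http://alice.example.com/": "id:1001"})
    rp = RelyingParty(prov, key)
    rp.grant("http://alice.example.com/", "locked-post")
    before = rp.may_read("http://alice.example.com/", "locked-post")
    prov.purge_and_register("http://alice.example.com/", "id:2002")
    after = rp.may_read("http://alice.example.com/", "locked-post")
    return {"original_owner": before, "new_owner_of_name": after}


def rename_swap_scenario(key: str) -> Dict[str, bool]:
    """foo and bar belong to one person; bar has access; they swap names.
    Returns which of the post-swap names can still read the locked post."""
    prov = Provider({"http://foo.example.com/": "id:1",
                     "http://bar.example.com/": "id:2"})
    rp = RelyingParty(prov, key)
    rp.grant("http://bar.example.com/", "locked-post")
    prov.swap_names("http://foo.example.com/", "http://bar.example.com/")
    return {"new_bar": rp.may_read("http://bar.example.com/", "locked-post"),
            "new_foo": rp.may_read("http://foo.example.com/", "locked-post")}


if __name__ == "__main__":
    for key in ("url", "canonical"):
        print(key, reassignment_scenario(key), rename_swap_scenario(key))
```

With `key="url"` the purged-and-reclaimed name still reads the locked post, which is the failure the post is about; with `key="canonical"` it is denied, but after the rename swap only the name that now carries the original id (the new foo) keeps its access, so the person has to log in as that name rather than as the new bar.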

[personal profile] ms_kismet 2010-07-21 10:48 am (UTC)
I guess that means that I should get you to add my DW account at some point in time then :)

I don't know how much I'll really use this as you, Sharplittlteeth and Qamar are really the only ones I know who are really using the system and I'm more reading/commenting than posting currently anyway.

That may change one day, but right now, it's a split deck, so I'll keep on doing what I'm doing until I can't. :)

[personal profile] gths 2010-07-22 06:36 am (UTC)
Well, fortunately I haven't had to give money to whichever band of clowns currently owns LJ for a while, since I got a permanent account five years ago or whenever that was. Certainly long enough ago that I've gotten my money's worth and that it's probably been spent. Still got a few people on the LJ who are all "well I'm not getting a DW account just because you all are", but keeping the two synched is pretty easy.

[personal profile] ms_kismet 2010-07-22 08:46 am (UTC)
I fully understood your (and many other people's) choice to move. I'm just a lazy blogger who just hasn't been bothered to do the same myself as yet. The configuration and setup involved with fully migrating over is rather time consuming from what I've seen so far and sadly, I don't have the time online that I used to anymore. Real life is getting in the way!

I figure, right now, I'm not paying LJ money anymore and eventually I may migrate over fully, but for now, at least I can comment without worrying about openID from lj not being fantastic.

[personal profile] lnr 2010-07-21 11:56 am (UTC)

According to this definition:

To clarify, an inactive personal journal refers to any journal that has not been logged into for two consecutive years using any method of logging in, such as logging in while posting a comment, AND contains either no posts at all or only the LiveJournal welcome post.

So no-one who has actually *used* their LJ should ever be deleted as inactive. Although they may choose to delete their own journal themselves.

As far as I understand the situation it has always been the case that a name could be reused sufficiently long after an LJ account has been deleted, and this latest change just means there will be slightly more deleted accounts than previously. In other words the insecurity has always been there, you just hadn't realised before. Of course that doesn't mean you shouldn't act on it if you think it's necessary.

If you can trust me not to delete my own LJ without informing you I've done so then you could continue to trust my openid. But I'll understand if you need a technical trust mechanism rather than a human one.

Generally where friends have moved to DW, especially where comments have moved here, I read them here rather than on LJ. It's been good that I haven't had to waste DW's namespace by getting an essentially empty account in order to do so. It would be sad if I end up having to do that, or miss out.


[personal profile] vatine 2010-07-21 01:48 pm (UTC)
Back in the dark mists of time, LJ had an explicit policy of never allowing name re-use, but I can't say I've checked how that's evolved over the years.

[personal profile] lnr 2010-07-21 02:36 pm (UTC)
I seem to remember it being possible years back, but can't quantify that exactly.

The page which lists newly available (i.e. deleted and purged) account names has existed since at least mid-2007:

http://web.archive.org/web/*/http://www.livejournal.com/misc/expunged_list.bml

It looks like it wasn't possible to reuse a username in December 2004:

http://web.archive.org/web/20041216132254/http://www.livejournal.com/support/faqbrowse.bml?faqid=127

But has been possible since at least March 2006:

http://web.archive.org/web/20060318105519/http://www.livejournal.com/support/faqbrowse.bml?faqid=127

[personal profile] vatine 2010-07-21 02:40 pm (UTC)
I probably checked around September-October 2003 (based on when I did my first LJ post) and haven't paid much attention since.

[personal profile] pauamma 2010-07-21 05:06 pm (UTC)
Renaming (for a fee) to the username of a deleted and purged account was already available in 2005 (on LJ).

Did they ever fix the phishing problem with openid?

(Anonymous) 2010-07-21 04:21 pm (UTC)
If not, no one should be using OpenID or promoting it for anything _anyway_, so this would be a non-issue....

[personal profile] pauamma 2010-07-21 05:17 pm (UTC)
This is not a new problem. Consider the following:
- You give http://bradfitzindrag.livejournal.com/ some access to your DW journal. (Commenting, tagging entries, whatever.)
- I get tired of that account and delete it.
- After it's purged, someone coughs up the $15 and snarfs the name.

Granted, the remedy you chose takes care of that as well, but saying "it can happen now that LJ is purging suspended and inactive accounts" looks slightly disingenuous to me.

[personal profile] pauamma 2010-07-22 05:37 pm (UTC)
BTW, just came across http://community.livejournal.com/lj_releases/59530.html. Coincidence? You decide. :-)

[personal profile] blithespirit 2010-07-30 02:23 am (UTC)
Thanks for posting about this. I'm not sure what I need to change in my Dreamwidth settings to stop LJ OpenIDs from accessing Dreamwidth?

Cheers!

[personal profile] bens_dad 2010-08-22 11:47 am (UTC)
Dreamwidth are about to allow reuse of old usernames and thus have the same problem: http://dw-news.dreamwidth.org/23982.html?thread=2661550#cmt2661550

They say they are looking at a feature of OpenID 2.0 which will help
http://dw-news.dreamwidth.org/23982.html?thread=2663854#cmt2663854
http://dw-news.dreamwidth.org/23982.html?thread=2664622#cmt2664622

I'm not happy that they place reuse of account names above security of OpenID.