LJ - Purging Accounts = Even More Broken OpenID
Hello, especially to anyone reading me who is on LiveJournal. LJ have recently started purging accounts that are inactive/suspended (Edited for accuracy).
This means that those account names can be claimed by people other than the original owner. (ETA: This has already been the case since 2005 with deleted accounts and renames, apparently, but I failed to notice that.)
Unfortunately, this fundamentally breaks the trust relationship of OpenID, which is based around the URL of the logging-in site. Essentially, I cannot trust that the OpenID user http://thorfinn.livejournal.com/ will remain the original user, without continuously checking that that is so. I can't do that for more than a few users, so essentially, my only effective solution is to be unable to trust any OpenID from livejournal.com.
So, because I cannot trust OpenIDs from livejournal.com, I cannot allow those OpenIDs to access my DW content. This means if you are on LJ, you will be unable to see my locked posts on DW, even if you log in using OpenID.
Most of you will get to read the post anyway, because I will keep cross-posting to LJ, but as I will not be allowing comments on LJ, there will be no commenting.
In short, I'm sorry for the inconvenience, but due to the lack of security of LJ OpenID made even worse by this new policy, I can't allow LJ OpenIDs access to Dreamwidth directly.
If you wish to discuss anything in my locked posts, then come to Dreamwidth. For further references, see:
no subject
That is, only accounts that have zero entries (other than the automatic welcome entry) *and* haven't been logged into for 2 years.
But, as I say, the issue is still valid because some people may have used LJ accounts purely for commenting (meaning that they will be purged despite possibly being highly active in the wider LJ/OpenID community).
Also, suspended accounts are getting purged as well, which is a whole different kettle of fish.
OpenID not quite that broken ...
Interesting mechanism ... somehow I doubt LJ have bothered to implement it though ...
no subject
I don't know how much I'll really use this as you, Sharplittlteeth and Qamar are really the only ones I know who are really using the system and I'm more reading/commenting than posting currently anyway.
That may change one day, but right now, it's a split deck, so I'll keep on doing what I'm doing until I can't. :)
no subject
According to this definition:
So no-one who has actually *used* their LJ should ever be deleted as inactive. Although they may choose to delete their own journal themselves.
As far as I understand the situation it has always been the case that a name could be reused sufficiently long after an LJ account has been deleted, and this latest change just means there will be slightly more deleted accounts than previously. In other words the insecurity has always been there, you just hadn't realised before. Of course that doesn't mean you shouldn't act on it if you think it's necessary.
If you can trust me not to delete my own LJ without informing you I've done so then you could continue to trust my openid. But I'll understand if you need a technical trust mechanism rather than a human one.
Generally where friends have moved to DW, especially where comments have moved here, I read them here rather than on LJ. It's been good that I haven't had to waste DW's namespace by getting an essentially empty account in order to do so. It would be sad if I end up having to do that, or miss out.
(no subject)
Did they ever fix the phishing problem with openid?
(Anonymous) 2010-07-21 04:21 pm (UTC)
- You give http://bradfitzindrag.livejournal.com/ some access to your DW journal. (Commenting, tagging entries, whatever.)
- I get tired of that account and delete it.
- After it's purged, someone coughs up the $15 and snarfs the name.
Granted, the remedy you chose takes care of that as well, but saying "it can happen now that LJ is purging suspended and inactive accounts" looks slightly disingenuous to me.
no subject
Cheers!
no subject
They say they are looking at a feature of OpenID 2.0 which will help
http://dw-news.dreamwidth.org/23982.html?thread=2663854#cmt2663854
http://dw-news.dreamwidth.org/23982.html?thread=2664622#cmt2664622
I'm not happy that they place reuse of account names above security of OpenID.
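An added example, not part of the original post or comments: a sketch of how a relying site could key its access grants on the full claimed identifier. It assumes the OpenID 2.0 feature mentioned above is identifier recycling, where the provider appends a per-owner URL fragment to the claimed identifier (the thread does not name the feature). The `op.example` URLs, fragment values and the `AccessList` class are constructed for illustration.

```python
from urllib.parse import urlsplit

def split_claimed_id(claimed_id):
    """Return (display_url, generation) for a claimed identifier.
    The fragment, when the provider supplies one, distinguishes
    successive owners of the same URL."""
    parts = urlsplit(claimed_id)
    display = f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"
    return display, (parts.fragment or None)

class AccessList:
    """Hypothetical relying-party grant list for locked content."""
    def __init__(self):
        self._grants = {}  # display URL -> generation fragment, or None

    def grant(self, claimed_id):
        display, generation = split_claimed_id(claimed_id)
        self._grants[display] = generation

    def check(self, asserted_id):
        display, generation = split_claimed_id(asserted_id)
        if display not in self._grants:
            return "deny: unknown identifier"
        stored = self._grants[display]
        if stored is None:
            # Grant was recorded without a fragment: a later owner of a
            # purged and re-registered name cannot be told apart.
            return "allow: owner unverifiable"
        if generation != stored:
            return "deny: generation mismatch"
        return "allow"

def demo():
    acl = AccessList()
    acl.grant("http://alice.op.example/")           # constructed, no fragment
    acl.grant("http://bob.op.example/#gen-1001")    # constructed fragment
    return [
        acl.check("http://alice.op.example/"),         # original or new owner
        acl.check("http://bob.op.example/#gen-1001"),  # same owner as granted
        acl.check("http://bob.op.example/#gen-2002"),  # name re-registered
        acl.check("http://carol.op.example/"),         # never granted
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first result is the case the post describes: with a bare URL as the identifier, the grant follows the name rather than the person.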