thorfinn ([personal profile] thorfinn) wrote 2010-07-21 12:49 pm

LJ - Purging Accounts = Even More Broken OpenID

Hello, especially to anyone reading me who is on LiveJournal. LJ have recently started purging accounts that are inactive or suspended (Edited for accuracy).

This means that those account names can be claimed by people other than the original owner. (ETA: This has already been the case since 2005 with deleted accounts and renames, apparently, but I failed to notice that.)

Unfortunately, this fundamentally breaks the trust relationship of OpenID, which is based on the URL of the site you log in from. Essentially, I cannot trust that the OpenID user http://thorfinn.livejournal.com/ will remain the original user without continuously checking that it still is. I can't do that for more than a few users, so in effect my only workable option is to stop trusting any OpenID from livejournal.com.

So, because I cannot trust OpenIDs from livejournal.com, I cannot allow those OpenIDs to access my DW content. This means if you are on LJ, you will be unable to see my locked posts on DW, even if you log in using OpenID.

Most of you will get to read the post anyway, because I will keep cross-posting to LJ, but as I will not be allowing comments on LJ, there will be no commenting.

In short, I'm sorry for the inconvenience, but because of the lack of security in LJ OpenID, made even worse by this new policy, I can't allow LJ OpenIDs direct access to Dreamwidth.

If you wish to discuss anything in my locked posts, then come to Dreamwidth. For further references, see:

[identity profile] http://www.google.com/profiles/yakboy 2010-07-21 05:57 am (UTC)
I do think your beef is valid, but it's worth noting that LJ aren't purging *idle* accounts, they are purging *never started* accounts.

That is, only accounts that have zero entries (other than the automatic welcome entry) *and* haven't been logged into for 2 years.

But, as I say, the issue is still valid because some people may have used LJ accounts purely for commenting (meaning that they will be purged despite possibly being highly active in the wider LJ/OpenID community).

Also, suspended accounts are getting purged as well, which is a whole different kettle of fish.

[personal profile] ex_hestia888 2010-07-21 06:01 am (UTC)
Wow. I haven't looked at my DW account in so long I couldn't remember my username or password. Thanks for posting this on LJ too. Thanks to that I got curious and had another look over here and see lots more people have migrated than I had realised.

OpenID not quite that broken ...

[personal profile] subtle_eye 2010-07-21 06:34 am (UTC)

XRIs are a new form of Internet identifier designed specifically for cross-domain digital identity. For example, XRIs come in two forms—i-names and i-numbers—that are usually registered simultaneously as synonyms. I-names are reassignable (like domain names), while i-numbers are never reassigned. When an XRI i-name is used as an OpenID identifier, it is immediately resolved to the synonymous i-number (the CanonicalID element of the XRDS document). This i-number is the OpenID identifier stored by the relying party. In this way, both the user and the relying party are protected from the user's OpenID identity ever being taken over by another party as can happen with a URL based on a reassignable DNS name.

Interesting mechanism ... somehow I doubt LJ have bothered to implement it though ...

[personal profile] ms_kismet 2010-07-21 10:48 am (UTC)
I guess that means that I should get you to add my DW account at some point in time then :)

I don't know how much I'll really use this as you, Sharplittlteeth and Qamar are really the only ones I know who are really using the system and I'm more reading/commenting than posting currently anyway.

That may change one day, but right now, it's a split deck, so I'll keep on doing what I'm doing until I can't. :)

[personal profile] lnr 2010-07-21 11:56 am (UTC)

According to this definition:

To clarify, an inactive personal journal refers to any journal that has not been logged into for two consecutive years using any method of logging in, such as logging in while posting a comment, AND contains either no posts at all or only the LiveJournal welcome post.

So no-one who has actually *used* their LJ should ever be deleted as inactive. Although they may choose to delete their own journal themselves.

As far as I understand the situation it has always been the case that a name could be reused sufficiently long after an LJ account has been deleted, and this latest change just means there will be slightly more deleted accounts than previously. In other words the insecurity has always been there, you just hadn't realised before. Of course that doesn't mean you shouldn't act on it if you think it's necessary.

If you can trust me not to delete my own LJ without informing you I've done so then you could continue to trust my openid. But I'll understand if you need a technical trust mechanism rather than a human one.

Generally where friends have moved to DW, especially where comments have moved here, I read them here rather than on LJ. It's been good that I haven't had to waste DW's namespace by getting an essentially empty account in order to do so. It would be sad if I end up having to do that, or miss out.

Did they ever fix the phishing problem with openid?

(Anonymous) 2010-07-21 04:21 pm (UTC)
If not, no one should be using OpenID or promoting it for anything _anyway_, so this would be a non-issue....

[personal profile] pauamma 2010-07-21 05:17 pm (UTC)
This is not a new problem. Consider the following:
- You give http://bradfitzindrag.livejournal.com/ some access to your DW journal. (Commenting, tagging entries, whatever.)
- I get tired of that account and delete it.
- After it's purged, someone coughs up the $15 and snarfs the name.

Granted, the remedy you chose takes care of that as well, but saying "it can happen now that LJ is purging suspended and inactive accounts" looks slightly disingenuous to me.
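The scenario in the post (access granted to http://thorfinn.livejournal.com/, then the name gets purged and re-registered), pauamma's three-step version of it above, and the XRI mechanism quoted by subtle_eye (the relying party stores a never-reassigned CanonicalID instead of the reassignable name) can be seen side by side in a small simulation. This is an added example, not code from the post, from LiveJournal, from Dreamwidth or from the OpenID/XRI specifications: the provider, the relying party, the canonical-id format and the account names are all constructed here, and real OpenID/XRI discovery involves considerably more than the single dictionary lookup used below.

```python
"""Toy simulation (added example, not the post's code): a relying party (RP)
keyed on a reassignable identifier URL versus one keyed on a canonical,
never-reused id. All names, ids and the "=!domain!nnnn" id format are constructed."""

import itertools


class Provider:
    """Toy identity provider whose usernames can be purged and re-registered."""

    def __init__(self, domain):
        self.domain = domain
        self.accounts = {}              # username -> canonical id of current holder
        self._seq = itertools.count(1)  # canonical ids are issued once and never reused

    def register(self, username):
        if username in self.accounts:
            raise ValueError(f"{username} is already taken")
        # Constructed stand-in for the XRI i-number / XRDS CanonicalID: fresh per registration.
        cid = f"=!{self.domain}!{next(self._seq):04d}"
        self.accounts[username] = cid
        return cid

    def purge(self, username):
        """Delete the account; the username becomes claimable by anyone."""
        del self.accounts[username]

    def identifier_url(self, username):
        return f"http://{username}.{self.domain}/"

    def resolve(self, url):
        """Simulate discovery on an identifier URL: return the canonical id of
        whoever currently holds that username (KeyError if nobody does)."""
        host = url.split("//", 1)[1].split("/", 1)[0]
        username = host.split(".", 1)[0]
        return self.accounts[username]


class RelyingParty:
    """Toy RP that lets stored identities read locked posts.
    key_on_canonical_id=False stores the reassignable URL (the post's situation);
    True stores the canonical id, which survives a purge-and-reclaim unchanged."""

    def __init__(self, provider, key_on_canonical_id):
        self.provider = provider
        self.key_on_canonical_id = key_on_canonical_id
        self.allowed = set()

    def _key(self, url):
        cid = self.provider.resolve(url)
        return cid if self.key_on_canonical_id else url

    def grant(self, url):
        self.allowed.add(self._key(url))

    def can_read_locked(self, url):
        try:
            return self._key(url) in self.allowed
        except KeyError:   # name currently unclaimed: nobody can log in with it
            return False


def run_scenario(key_on_canonical_id):
    """Walk the post's scenario and report who can read locked posts at each step."""
    lj = Provider("livejournal.com")
    lj.register("thorfinn")                       # original owner registers
    url = lj.identifier_url("thorfinn")           # http://thorfinn.livejournal.com/
    rp = RelyingParty(lj, key_on_canonical_id)
    rp.grant(url)                                 # owner is given locked-post access
    result = {"original_owner": rp.can_read_locked(url)}
    lj.purge("thorfinn")                          # account deleted and purged
    result["while_unclaimed"] = rp.can_read_locked(url)
    lj.register("thorfinn")                       # a different person claims the name
    result["new_claimant"] = rp.can_read_locked(url)
    return result


if __name__ == "__main__":
    print("URL-keyed RP:         ", run_scenario(key_on_canonical_id=False))
    print("Canonical-id-keyed RP:", run_scenario(key_on_canonical_id=True))
```

The URL-keyed RP is the one the post worries about: once the name is reclaimed, the new holder inherits the access grant without any check on the RP's side. The canonical-id-keyed RP denies the new claimant automatically, because the id issued at re-registration differs from the one stored at grant time. The caveat from the thread still stands: this only helps if the provider actually issues and publishes a non-reassignable id and the RP stores that rather than the URL.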

[personal profile] pauamma 2010-07-22 05:37 pm (UTC)
BTW, just came across http://community.livejournal.com/lj_releases/59530.html. Coincidence? You decide. :-)

[personal profile] blithespirit 2010-07-30 02:23 am (UTC)
Thanks for posting about this. I'm not sure what I need to change in my Dreamwidth settings to stop LJ OpenIDs from accessing Dreamwidth?

Cheers!

[personal profile] bens_dad 2010-08-22 11:47 am (UTC)
Dreamwidth are about to allow reuse of old usernames and thus have the same problem http://dw-news.dreamwidth.org/23982.html?thread=2661550#cmt2661550

They say they are looking at a feature of OpenID 2.0 which will help
http://dw-news.dreamwidth.org/23982.html?thread=2663854#cmt2663854
http://dw-news.dreamwidth.org/23982.html?thread=2664622#cmt2664622

I'm not happy that they place reuse of account names above security of OpenID.