Comments on: OpenIDs at LiveJournal leaking auth info http://weblog.terrellrussell.com/2007/05/openids-at-livejournal-leaking-auth-info/ Ideas on interconnections, identity, and information from all sides. Mon, 06 Oct 2008 12:42:16 +0000 http://wordpress.org/?v=2.5.1 By: joe http://weblog.terrellrussell.com/2007/05/openids-at-livejournal-leaking-auth-info/#comment-13434 joe Fri, 25 May 2007 18:45:56 +0000 http://weblog.terrellrussell.com/2007/05/openids-at-livejournal-leaking-auth-info/#comment-13434 SUP has a deal with livejournal, kommersant has a deal with SUP, but the end result is that my info is leaked without my authorization both to SUP and kommersant. What prevents kommersant from having a deal with some other company and leaking it even further? SUP has a deal with livejournal, kommersant has a deal with SUP, but the end result is that my info is leaked without my authorization both to SUP and kommersant. What prevents kommersant from having a deal with some other company and leaking it even further?

]]> By: Terrell Russell http://weblog.terrellrussell.com/2007/05/openids-at-livejournal-leaking-auth-info/#comment-13423 Terrell Russell Fri, 25 May 2007 16:27:17 +0000 http://weblog.terrellrussell.com/2007/05/openids-at-livejournal-leaking-auth-info/#comment-13423 So, Joe, this is to say that this isn't as much a leak in OpenID or LiveJournal's implementation of it - but rather, a business deal with ramifications. So, Joe, this is to say that this isn’t as much a leak in OpenID or LiveJournal’s implementation of it - but rather, a business deal with ramifications.

]]> By: joe http://weblog.terrellrussell.com/2007/05/openids-at-livejournal-leaking-auth-info/#comment-13419 joe Fri, 25 May 2007 16:18:44 +0000 http://weblog.terrellrussell.com/2007/05/openids-at-livejournal-leaking-auth-info/#comment-13419 Simon, thanks for the link to the preapproved web sites, kommersant.ru and livejournal.ru are not on the list. The whole thing is a side effect of SUP.com / LiveJournal deal, where the rights to service russian part of livejournal were given to a russian company. If you have livejournal account, sign into it and go to livejournal.ru and you will see your name in the top right corner. kommersant.ru has a deal with SUP / livejournal.ru to render comments. That means that even when you are not in russia you can be tracked by a moscow based company as you visit sites they have a deal with. Simon, thanks for the link to the preapproved web sites, kommersant.ru and livejournal.ru are not on the list. The whole thing is a side effect of SUP.com / LiveJournal deal, where the rights to service russian part of livejournal were given to a russian company. If you have livejournal account, sign into it and go to livejournal.ru and you will see your name in the top right corner. kommersant.ru has a deal with SUP / livejournal.ru to render comments.

That means that even when you are not in russia you can be tracked by a moscow based company as you visit sites they have a deal with.

]]> By: Simon Spero http://weblog.terrellrussell.com/2007/05/openids-at-livejournal-leaking-auth-info/#comment-13334 Simon Spero Thu, 24 May 2007 16:34:17 +0000 http://weblog.terrellrussell.com/2007/05/openids-at-livejournal-leaking-auth-info/#comment-13334 check_immediate should fail if the RP has not previously been approved. I haven't checked to see if this isn't being done, but LJ does check authorization if checkid_setup is used. The list of sites pre-authorized to check credentials can be edited at <a href="http://www.livejournal.com/openid/options.bml" rel="nofollow">http://www.livejournal.com/openid/options.bml</a> check_immediate should fail if the RP has not previously been approved. I haven’t checked to see if this isn’t being done, but LJ does check authorization if checkid_setup is used.

The list of sites pre-authorized to check credentials can be edited at http://www.livejournal.com/openid/options.bml

]]> By: Tara Kelly http://weblog.terrellrussell.com/2007/05/openids-at-livejournal-leaking-auth-info/#comment-13333 Tara Kelly Thu, 24 May 2007 16:09:18 +0000 http://weblog.terrellrussell.com/2007/05/openids-at-livejournal-leaking-auth-info/#comment-13333 I have no idea if this rumor is true or not. Nonetheless - and I may be generalizing too much so someone flame me if I'm out of bounds - I would tend to think it's better to choose a *dedicated* OpenID provider than to just trust your blogging platform. Why? Because blogging platforms are specialized in blogs, whereas dedicated OpenID services are specialized in OpenID. There's a big difference there. Just my 2c. Cheers, Tara I have no idea if this rumor is true or not.

Nonetheless - and I may be generalizing too much so someone flame me if I’m out of bounds - I would tend to think it’s better to choose a *dedicated* OpenID provider than to just trust your blogging platform.

Why? Because blogging platforms are specialized in blogs, whereas dedicated OpenID services are specialized in OpenID. There’s a big difference there.

Just my 2c.
Cheers,
Tara

]]>