The trouble with YADIS - The Snow In The Summer or So-So

25 June 2008
The trouble with YADIS

So here it is, the long-awaited post on why we don't think YADIS is the best thing since sliced bread. For convenience, let us define some generic terms:
Anysite - a website that we wish to authenticate ourselves to using YADIS.
Dodgysite - a website designed to do bad things - phishing, dropping viruses, that kind of nonsense.
Trustedsite - a website that we trust a lot.
YadisProvider - a site that verifies YADIS credentials.

Source for much of this discussion was The problems with Openid, published by Stefan Brands in August 2007. Interpretations are entirely our own.

What's this YADIS anyway?

Let's begin at the beginning. When it was first put forward in May 2005, YADIS was only designed for trivial identity validation - authentication for blog comments, and, er, that's about it. In the words of initial developer Bradley Fitzpatrick, "The goal of this is for sites that do care about preventing spoofed comments/identities to be able to do so, if they play along." Anything beyond this is strictly out of the design scope for YADIS.

In its original form, YADIS weighed assertions in a FOAF file. The mechanism was moderately sensible, and is summarised as follows:

-- Your FOAF file points to your chosen identity server.

-- Your identity server is responsible for telling the rest of the world if you're you or not, and only telling people you've granted this permission.

-- Web clients find your FOAF URL (either directly or via weblinks), fetch your FOAF, find your identity server, then ask the identity server if you are who you said you are.

-- If you're not, or you're not logged in, or you haven't set up trust, the identity server tells the client "I can't tell you". So client redirects user. User sets up trust on identity server, goes back to site, logs in again.

-- Your global identifier throughout the web is your FOAF URL. So you also choose how much info you do or do not want to share in there.

-- If you don't trust LiveJournal to be your identity server, run your own identity server, and point your FOAF at that. Or use somebody you trust more.

Fitzpatrick, 16.05.05

We need to remember that YADIS doesn't do a lot of things, and actually does very little. It does not authenticate users to websites. It does not authenticate users to their YADIS provider. All it does is authenticate the YADIS provider to the website by passing a particular URL. The assumption underlying the entire system is that controlling the URL is a valid credential. This is a very, very weak assertion, far less powerful than Mr. Fitzpatrick and other YADIS proponents wish to believe.

Within two days, Mr. Fitzpatrick had moved the goalposts. YADIS would be hosted on the existing servers of openid.net, a domain looking for a technology to sponsor. He also dropped the use of FOAF entirely, preferring to mess about with URLs and code in the <HEAD> element.

This was an error. FOAFs come in all shapes and sizes. URLs are all alike, and rely on DNS functioning correctly. If there's some network problem with DNS servers (not unknown), YADIS stops working. If the DNS servers get poisoned, YADIS can be redirected to Dodgysite. If a particularly nasty virus were to infect a machine and drop code that bodges the DNS, it redirects everything from YadisProvider to Dodgysite. If YadisProvider is down for whatever reason, you can't validate to any site. It also shifts the burden required to escape the system from amending one's FOAF file (which is generally possible, if not obvious) to amending HTML headers (generally regarded as impossible).

So, how does YADIS work?

In practice, YADIS should work a little like this:

1) We ask to use YADIS on Anysite.
2) Anysite finds that we're using YadisProvider.
3) Anysite passes a credential to our browser, and throws us to YadisProvider.
4) We see a page from YadisProvider asking for our password and/or to approve Anysite, and give the OK.
5) YadisProvider gives our browser another credential, and throws us back to Anysite.
6) Anysite now knows who controls that bit of YadisProvider.
7) If Anysite trusts YadisProvider, it can now make an assumption that we are who we claim to be.
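As an added illustration (not code from the original post, and not the YADIS or OpenID code itself), here is a simplified Python model of steps 1 to 7, with a constructed identity page, a constructed user table, and a shared secret assumed to exist between Anysite and YadisProvider. It shows what Anysite can check on the return leg (a fresh, single-use nonce and a signature tied to the provider it discovered) and, just as importantly, what it cannot: nothing here tells Anysite whether the password was typed into the real YadisProvider page.

```python
import hashlib, hmac, re, secrets

# Constructed identity page for the claimed URL: the identity server is
# advertised by a <link> in <head>, as the post describes.
IDENTITY_HTML = '<html><head><link rel="openid.server" href="https://yadisprovider.example/auth"></head></html>'
USERS = {"https://yadisprovider.example/u/alice": "correct horse"}  # provider's users (constructed)
SHARED_SECRET = b"anysite<->yadisprovider key"  # assumed pre-established out of band

def discover_provider(html):
    # Step 2: Anysite reads the identity server URL out of the claimed page.
    m = re.search(r'<link\s+rel="openid\.server"\s+href="([^"]+)"', html)
    if not m:
        raise ValueError("no identity server advertised")
    return m.group(1)

def sign(identity, nonce, return_to):
    msg = "|".join((identity, nonce, return_to)).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()

class Anysite:
    def __init__(self):
        self.pending = {}  # nonce -> (identity, provider), valid for one round trip

    def start_login(self, identity, html):
        # Steps 2-3: discover the provider and hand the browser a credential.
        provider = discover_provider(html)
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (identity, provider)
        return provider, {"identity": identity, "nonce": nonce,
                          "return_to": "https://anysite.example/cb"}

    def finish_login(self, response):
        # Steps 6-7: accept only a fresh, correctly signed assertion.
        if response is None or response["nonce"] not in self.pending:
            return False
        identity, provider = self.pending.pop(response["nonce"])  # single use
        expected = sign(identity, response["nonce"], response["return_to"])
        return (response["identity"] == identity and response["provider"] == provider
                and hmac.compare_digest(expected, response["sig"]))

def yadisprovider_authenticate(endpoint, request, password, approve):
    # Steps 4-5: the user logs in at the provider and approves Anysite.
    if USERS.get(request["identity"]) != password or not approve:
        return None
    return {**request, "provider": endpoint,
            "sig": sign(request["identity"], request["nonce"], request["return_to"])}

def login(identity, password, approve=True):
    site = Anysite()
    provider, req = site.start_login(identity, IDENTITY_HTML)
    return site.finish_login(yadisprovider_authenticate(provider, req, password, approve))
```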

There is an utterly trivial level of phishing attack.

1) We ask to use YADIS on Dodgysite.
2) Dodgysite finds that we're using YadisProvider.
3) Dodgysite pretends to be us, and pulls down the credentials page from YadisProvider.
4) We think we're seeing the page from YadisProvider, and enter our details as normal.
5) Dodgysite accepts our credentials without reference to YadisProvider.
6) Dodgysite now has our logon details for YadisProvider, and can use them for fun and profit.

By one simple man-in-the-middle attack, everything validated by YadisProvider is compromised, and possibly compromised forever. Now, no slightly competent YadisProvider would allow themselves to be hijacked in this way, but there is scope to build a more complex attack.

This becomes even more worrisome when combined with the "Trust this site" option. At step 4 of the proper logon process, it's possible to say, "I trust Trustedsite, and don't bother to ask me about Trustedsite ever again." If Dodgysite can somehow pretend to be Trustedsite, then YadisProvider will allow identity details to be released to Dodgysite.

There is almost certainly some scope for XSS attacks. We don't fully understand XSS, so we'll leave the discussion at a basic level.

Does YADIS protect your privacy?

Not really. Recycled accounts are perhaps the least of our worries. You sign up on (say) Livejournal for account blatant_example. Unknown to you, blatant_example had been deleted three months ago, and its previous owner trusted all sorts of strange sites. It's possible (not certain, but possible) that some sites will still use these old credentials.

But there are other questions. What records does YadisProvider keep? Because YadisProvider gets a credential (step 3 of the logon process), it can track which sites you're visiting, and which sites you trust. An unscrupulous YadisProvider would be able to abuse these records for their own profit.

YadisProvider is also able to force people to trust sites. Unlike the two theoretical examples above, we have a concrete instance of this happening. Back in May 2007, Six Apart's Livejournal forced all its customers to trust various Russian sites, no matter whether they actually trusted those sites. If customers didn't like this, they were told that they could always log themselves out of Livejournal, which smacks of the BBC's advice to Mrs. Whitehouse.

Further questions of trust arise. Do you trust these people not to have holes in their security systems? If a YadisProvider were ever to be compromised, all of the accounts from that provider would instantly and permanently become worthless.

Do you trust these sites not to pretend to be you on other websites? Remember: it's not just the regular staff you have to be worried about, it could be a hacker, a virus, an employee with a grudge... If you subsequently decide you don't trust these websites, can you rescind your account at the flick of a switch? And do you trust these sites to be using the web forever? If YadisProvider disappears from the world, every site it validated through YADIS is thrown into confusion. If we had a tenner every time a site we liked disappeared into the ether, we'd be spectacularly rich by now.

Do you trust SUP? Do you trust Yahoo? AOL? Six Apart? (Really?) Do you trust Dodgysite? Anyone can be YadisProvider. Suppose that you run Anysite, and someone from Dodgysite tries to log on using YADIS. As normal, you ask Dodgysite for their YadisProvider, which turns out to be Dodgysite. You're being asked to trust Dodgysite on the say-so of Dodgysite. It's no better than "My word is my bond", the very circle that YADIS was set up to escape.

Summing up

The basic idea of YADIS had a little merit. The design goal - as best we can tell - was based on a focus group of one person, who didn't want to log himself onto lots of blogs. We cannot rule out the possibility that the move from FOAF to HTML pages was done at the behest of Six Apart, his then employer, who like nothing more than to screw their customers out of every penny they can. There's been no coherent plan behind the development of YADIS, and it shows.

As much as Mr. Fitzpatrick and his acolytes say that YADIS does not require trust, it has to. It requires trust that the provider is competent (and we will spell it out: Livejournal is not competent). It requires trust that both ends are operating honestly (again, let us spell it out: Six Apart cannot be trusted). It requires trust that no fourth-party attack has broken in, or will break in, or can break in.

We cannot recommend anyone uses YADIS beyond the sort of utterly trivial flim-flammery that you don't mind losing if compromised. In particular, this precludes YADIS against anything to do with money, or health, or Sensitive Personal Data, or email, or simply anything that would cause more than very minor embarrassment. For instance, we do not trust YADIS to provide sufficient security for the contents of our private blog. Being slightly selfish, we prize our honour a little more highly than our readers' convenience. There's also the little matter of our being consistent: it would be bizarre in the extreme to use a process that we do not trust to produce results that we do trust. Our brains will not leap that logical gap.

It is our preference not to use YADIS to authenticate ourselves for disposable comments. We believe it is unsafe to use YADIS for anything that will still be there in the morning. We are yet to be convinced that it is possible to build YADIS into something that can address the majority of these concerns.

Owing to the grave downside and negligible upside, we find it prudent to ensure that we do not have this particular sword hanging over our heads. This will include declining services that insist on foisting a YADIS account on us without a viable option to disable it. Yahoo has it right - it is necessary to specifically enable YADIS on their accounts. Livejournal's implementation - overseen by Mr. Fitzpatrick himself - is wrong, wrong, wrong.

What would it take to convince us that YADIS had worth? At the very least, the technology needs to be phishing-proof, carry some meaningful privacy for the user, and not fit the description of being a glorified DNS lookup. It's tricky to imagine how the algorithm can meet this requirement without a fundamental re-design.
