TypeKey is live (beta)
I ran into a site that is running MovableType 3.0 (beta1) with TypeKey support.
There is no public protocol doc yet (afaik), but here's a quick analysis attempt.
Let's start with some shameless plugs to my previous posts on web authentication, for some background on existing solutions: "Microsoft Passport 101" (a detailed explanation of Microsoft's protocol) and "Comment authentication" (an investigation of alternative protocols).
Now, let's dive into the details of TypeKey (which seems similar in design to Passport, but with less features/options and is more open).
Whenever you register an account, you can also enlist your blog. In that case a blog token is provided to you, for the blog urls you declare. It looks like "LjRd2DpifL51sB0iFeYT".
This token is passed in the authentication request (as the t parameter) along with return url (_return). The return url is checked against the blog urls you enlisted for.
So a login url follows this format (notice that the url is static for a given blog): https://www.typekey.com/t/typekey/login?t=<blog token>&_return=<return url>
The return request contains the time (epoch format) of the authentication (ts parameter), the TypeKey login name (name), some kind of hash of the email (email), the display name (nick) and a secure signature (sig).
So, after you authenticate with TypeKey, you are returned to a url like: <return url>&ts=<timestamp>&email=<hashed email>&name=<name>&nick=<display name>&sig=<crypto signature>
Real parameters would look like:
A SHA-1 hash is used for the email (like FOAF). I confirmed it by computing the SHA-1 hash for mailto:dumky at ifrance.com, and then also found out the url for my TypeKey FOAF file.
I'm not sure how the query string is signed yet, probably a PGP type signature. The blog token is probably involved, so that signatures can't be re-used from sites to sites.
If need_email=1 is part of the auth request, a consent checkbox is shown in the login prompt. In that case, a cleartext version of the email is returned instead of just a hash.
Idly.org uses this option.
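As an added example (not code from this post or from Six Apart), here is a small Python sketch of the request/return flow described above: building the static per-blog login URL, hashing an email FOAF-style to compare against the email parameter, and the checks a blog can run on the return URL (enlisted return URL, required fields, fresh ts). The blog URL, timestamps and email address are constructed; the signature scheme is not documented here, so sig is only checked for presence, not verified.

```python
import hashlib
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TYPEKEY_LOGIN = "https://www.typekey.com/t/typekey/login"
EXPECTED = ("ts", "email", "name", "nick", "sig")  # fields TypeKey sends back


def login_url(blog_token, return_url, need_email=False):
    """Static per-blog login URL: t = blog token, _return = where to bounce back."""
    params = {"t": blog_token, "_return": return_url}
    if need_email:
        params["need_email"] = "1"  # asks for the cleartext email (consent checkbox)
    return TYPEKEY_LOGIN + "?" + urlencode(params)


def foaf_email_hash(email):
    """FOAF-style hash: SHA-1 over 'mailto:<address>', hex encoded."""
    return hashlib.sha1(("mailto:" + email).encode("utf-8")).hexdigest()


def check_return(url, enlisted_urls, now=None, max_age=300):
    """Parse the URL TypeKey bounces the user to and list the problems a blog can
    detect on its own: landing outside an enlisted URL, missing fields, or a stale
    or future ts (a replayed login). Returns (fields, problems); empty problems = ok."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    landing = "%s://%s%s" % (parts.scheme, parts.netloc, parts.path)
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    problems = []
    if landing not in enlisted_urls:
        problems.append("return url not enlisted: " + landing)
    missing = [k for k in EXPECTED if k not in fields]
    if missing:
        problems.append("missing fields: " + ",".join(missing))
    if "ts" in fields:
        try:
            age = now - int(fields["ts"])
        except ValueError:
            problems.append("ts is not an integer")
        else:
            if age > max_age or age < -60:  # small clock skew allowed
                problems.append("stale or future ts (age %ds)" % age)
    return fields, problems


if __name__ == "__main__":
    # Blog token is the sample from the post; the return URL is constructed.
    print(login_url("LjRd2DpifL51sB0iFeYT", "http://blog.example/mt-comments.cgi"))
```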
Also, the TypeKey site will set a cookie that looks like:
Tp_commenter0 = b75783e8ef6b9433e014aed547fa028d
Since the TypeKey authentication occurs over SSL, I'm not sure why they didn't use a secure cookie.
Also, this cookie is set in the same domain where all the UI is displayed (for account management), which might be a risk in terms of script injection.
For example, the Profile currently is vulnerable to a script injection (I notified the SixApart team, as I did with similar problems in MovableType <2.64, and used my profile page as a demo), but luckily it resides in a separate domain, profile.typekey.com, instead of www.typekey.com.
Back on the blog site, two cookies are set that look like:
Tp_commenter = PyL52XkB98cxSo2sE%3D%3AUvzQdLVyw38%20qJBIjKz4lj1HkDY%3D
Commenter_name = Julien%20Couvreur%20%28Dumky%29
If you hit the mt-comments.cgi on the blog site, with logout=1, you'll get logged out of the blog and bounced on the TypeKey logout url (https://www.typekey.com/t/typekey/logout?&_return=<return url>).
I'm not sure how the sign-out works when you logged into multiple sites, it might just not be supported.
Thank you for the rundown of the protocol, very nice information.
Perhaps you'll write another post about any weaknesses in the protocol you might perceive? It'd be nice to learn how or if the protocol can be hacked or exploited, if there is any possibility to impersonate someone else, etc?
Posted by: Tomas (April 23, 2004 01:43 PM)
If I am not mistaken, logout is specific to the blog you are following the "Sign out" link from and *not* a Type Key service wide logout.
Posted by: Srijith (April 25, 2004 09:08 PM)
Tomas, I'll do that, probably after the official doc is published.
Srijith, that's what it looks like to me too. But for a good security and privacy handling, a single sign-on system should have a single sign-out ;-)
Posted by: Dumky (April 26, 2004 09:44 AM)
Is an SSL URL forced?
Posted by: Mike (August 5, 2004 04:15 PM)
I just upgraded a blog, www.jointeffects.com, to MT 3.15, and can't send email notifications any more. The error I get:
Can't use string ("ARRAY(0x898e4cc)") as an ARRAY ref while "strict refs" in use at...
Seems that quite a few people have this problem.
Did anyone solve it yet?
Posted by: chris (January 25, 2006 09:41 AM)