It’s the “common domain cookie” trick from Liberty ID-FF and SAML2, except without the notion of a circle of trust. (Thanks to Praveen for forging the CDC connection in my brain.)
It’s yet another thing you have to opt out of instead of into. (To disable it, visit XAuth.org from each browser you use.)
Pamela is wise.
I was already getting tired of the “social web” about the end of 2009. Does that make me anti-social?
Ugh — seepage.
Ah – so XAuth is just a “Circle”, then… ;^(
Interesting. For me, the “Disable” button works in Firefox/Ubuntu, but not in Firefox/Windows.
The Disable functionality is a joke. I’d have to disable it in 30 places, just to cover the devices and browsers I use a minimum of once a week. And how permanent is it anyway?
The only acceptable way I see for this to happen is if I can opt out at the identity provider such that they do not publish the XAUTH JavaScript on pages that I load in the first place, and therefore no extend call is made on any browser. I still have to opt out at every identity provider, but at least it’s a persistent, meaningful setting at that point.
Yeah, I’ve been discovering the limitations of disabling all morning. Sigh.
Camino/MacOSX also failed to disable. iPhone/Safari reported “xauth is unsupported”. Interesting, but it likely won’t last…and I’ll have to remember to check later (never good).
Win XP SP3:
Google Chrome – successfully disabled
Firefox 3.6.x – successfully disabled
MS IE 7.0 – I got nuthin. No response from the disable button in any way, shape or form.
iPad Safari – Success (which is not what I expected since it’s not supported on iPhone Safari at all…)
Mac OSX 10.5.8
Google Chrome – successfully disabled
Firefox 3.6.x – successfully disabled
Camino (one version back from current?) – nuthin. no response whatsoever
Instead of disabling it in every browser, edit your OS’s equivalent of the /etc/hosts file and assign it the localhost address.
127.0.0.1 xauth.org
After a reboot, no browser or application will be able to contact xauth.org for any reason. It might even bring up your local web server if you’re running it. (I’m not, so I’m not sure.)
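A way to check that a hosts file really carries the entry suggested in the comment above, as an added example that is not part of the original thread. The sample file contents and the `www.xauth.org` name are constructed for illustration; the second name is there to show that hosts entries match exact names only.

```python
import ipaddress

# Constructed sample hosts file (not from the page): typical default lines
# plus the entry suggested in the comment above.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.0.1   XAuth.org   # entry from the comment above
"""

def parse_hosts(text):
    """Map each lowercased hostname to the first address listed for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue  # blank line, comment-only line, or address without names
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip lines whose first field is not an IP address
        for name in fields[1:]:  # one line may carry several aliases
            table.setdefault(name.lower().rstrip("."), addr)
    return table

def is_blackholed(table, hostname):
    """True only if this exact name is mapped to a loopback address."""
    addr = table.get(hostname.lower().rstrip("."))
    return addr is not None and addr.is_loopback

def audit(text, hostnames):
    """Report, per hostname, whether the hosts text pins it to loopback."""
    table = parse_hosts(text)
    return {h: is_blackholed(table, h) for h in hostnames}

if __name__ == "__main__":
    # www.xauth.org is a hypothetical name used to show exact matching.
    for host, blocked in audit(SAMPLE_HOSTS, ["xauth.org", "www.xauth.org"]).items():
        print(f"{host}: {'loopback' if blocked else 'NOT covered by hosts file'}")
```

To audit a real machine, pass the contents of its hosts file to `audit()` in place of `SAMPLE_HOSTS`.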