Facebook, OpenID and Decrypting SSL

I was excited to see Facebook (FB) supporting login via OpenID (FB is a relying party), and I decided to give it a whirl. Here I list the results of my investigation, which describe the odd use of OpenID, as well as my wire level analysis which I hope you find informative. This post doesn't go into details of how OpenID works, if you're interested in that leave a comment and I'll put up such a post.

FB uses OpenID in a way I've never seen before. In the "common" OpenID login model, you get a login page that shows you some sort of login via OpenID buttons. When you go to the FB login page there is no login via OpenID.   This confused me, but I went to my FB account settings and linked my google account to my FB account. (Attempts to link my MyOpenID account failed with a strange error message). 

After some trial and error I realized that if I was logged into my Google account and went to the FB page than I'd automatically get logged into FB.

Debugging SSL via Charles

I needed to look at the network layer to see what is going on. Some of you may want to investigate this with tshark, but much of the traffic runs over SSL, since we don't have the server certs that's a dead end.  Instead you should fire up Charles, an http(s) debugging proxy.  Charles can sit in the middle of your SSL connections, and relay SSL traffic by presenting ‘untrusted certs’. Visually it looks like this:

 

 

How Facebook OpenID login works at a high level:

1. Facebook login page contains javascript that tells your browser to login to Yahoo and Google via OpenID
2. Your browser tries to connect to Yahoo and Google OpenID Endpoints, which post results back to FB
3. If the login via OpenID succeeds, and you have a linked account you get logged into FB.
4. If the request fails or there is no linked account you see nothing.

The Facebook OpenID approach:

If you’re logged into your Google account, and then go to the FB page, you’ll be automatically logged into FB, otherwise nothing happens. This is by design as mentioned here.

This is an interesting implementation of login via OpenID. It has the following advantages:

• It’s immune to phishing
• It requires no UI when you’re logged into your OpenID provider

At the same time there are some big disadvantages:

• There is a privacy leak as all OpenID providers supported by FB now know you’re trying to access FB and at what frequency and from what client
• FB needs to connect to every OpenID provider that exists on login.
• FB doesn’t allow you to specify which account you want to use to login if you have multiple.
• You can’t link your FB account to OpenID by logging into OpenID
• It’s hard to discover login is failing because you aren’t signed into an OpenID account.

I look forward to seeing how FB moves this forward.

How Facebook OpenID login works at a protocol level:

This is probably too geeky for most but I find it interesting so I’ll share it. Comment if you’d like to see more of this sort of analysis.

The first column is the return code 200 is success, 302 is a redirect. Second column is the DNS name, and third column is truncated request.

1) Facebook login page contains javascript that tells your browser to login to Yahoo and Google via OpenID

// Connect to FB
200    GET    www.facebook.com   

// JavaScript connects to FB Analytics system telling them what we're trying.
200    GET    pixel.facebook.com    /ajax/openid/metrics.php?metric=requestSent&immediate=true&context=background_login&openid_url=http%3A%2F%2Fyahoo.com%2F&asyncSignal=779    
200    GET    pixel.facebook.com    /ajax/openid/metrics.php?metric=requestSent&immediate=true&context=background_login&openid_url=http%3A%2F%2Fgmail.com&asyncSignal=9380    

// 2) Javascript tries to connect to Yahoo and Google OpenID Endpoints, which post results to: www.facebook.com/openeid/receiver

// 2.1) HTTPS connection to Google OpenID
302    GET    www.google.com    /accounts/o8/ud?openid.claimed_id=…

// 2.2) HTTPS connection to Yahoo OpenID
302    GET    open.login.yahooapis.com    /openid/op/auth?openid.claimed_id=…

// 2.3) Yahoo OpenID telling FB it failed.
302    GET    www.facebook.com    /openid/receiver.php?provider_id=1923581983856&openid.mode=setup_needed&…

// 2.4) Google OpenID telling FB it succeeded.
302    GET    www.facebook.com    /openid/receiver.php?provider_id=1010459756371&…openid.sig=…

// FB telling itself the Yahoo login failed (this gives FB the chance to add new paramters server side, which it does)
200    GET    www.facebook.com    /openid/receiver.php?provider_id=1923581983856&…

// FB recording stats that the yahoo login failed.
200    GET    pixel.facebook.com    /ajax/openid/metrics.php?metric=requestCanceled&immediate=true&context=background_login&openid_url=http%3A%2F%2Fyahoo.com…

// FB telling itself the Google Login Succeeded (this gives FB the chance to add new paramters server side, which it does)
200    GET    www.facebook.com    /openid/receiver.php?provider_id=1010459756371 …

// 3. If the login via OpenID succeeds, and you have a linked account you get logged into FB. (FB Logging in)
302    POST    www.facebook.com    /login.php    
200    GET    www.facebook.com    /     

The actual request if you’re feeling really geeky:

// More Details 2.1) HTTPS connection to Google OpenID

openid.claimed_id    http://specs.openid.net/auth/2.0/identifier_select
openid.ext0.mode    fetch_request
openid.ext0.required    email,first_name,last_name,country,language,dob
openid.ext0.type.country    http://axschema.org/contact/country/home
openid.ext0.type.dob    http://axschema.org/birthDate
openid.ext0.type.email    http://axschema.org/contact/email
openid.ext0.type.first_name    http://axschema.org/namePerson/first
openid.ext0.type.language    http://axschema.org/pref/language
openid.ext0.type.last_name    http://axschema.org/namePerson/last
openid.identity    http://specs.openid.net/auth/2.0/identifier_select
openid.mode    checkid_immediate
openid.ns    http://specs.openid.net/auth/2.0
openid.ns.ext0    http://openid.net/srv/ax/1.0
openid.ns.oauth    http://specs.openid.net/extensions/oauth/1.0
openid.ns.ui    http://specs.openid.net/extensions/ui/1.0
openid.oauth.consumer    www.facebook.com
openid.oauth.scope    http://www.google.com/m8/feeds/contacts/
openid.realm    https://www.facebook.com/
openid.return_to    https://www.facebook.com/openid/receiver.php?provider_id=1010459756371&protocol=http&context=background_login&request_id=1
openid.ui.icon    true
openid.ui.mode    popup

// More Details 2.4) Google OpenID telling FB it succeeded.
provider_id    1010459756371
protocol    http
context    background_login
request_id    1
openid.ns    http://specs.openid.net/auth/2.0
openid.mode    id_res
openid.op_endpoint    https://www.google.com/accounts/o8/ud
openid.response_nonce    2010-10-14T06:07:08ZPY_ztwISRBSIzA
openid.return_to    https://www.facebook.com/openid/receiver.php?provider_id=1010459756371&protocol=http&context=background_login&request_id=1
openid.assoc_handle    ...
openid.signed    op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,ns.ext2,ext1.mode,ext1.type.first_name,ext1.value.first_name,ext1.type.email,ext1.value.email,ext1.type.language,ext1.value.language,ext1.type.last_name,ext1.value.last_name,ext2.scope,ext2.request_token
openid.sig    oCFFt53s1j4rD7kGOE8x1ycZMfU=
openid.identity    https://www.google.com/accounts/o8/id?id=...
openid.claimed_id    https://www.google.com/accounts/o8/id?id=...
openid.ns.ext1    http://openid.net/srv/ax/1.0
openid.ext1.mode    fetch_response
openid.ext1.type.first_name    http://axschema.org/namePerson/first
openid.ext1.value.first_name    Igor
openid.ext1.type.email    http://axschema.org/contact/email
openid.ext1.value.email    ...
openid.ext1.type.language    http://axschema.org/pref/language
openid.ext1.value.language    en
openid.ext1.type.last_name    http://axschema.org/namePerson/last
openid.ext1.value.last_name    ...
openid.ns.ext2    http://specs.openid.net/extensions/oauth/1.0
openid.ext2.scope    http://www.google.com/m8/feeds/contacts/
openid.ext2.request_token    4/bv0-X57lya6ESvrvYG3pQiAGuSzn
openid.ns.ext3    http://specs.openid.net/extensions/ui/1.0
openid.ext3.mode    popup

Read More

Taskmgr to PowerShell: Kill A Process

You know the drill, some app freezes. You try to close it, that doesn’t work.  You fire up taskmgr, sort by name, type in the name, and then hit the delete key to kill the process.  Easy with powershell:

Get-Process | ? {$_.Name -eq "firefox"} | kill

The real power here is the composability of powershell, for example you could also debug the process.

Get-Process | ? {$_.Name -eq "firefox"} | Debug-Process

Or if you’re not sure what’s going to happen you can always pass the –whatif qualifier:

PS C:\Users\igord\Downloads> Get-Process | ? {$_.Name -eq "firefox"} | Debug-Process -whatif
What if: Performing operation "Debug-Process" on Target "firefox (8204)"

Happy Powershelling

Read More

Photo Fusing in Windows Live Photo Gallery

On my camera, I can make the self timer take 8 photos 2 seconds apart. This leaves me with a 1 in 8  chance of getting a good picture. However, using the photo fuse tool in Windows Live Photogallery, I can do a visual merge of the photos to pick my favorite part of each photo.  For example, I used the following source photos:

To created this composite photo, (To which I also applied straiten and auto fix)

That’s seriously cool!

Read More

PowerShell: Tab Complete History

If you haven’t tried PowerTab or haven’t tried PowerTab recently stop, and check it out .  PowerTab makes powershell a real pleasure to use, and might be the feature that gets me over the powershell dip.

Once you’ve installed PowerTab , you can history complete by starting your command with a #, typing some letters and then hitting tab. For example:

Read More

Batch to Powershell: Title

If you try to set the title of the window in powershell, 'title' won't work; but you can set the title using the $host object

 PS C:\> $Host.UI.RawUI.WindowTitle = "Donkey" 

You can also mess with other fun things like colors eg:

PS C:\>  $Host.UI.RawUI.BackgroundColor = [ConsoleColor]::Red 

If you're a big title user and have title burned into your muscle memory you can always create function called title e.g.:

 PS C:\Temp> function title ($t) {$host.UI.RawUI.WindowTitle=$t }
PS C:\Temp> title Donkey2 

Have fun moving into powershell.

Read More

Powershell: Returning ScriptBlocks and Closures

Powershell lets you return scriptblocks (aka anonymous functions) from functions, for example:

function generateAdder ($n)
{
    {
        param ($x)
        $n+$x
    }
}

 
PS C:\> $add4 = generateAdder 4
PS C:\> & $add4 7
7

If you've used languages with closures you'd have expected to get back a function that adds 4 to a passed in value. You'd expect that because $n=4 was in lexical scope when we created the scriptblock to be returned. Recall powershell is dynamically scoped so we don't need to bind ($n) to a lexcial location, instead we can pick up $n from our current environment:

PS C:\> $n = "Hello"
PS C:\> & $add4 7
Hello7

What if you want to instantiate a closure with powershell instead? Luckily someone thought of that and you can do:

function generateAdder2 ($n)
{
    {
        param ($x)
        $n+$x
    }.GetNewClosure()
}

PS C:\> $add4 = generateAdder2 4
PS C:\> & $add4 7
11

Leave a comment if you use these features, I’m curious what you’d use them for.

Read More

Batch to Powershell: dir /s

I often go looking for a file in batch, aka

c:\Program Files (x86)>dir /s fsi*
     Volume in drive C has no label.
     Volume Serial Number is 8EDE-D64E

     Directory of c:\Program Files (x86)\Microsoft F#\v4.0

    03/19/2010  02:02 PM           230,216 Fsi.exe
    09/30/2009  08:08 PM               158 Fsi.exe.config
                   2 File(s)        230,374 bytes

Unfortunately this doesn't 'just work' in powershell. A quick search on the internet shows in powershell 'dir /s' becomes 'dir -r', but the following doesn't work either:

PS C:\Program Files (x86)> dir -r fsi*
PS C:\Program Files (x86)>

What's going on? Let's check the help:

PS C:\Program Files (x86)> help dir

NAME
    Get-ChildItem

SYNOPSIS
    Gets the items and child items in one or more specified locations.


SYNTAX
    Get-ChildItem [[-Path] ] [[-Filter] ] [-Exclude ] [-For
    ce] [-Include ] [-Name] [-Recurse] [-UseTransaction] []

    Get-ChildItem [-LiteralPath]  [[-Filter] ] [-Exclude ]
    [-Force] [-Include ] [-Name] [-Recurse] [-UseTransaction] []

Ahh, path and filter are two separate arguments in powershell. This means we get 2 choices.

A) Pass a path to the dir command (pass ‘.’ for current directory):

PS C:\Program Files (x86)> dir . fsi* -r

    Directory: C:\Program Files (x86)\Microsoft F#\v4.0


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         3/19/2010   2:02 PM     230216 Fsi.exe
-a---         9/30/2009   8:08 PM        158 Fsi.exe.config
PS C:\Program Files (x86)>

B) Explicitly pass the -filter argument name (which we can abbreviate to -fi)

PS C:\Program Files (x86)> dir -r -fi fsi*


    Directory: C:\Program Files (x86)\Microsoft F#\v4.0


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         3/19/2010   2:02 PM     230216 Fsi.exe
-a---         9/30/2009   8:08 PM        158 Fsi.exe.config    
PS C:\Program Files (x86)>

OK you’re thinking who cares, I can still do dir /s faster in batch? Ah, but you can’t do this:

 PS C:\Program Files (x86)> dir -r -fi fsi* | Where-Object {$_.Length -gt 200KB}


    Directory: C:\Program Files (x86)\Microsoft F#\v4.0


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         3/19/2010   2:02 PM     230216 Fsi.exe
PS C:\Program Files (x86)>

Have fun, and remember read the docs when things don’t work as you’d expecxt:)

Read More