Hueniverse

Explaining the OAuth Session Fixation Attack

2009-04-23T00:37:16-07:00

There is a pretty good story behind this. That is, how we found and managed the OAuth protocol security threat identified last week. In many ways, the story is much more important and interesting than the actual technical details of the exploit.

For everyone involved, this was a first-of-a-kind experience: managing a specification security hole (as opposed to a software bug) in an open specification, with an open community, and no clear governance model. Where do you even begin?

But right now, I know you want the technical details.

If you are reading this, I assume you have a basic understanding of how OAuth works. If you don't please take a few minutes to read at least the first two parts of my Beginner's Guide to OAuth.

The first part will give you a general overview and second will take you through the user workflow. It is the workflow that is important here. The rest of the guide deals with security and signatures, but the content of these posts, surprisingly, is not involved in this attack.

I'll start with what this attack is not about; it does not involve stealing usernames or passwords; it does not involve stealing tokens, secrets, or Consumer Keys; in fact, no part of the OAuth signature workflow is involved. This is not a cryptographic attack. And it does not violate the principal of a user granting access to a specific application. All that remains intact.

You might think I am stalling, but it is critical for people to understand both what is broken, as well as what is still secure (that is, no known exploits identified). It is important because even after this is made public, there will be plenty of OAuth-powered services up and running and I want you to feel safe using them.

Understanding the exact details of security threats is important in order to prevent exploits and fix the specification. But it is equally important to know what is working well and can be trusted.

For example, many applications use OAuth for 2-legged requests that do not involve user authorization and are unaffected by this threat. As a community effort, a big part of our work is to build adoption and support for the protocol. We need to fully disclose threats, and also make sure the reputation of the protocol is not damaged by misunderstandings and speculations.

The identified threat is a session fixation attack, empowered by a social engineering attack. The basic idea is that an attacker tricks an application using an OAuth API (a Consumer) to give it access to someone else's resources (via an Access Token). The attacker never gets the Access Token itself, just the ability to use the application. But since the application has the Access Token, the attacker can use it to access the victim's resources.

The OAuth authorization workflow consists of three steps:

The user initiates the flow by requesting the application to access his resources. This triggers the application to request a Request Token from the provider and redirect the user to the provider for authorization.
The user signs into the provider and grants access to the application. If the user is educated about phishing attacks, he can verify that he is in fact giving his password to the provider and no one else.
After granting access, the user is redirected back to the application to complete the flow and enable it access to his data.

The only thing that binds these three steps together is the Request Token in the authorization URI and callback URI. In both cases, the call is not signed and easy to guess. The problem is, there is nothing at all to enable the consumer or provider to ensure that these three steps are performed by the same user. While the application can use cookies and other session management tools to ensure that the first and last step are performed by the same user, it has no way to make sure the middle step is the same as the first or last.

A normal OAuth Flow looks like this:

An attacker starts the process by using an application account and asking to initiate the flow, which results in the application obtaining a Request Token and redirecting it to the provider. At this point, the attacker stops and takes note of the Request Token included in the redirection URI. The attacker may also modify the callback but we will get to that later.

The attacker then uses social engineering to trick a victim into following that link (the authorization URI from the redirection). This can be as simple as a blog post with a review of the application, inviting people to try it out. When someone clicks on that link, they are sent to the provider to authorize access.

Since this is what he wanted to do, the victim will not realize that he should have started at the application itself, and will continue to sign into the provider. Because of how we train people to look for phishing attacks, even an educated user will notice that he is at the right place.

The provider will then ask the user to grant access, identifying the right application. This will increase the comfort level of the user, since so far, everything checks out. The right provider and the right application. But as soon as the user grants access, the attacker can construct the callback URI (from either learning how the application works or from the callback parameter provided in the redirection URI) and return to the application.

At this point, the attacker's application account is associated with a valid and authorized victim Access Token. Remember: the attacker does not have the Access Token or any of the secrets. It was never in possession of the Request Token secret, and it does not make signed OAuth requests. All it has is an application account associated with the victim's resources.

The Attack Flow looks like this (simplified):

Let's talk about callbacks a bit. OAuth includes an optional callback parameter allowing Consumers to set a callback when they send the user to the provider for authorization. Providers can implement callback support in a couple of ways:

Allow any callback at all.
Allow any callback within a pre-registered (and verified) domain.
Allow only a static pre-registered callback and ignore the parameter.
Not allow callbacks at all, requiring manual user action.

If the provider uses the first option, the attacker can simply change the callback. Remember, the authorization step is not signed, allowing the attacker to change the callback parameter. This will send the user to a page controlled by the attacker, letting it know when it can go back to the application and finish the job.

If the provider uses the second or third option, this becomes a race condition as to who will make it back to the application first: the attacker of the victim. Now, since the attacker has no way of knowing exactly when the user grants access, it will have to try multiple times until it works. It is up to the Consumer application to handle such brute force attacks properly by voiding the entire transaction. But this requires the application to expect and handle this case.

Another point to consider in the second option is that sometimes domains have an open redirector which will redirect a request based on a given parameter. For example, this is done to count how many people click on ads or outbound links. An attacker can use such redirectors to set the callback to a URI at the pre-registered domain, which in turn will send it to an attacker controlled site.

If the provider uses the fourth option, it is similar to the previous two, but the race condition becomes a lot easier since it will take the victim longer to go back to the application (no automatic redirection back). Also, in manual 'press here when done' cases, applications tend to allow multiple attempts because users make more mistakes. In such cases, the application will simply try to exchange the Request Token with an Access Token and will fail until the access is authorized by the user. If the provider doesn't void the transaction on the first failed attempt, it increases the exposure.

Now, we talked about the attack and we talked about callbacks. But that is not all.

Even if the attacker doesn't get to be first to return to the application or find out when access has been granted, the application may have a critical design flaw. Some applications use the identity of the user who started the flow when they associate the Access Token with the local account. What this means is that even if the victim is the one to return to the application, the application will still attach his Access Token to the attacker account because it will look up the Request Token in the database and use that information to continue.

If we put it all together, even if an application:

Makes sure to use the account of the user coming back from the callback and not that of the one who started
Checks that the user who starts the process is the same as the one who finishes it
Uses an immutable callback set at registration

It is still exposed to a timing attack trying to slide in between the victim authorizing access and his browser making the redirection call. There is simply no way to know that the person who authorizes is the same person coming back. None whatsoever.

And that's pretty much it.

To get you started thinking about a solution, a few community members are thinking about fixing this by adding an unpredictable callback parameter generated at the Service Provider to the callback URI on return. The Consumer will need this new extra parameter to exchange the Request Token for an Access Token, ensuring that the real user has to return to the application to complete the flow.

We'll meet back here tomorrow to continue talking about ideas on how to fix it with a protocol revision. Meanwhile, think about this for a bit, join the conversation on the OAuth mailing list, talk about it with your coworkers, or blog your thoughts.

Be safe.

Brian Eaton, Dirk Balfanz, and Chris Messina provided valuable feedback to this post.

Introducing 'Sign-in with Twitter', OAuth-Style "Connect"

2009-04-16T23:59:00-07:00

Yesterday Twitter released 'Sign-in with Twitter', the ability to use Twitter as a delegated sign-in provider for third-party websites. The cool thing about this new feature, which is part of their OAuth API beta, is that it is completely standard OAuth. No extensions, not secret sauce, and not another proprietary provider (yes, I'm looking at you Facebook).

It is Open done right.

With this small enhancement of the Twitter OAuth API, Twitter created a product that directly competes with Facebook Connect. The implementation details are significantly different (and there are some technical shortcoming on both sides), but there is little you can do with one and not the other. There is no reason why 'Sign-in with Twitter' cannot be used anywhere Facebook Connect is offered, including blog posts and activity streaming.

The premise of the new feature is simple. Twitter applications depend on Twitter data and services for their operation. They usually extend Twitter's functionality, or offer an improved aspect of the service (photos, search, recommendations, etc.). These applications exist, more than anything else, within the context of a Twitter account. Since they already depend on their users having a Twitter account, they should not need to force their users to create yet local another account for their service.

When Facebook introduced their Connect product, they offered sites two key features: the ability to use existing Facebook accounts for their own needs, and access Facebook social data to enhance the site. The value of Facebook Connect is to save sites the need to build their own social layer.

What Twitter is doing with 'Sign-in with Twitter' is very different. They are giving sites already tightly integrated with their service, a way to delegate authentication with practically zero cost. In other words, if you implement the new Twitter OAuth API, you get 'Sign-in with Twitter' for free. It is not about yet another layer, but doing more with that you've already got.

The new feature is designed to fill in the gap between Twitter's current API (using plaintext passwords) and their new OAuth API, which no longer lets users enter their password into third party applications. Many Twitter applications such as TwitPic use Twitter's API as a delegated authentication provider. The way this works is that they ask users for their Twitter username and password, and then use these credentials to make an authenticated API call. If the call is successful, they know the user is really who they claim to be and let them use the service.

'Sign-in with Twitter' offers these sites the ability to do this right. The sites will no longer need to handle Twitter passwords, store them, protect them, and deal with the legal consequences. But they will also get an improved user experience that will explain to users what is going on, and in most cases, will work smoothly with a single click.

Instead of the username and password text boxes, sites will use the new 'Sign-in with Twitter' button:

Is this Another Competitor to OpenID?

While many people will focus on the Facebook vs. Twitter aspects of this new feature, some will surely see this as another problem OpenID will need to deal with. This might sound like a perfect use case for OpenID, but it is not.

OpenID is often described as a single-sign-on solution, or "the last username and password you will ever need". OpenID is a federated authentication protocol - a protocol where users can use credentials from any compatible provider who can "speak" the OpenID protocol. But in this case, not any account will do. Twitter applications need Twitter accounts.

It is important to understand that there are two different kind of single-sign-on solutions: delegated and federated. All the recent comparisons between OpenID and Facebook Connect failed to appreciate this fundamental difference. Facebook Connect is a delegated authentication service, while OpenID is a federated authentication service. They might offer very similar features, but they are very different.

A delegated solution means that one site is simply outsourcing its authentication needs to another pre-selected site. If your site uses Facebook Connect, you are delegating your authentication facilities to Facebook. Visitors to your site cannot use any other accounts, only accounts from the vendors you have pre-selected.

A federated solution means that visitors to your site can use any account they have, as long as it is compatible. It makes no difference to the site which account is being used, as long as it can interoperate. At its core, OpenID is a federated solution because its most important feature is the ability to use any OpenID account with any OpenID-enabled service.

A good example is stores accepting credit cards. A store that accepts any Visa card is using federated payments - payments from any account that "speaks Visa". But a store that accepts only credit cards issued by a specific vendor, for example, a department store branded card, use delegated payments. The reason why you no longer see many stores accepting only their own credit cards, is because it is bad for business.

But not every OpenID implementation is federated, and this is the big dilemma OpenID has to resolve.

The question is, can users use any account they want? If a site uses the Yahoo! OpenID service by using the Yahoo! button:

but does not offer the ability to use other vendors, it is really just another delegated solution, even if it is powered by OpenID under the hood. In this case, OpenID becomes just a technical detail of the implementation, not part of its design.

Much of the recent discussion about OpenID usability centers around using brands as a way to make the service more usable. But the problem with this approach is that is takes away most of the federated value out of OpenID, leaving it simply as a common protocol to implement proprietary delegated services. When implemented this way, OpenID adds no real value to services with an OAuth API.

The question which solution to use for sign-in, OpenID or OAuth, is very much application specific. If you are building a brand new site that needs accounts, and want to leverage existing accounts from services such as Google, Yahoo!, and Microsoft, OpenID is a great option that will give your users a lot of flexibility. But if you are extending an existing service, implementing a specific API and building a site that has great dependencies on another service, OAuth gives you everything you need, for very little extra work.

It is all about using the right tool for the job.

Old Thoughts on Microblogging Business Plans

2009-04-05T06:30:00-07:00

It has been a year since I decided to put my startup Nouncer on hold and join Yahoo!. It has been fascinating to witness Twitter's renewed media attention and recent growth, and it has inspired me to go back to my old posts about trying to run such a business.

The following are three posts on the subject:

Waiting for Google

There are 2 main consumer-facing business models: membership fees and advertisements. Fees are nice if you can pull it off, but I doubt anyone is going to see a revenue stream from micro-blogging service fees anytime soon (Pownce offers bigger files for a fee). If one does it, the others will give it for free. This might change when the competitors have many users to afford giving something for free but then again, you can always count on Google to step in and offer even more for much less. The problem with advertisements is simple – micro-blogging is not web-centric. Most of the time, people use it on other connected devices such as mobile phones, PDA’s, or their instant messaging client...

Early Thoughts About a Microblogging Business

While archiving the documents used to plan and implement Nouncer, I came across the original document written a little over two years ago (with some minor more recent revisions). It details my service plan, ideas for patents and trademarks, the original name for the service ‘JabAbout’, and a long list of features. It also includes the initial thoughts on the architecture and technical challenges...

Playing with Numbers: A Microblogging Business Model

Building a business out of a microblogging service is not a trivial task. There has been a lot of chatter regarding Twitter’s eventual monetization, but so far the only people who made money off microblogging are the Jaiku founders when they sold the business to Google. I have written before about the difficulty of monetizing microblogging, but difficulty is something to overcome, not a brick wall. This model is an attempt to figure out the different options of running such a business...

Quick Weekly Recap

2009-04-04T20:04:36-07:00

This was a light blogging week with mostly short posts. They included an invitation to attend the upcoming Internet Identity Workshop, clarifications to help those implementing OAuth on the server side, announcement about OAuth being nominated for a Webware 100 award, call for action in the Open Web Foundation, and some advice on versioning specifications.

I will be in traveling to New York, New Jersey, and Virginia over the next 10 days. Hope to see a lot of my New York friends while I'm there.

On Versioning Specifications

2009-04-03T19:34:00-07:00

With a growing number of new specifications being published by first-time authors, I think it is important to pay attention to when should a specification carry a version number. For most people, giving a specification a version is a sign of forward thinking and planning for future revisions. But not every specification should have a version number.

There are no hard rules for giving technical specifications a version number. Note that I am focusing exclusively on technical specification, those with the clear objective of enabling interoperability. But there are some basic guidelines:

The specification itself must have a mechanism to indicate which version is being used. If the specification includes a protocol, there should be a parameter with the version number, or at least a default version in lack of such indication. If the specification includes a schema, that schema should have a clear namespace or version.
Seperate the document name from the protocol version. The specification name should not always carry a version, even when its protocol or schema have a version. A specification that does not modify the way a schema is interpreted or a protocol interoperates, does not need a version number. For example, there are multiple RFCs describing HTTP 1.1. While they differ in their language, they do not each carry a version number. Instead, they have unique names which are only used for referencing the documents, not the protocol.
Specifications that extend an existing versioned specification should bind themselves to that version and not come up with their own. For example, if you are writing an OAuth extension that is written against OAuth Core 1.0, don't version your specification seperately (unless it has its own seperate version parameter per guideline #1). Simply indicate that this extension is limited to specific versions of the core protocol.

Building the Open Web Foundation

2009-04-02T00:14:20-07:00

Next month will be a year since the work on creating the Open Web Foundation started. It has been 8 months since the initiative was unveiled at OSCON 2008, and six months since the legal entity was created and work began on the legal framework for specifications.

We accomplished a lot during this time. Not so much in hard deliverables, but in building industry-recognized momentum and starting to change the way individuals and companies think about community-driven specifications and light-weight standards. Over the past couple of months, members of this community have been invited as experts to talk to well respected and established standards bodies, and explain this work. This is not a small accomplishment.

Most of the current work is focused on delivering a legal framework communities can use to write specifications in a way that will allow large and small companies to use them. Adoption, after all, is what specifications are all about. We formed the Legal Affair Committee with individuals representing a wide range of positions, some their personal views while other of their corporate employer. The committee has been focusing on producing the first Open Specification Agreement document and we have a working draft that we hope can be finished in the next few weeks.

I strongly believe that in order for this organization to have a respected voice, it has to have some form of open government, that is more than just 8 self selected individuals. The Open Web Foundation board needs to vote before any legal document can be published as an official document. This means that as soon as the Legal Affairs Committee is ready to submit a document to the board, we need to have an elected board ready to ratify it.

It is also time to rethink the purpose of this organization and consider better aligning it with some of the expectations the community had when it was announced. I am not suggesting anything radical, but there are obvious needs that can be accommodated without betraying the original goals. I think the two needs: to put in place an elected board, and to realign the purpose of this entity, can be accomplished with one plan, by moving forward and establishing a foundation membership.

As the name suggests, this organization is about the Open Web, the platform the web is built upon. This includes specifications, technologies, ideals, ideas, and people. We have been focusing on a subset of the ground floor: specifications. But there are other areas where we could expand such as evangelism, education, resources, and building a home for people to discuss these topics.

We have a chicken and egg challenge. How to select the right membership before the goals are clear, and how to define the goals, without a larger membership. I much rather begin by increasing participation than having 8 people make decision. I trust that smart dedicated individuals coming together will figure out the common cause, and if they don't fit with the majority's direction, will step aside un-offended.

I am going to propose a plan, and after some discussion on this list, will ask the board to vote on it. I think it is absolutely essential that we debate this out in the open in the most inclusive way possible. However, since we have a legal organization with well-defined bylaws, it is important that we use that framework to cast votes and make decisions. It is also important we act quickly.

Please join the discussion.

OAuth Nominated for CNET's Webware 100 Awards

2009-04-01T15:51:25-07:00

OAuth was selected as a finalist in the Infrastructure & Storage category in the 2009 Webware 100 Awards. I consider this nomination as a recognition of the incredible accomplishments of the OAuth community and the record-breaking adoption of the OAuth Core 1.0 protocol. Voting is open until April 30th, so go vote...

Clarifying OAuth Requirements for Service Providers

2009-03-31T16:36:00-07:00

Its never good when specifications are read like the bible, where people find in it what they want.

Over the past few months I have been getting many questions about requirements in the OAuth Core 1.0 specification, as well as finding significant issues with existing implementations. I agree that the specification isn't clear on many of these issues, but until we have a replacement, I hope this list would help.

Nonce

Consumers are required to generate a unique nonce value for each request with the same timestamp:

"The Consumer SHALL then generate a Nonce value that is unique for all requests with that timestamp." (Section 8).

However, there is currently no requirement for the Service Provider to check or enforce the nonce:

"When verifying a Consumer signature, the Service Provider SHOULD check the request nonce to ensure it has not been used in a previous Consumer request." (Section 9)

For those not intimately familiar with RFC 2119, SHOULD means:

"that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course."

There are plenty of places where APIs don't need to worry about replay attacks, the only attacks solved by checking the nonce. For example, requests over HTTPS or non-confidential read-only requests don't benefit much from using nonces. APIs for ordering pizza, on the other hand, do.

Developers must consider the threat model and security requirements of their applications, and if checking the nonce adds value, they should do it. However, this requirement is likely to change in future versions (making nonce checks mandatory).

Parameter Transmission Methods

OAuth defines three methods for including OAuth parameters in the HTTP request: URI query, form-encoded body, and HTTP Authorization header. Many providers assume that they can pick and choose which methods to support. This is wrong.

Now, granted, the specification does an awful job making this clear. First, it has some contradictions, and second, it does not use normative directives (MUST, SHALL, SHOULD, etc.) to define the required behavior.

The Consumer requirements, even though they lack normative directives, specifically calls for using one of the three methods:

"OAuth Protocol Parameters are sent from the Consumer to the Service Provider in one of three methods" (Section 5.2)

This implies two things: the Consumer must only use one method at a time, and can pick any of the three and expect it to work. If the server offers additional methods, they Consumer may use those as well:

"In addition to these defined methods, future extensions may describe alternate methods for sending the OAuth Protocol Parameters."

But then the specification contradicts itself:

"It is RECOMMENDED that Service Providers accept the HTTP Authorization header."

So what we have here is an implicit requirement for Consumers to use one of three defined methods, and allowing Consumer the freedom to use either one (with an order of preference defined), but allowing the Service Providers to omit HTTP Authorization header support. This is broken.

This problem has been made worse by the OAuth Discovery specification which made the methods a matter of configuration. Note that listing which methods are supported is not listed in the configuration documentation requirements of the core protocol.

For lack of better guidance, I would offer this:

Providers must support all three methods. Consumers should use the first method available to them from the list (in the order listed). If a Consumer request fails due to unsupported method, it should attempt making the request with another method. Providers should avoid coming up with new parameter transmission methods until this issue is resolved.

I expect future versions of the specification to require a basic set of methods from all servers, and would personally like to see the Authorization header as the primary method.

OAuth Parameters

During the specification development process, we had several discussions about parameter names and restrictions. OAuth parameters start with the 'oauth_' prefix, while server specific parameters don't.

The two main areas of confusion are:

What prefix should extensions use?
What should providers do with unrecognized parameters?

The specification offers a few hints:

"OAuth Protocol Parameters" are defined as "Parameters with names beginning with oauth_." (Section 3)

"Service Provider specific parameters MUST NOT begin with oauth_." (Section 4.2)

"OAuth Protocol Parameter names and values are case sensitive. Each OAuth Protocol Parameters MUST NOT appear more than once per request, and are REQUIRED unless otherwise noted." (Section 5)

Putting this all together, the specification allows extensions to define new 'oauth_' parameters. It only restrict server-specific parameters from using the prefix. In other words, if the behavior isn't server-specific (i.e. plays well with others, interoperable), it is acceptable and allowed.

However, such extensions are still restricted in their use of 'oauth_' parameters:

Parameters names and values are case sensitive
They cannot repeat
Are required unless explicitly noted otherwise.

So to answer the first question, extensions should use the 'oauth_' prefix (and not 'xoauth_' or other such proposals). Individual services should not use it to define their own, incompatible, proprietary extensions.

This provides us with the answer to the second question. Providers should ignore any 'oauth_' parameters they do not recognize. They should not fail the entire request just because it includes an unknown 'oauth_' parameter. They should however, include such parameters in the signature and verify they have not been tempered with.

Want more proof that this is the specification's intention? Section 10 defines a few error conditions:

Unsupported parameter
Unsupported signature method
Missing required parameter
Duplicated OAuth Protocol Parameter

Note that the first three errors are generic and talk about parameters in general, not just 'oauth_'. The last error is specific to 'oauth_' parameters. This is intentional. Note that there is no error for unknown OAuth Protocol Parameter.

OAuth intentionally includes a protocol version. This version is meant for two primary objectives:

Define the meaning of 'oauth_' parameters listed in the specification
Define the signature workflow

Any parameter undefined by OAuth is not allowed to change how the protocol works. It may add additional functionality but it will not affect how the core protocol is implemented. This is important because it means providers can safely ignore unknown parameters without introducing security issues within the core protocol.

The reason why I want servers to simply ignore unknown 'oauth_' parameter is because I expect new extensions to introduce just such parameters. If providers hard-code which parameters are valid today, they will create problems when new Consumer libraries add such support.

Internet Identity Workshop, the Identity Geekfest

2009-03-30T06:30:00-07:00

There are few events more productive than Internet Identity Workshop.

And few that I enjoy quite so much. I'm an engineer at heart, even though these I play a pseudo-lawyer and write specifications. While I enjoy the meta conversations about the social web, I love talking code. The real thing, like working with a group of people on a new XML schema using a whiteboard, or walking through use cases and designing protocols. Ultra-geek stuff.

IIW, now in its 5th year is the central event for the identity community which includes OAuth, OpenID, XRD, Discovery, as well as the political and social conversations about them. It has been the place where OAuth Discovery was first discussed and shaped, where LRDD was presented and got its initial momentum, where XRDS turned into XRD, and where Yadis and many other OpenID ideas and proposals came from. And this is just the stuff I obsess about.

The event is an unconference like BarCamp, where the participants set the agenda, and what you have to say is as important as what you came to listen to and learn from. If you care about this space, and find this blog interesting, IIW is a must.

The next event, IIW2009A (there are two a year, usually May and December), is May 18-20, 2009 at the Computer History Museum in Mountain View, California. With everything going on in the identity space, it promises to be a great and productive event, even more than past years. I will be there presenting the latest specifications, ideas, and developments in OAuth, Discovery, XRD, etc. and plan to get some work done.

For more information, visit the event site, and if you register by April 1st, the fees are greatly reduced. And don't forget to come and say hello.

Sunday Morning Cleanup

2009-03-29T00:17:31-07:00

I am working on some new designs for this blog, trying to transition it into a more persistent online resource for the subjects I care about: OAuth, Discovery, Open Web, and Microblogging. This will include a new look, custom pages for each topic, and the usual house cleaning.

The first step was to review every blog post I wrote over the past two years and recategorize them. The idea is to make the categories a useful tool to stay up-to-date with the topics you care about. On the right side of this blog you will find the 'Categories' tool which shows (in font size) how prominent this topic has been over the past two years. It also provides a link to the posts in each category.

Here are some of my categories: