Will Facebook Become the Net's SSO?
lordDallan writes "Simson Garfinkel at MIT Technology Review muses on the idea of your Facebook account becoming an 'Internet Driver's License', ruminating on the idea of an individual's Facebook login becoming their single sign on for the web. I say NO THANKS!!"
Coolest. Name. Ever.
Just because you use it as your login, does not mean you have to use legitimate information to sign up. Get with the program.
so it's fine with me. The chumps will be lining up.
My single-site login would be the sound of silence, as I have no Facebook account.
...but I kind of do now.
I'm still not using Facebook.
If FB becomes the Net's SSO, it better have the following features, or else people are betting their privacy and reputation on something quite unproven:
1: Ability to have two factor authentication. OpenID isn't perfect, but one can use a VASCO token with it. The cream of the crop would be SecurID tokens. Of course, using SMS or apps on Android/iOS/BlackberryOS/etc. would be useful too.
2: If a site asks for authentication via FB, a way to ensure that the login page is genuine. PayPal is good at this. I worry about people getting spoofed by an SSL page with a FB login that isn't really from FB proper.
3: Better password recovery in case tokens get lost/stolen. At the minimum, better questions than "what is your dog's name?" Of course, the answers to these are stored as mentioned in #4 here.
4: Solid password storage. Crypto 101 here: You never store a password. Ideally, you never store a result value. What you store is some known text encrypted with the password hash (hashed a number of times to slow down brute forcing). TrueCrypt's password mechanism is the best out there.
5: A third party vetting this security mechanism. This doesn't need to be FIPS compliant (it should be though), but at least have some validation from an independent source that the authentication is done right, the data center is secure, etc.
6: SSL with all contact throughout the authentication process. This is a basic thing, but for performance reasons, sites don't like using SSL unless forced to.
7: Ideally, posting the SSL keys on some other source, so one can tell if a CA is spoofing the cert or not.
8: It's corny, but consider a unique login picture per user that is used at some sites, Yahoo being the most widely used. This way, when you enter your username, if you don't get the picture, you likely got phished.
9: Store passwords of unlimited length. I've seen too many sites which ignore any characters after the eighth one.
10: Have the ability to turn off third party logins either temporarily or permanently. For example, if one is going on vacation with no Internet connections, the ability to disable SSO logins until they come back is a solid security measure.
Getting tired of facebook and the attention whores who live there. Now they want it to be an SSO. Hey let's put all our eggs into a single basket, make everything depend on this single site that we don't actually control that can delete our accounts or pull its content anytime they want. Oooh ooh, and you surrender all control of anything you upload to it as a bonus which you'd know if you actually read its ToS/privacy policies! What could possibly go wrong if we used this as our SSO? Not a damn thing that's what. Proceed. Carry on. When it blows up in your face or an outage proves to you why over-reliance on a single site is a Bad Idea(tm) you'll understand why the rest of us didn't want to.
There's nothing novel or technically interesting about Facebook. It is not the be-all and end-all of useful tools. It's a way to build a vanity page for people who are too lazy to learn HTML. The appeal to lazy stupid people who hate learning something new is the only reason it became known to the mainstream popular media. That's all it is and ever was. End of fascination. Can we stop trying to find uses for it that have nothing whatsoever to do with its intended purpose? I mean hammers make wonderful paperweights but they're a lot more useful for driving nails.
I look forward to the day when conscious thoughts will be relegated only to those with thought licenses. Everyone else will be given a continuous IV drip of Lunesta.
Hehe, and we will look fondly back on the days when we thought having an embarrassing DMV picture on your driver's license was a problem.
I don't know if we could honestly implement this in any serious way. I know that 90% of what I post to Facebook is little more than crap, lies, and flamebait to prank my friends on the internet. There's nothing like watching one of your good buddies get all worked up over a Youtube video that doesn't really mean anything. Most of my FB contacts are aware of the nature of my profile, and, therefore, take my senseless BS tongue in cheek so it works out okay. If that profile starts being used as some sort of license (to do what exactly, access internet content?) then that license is going to be issued to a person that is fundamentally different in all dealings, social or otherwise, than the person that I am face to face, or, hell for that matter, different than even my Slashdot user account.
One of my coworkers likes to say that the thing people tend to forget is that the internet isn't real. I would say that goes doubly so for user made pages like Facebook, where you can post whatever you want after a healthy dose of Photoshop, trolled Wikipedia references, and sketchy video editing techniques.
Motorcycles, Robots, Space Gossip and More!
Following RSS feeds to various tech, entertainment and news sites and various links out from them has shown an alarming increase in my FB account effectively logged in to sites I've never been to before. I've no idea what kind of tracking the host site has and what level of info FB's APIs are giving them. Hmm, no thank you, but thanks! Seeing this alarming trend finally gave me the drive to disable the FB account. Funnily enough, I've not missed it and no longer bother wasting time viewing irrelevant posts from "friends".
Last I heard there were over 500 million Facebook users, including something like 85% of everyone in the United States.
I've found that when I talk to younger people now and we will exchange contact info, they don't want my email address. They want my Facebook contact, which I don't even *have*, and then they look at me like I'm from Mars. Who doesn't have a FB page these days? It's like not having a computer, almost, as far as they are concerned.
Increasingly FB is becoming the de facto standard way for people to communicate online. Do I like that? Not really, but that doesn't make it any less true. People keep in contact with friends, family, professional contacts, and more on FB. For better or worse, that's the reality of it.
11. Allow multiple accounts/personalities. Currently Facebook's terms of services do not allow this, and this is a must for an internet SSO in my opinion.
If FB becomes the Net's SSO, it better have the following features, or else people are betting their privacy and reputation on something quite unproven
So we can pretty much assume that people will sign up for this by the million...
Microsoft issued me a Passport in about 1995.
It gets me into everything...that Microsoft controls that links up with it. Which is to say, a lot of stuff I haven't logged into since about 1995.
It's not like there have ever been privacy concerns about FB, and it has never sold us out to advertisers (or anyone else for that matter), right?
Web 1.0 didn't sell much of anything; it was OUR web. Web 2.0 is when the corporations took over.
Free Martian Whores!
"...whether the Internet needs an "identity layer"—a uniform protocol for authenticating users' identities..."
Supplied by a top-5 candidate for privacy destruction? So we've had big computing companies battling it out to be the Web Gatekeeper, and they want to go "C-Other-Give it to Facebook" ?!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
I am posting anonymously because he knows me and I know him
Simson is brilliant and understands technology well, but he is one of those people for whom you "have to hold the bus" as another article puts it.
He tends to get too excited about technology and he misses many of the human factor issues.
For example here he gets all excited about using Facebook as a form of identification, but then he points out that Facebook is very quick to revoke your account. What good is identification if it can be revoked? If it really is "identification" then everyone needs to have it. Hey Simpson, did you forget about that?
The entire user-base of the Internet actually includes a significant number of people with clue. They are not going to go for this. So, a SSO for the clueless? Maybe, but nothing approaching the "driver's license" bar for credibility.
HELL NO
NO.
No, no, no, no, no, NOOOOOOO NO.
NO!!!!
I'd argue against this, but it's just such a giant pile of fail I don't know where to start.
How about this; like hell am I handing Facebook access to every other account I own.
Did I mention... NO?
Why the hell would you give a privately owned company, based in a single country, the right to hold Internet users' single login "license"? Why? Even with the all those features you require.
That you would even consider allowing any entity (especially FB) to be the chokepoint for internet access means you should have your internet drivers license revoked, your internet driving privileges suspended indefinitely and your peepee should be whacked. Hard. Please turn your computer off, go away and don't come back.
~ Posting A/C ever since /. mods went to shit
Didn't Microsoft already try this idea, but the other social networking sites have just left them in the dust. This is almost like Microsoft's VMs. When I heard of that I said, yeah, we call that time sharing and we had it in the early 70's with minicomputers. Now that microprocessors grew into that power footprint, they re-discovered an old technology. History does repeat itself in a never ending spiral. One hopes not a death one.
The idea that it might become in any way necessary is ridiculous.
That would kind of be like someone deciding that all tolls should now be paid by text messaging. Yeah, a lot of people text while driving, but not those that know what they are doing. You don't empower an idiotic action.
excitingthingstodo.blogspot.com
Seriously? On what planet do you live in which anyone with even a quarter of a clue would entrust their entire authentication service to Facebook?
You want single sign on? It's already there. It's called Kerberos, when coupled with a proper DNS setup it provides global SSO, in a secure manner, without handing it all off to one company that everyone has to depend on and everyone gets fucked when they break or get hacked.
Browsers support Kerberos.
Many apps (at least the ones where security actually matters) support Kerberos.
It's cross-platform.
It requires practically 0 setup for a user NOW and with even slightly better application integration it can be brought down to 0.
It doesn't require that I trust people trying to authenticate me with my password. If I want to login to Facebook using my work user account, Facebook never gets my authentication tokens or anything even remotely resembling them, they just get a ticket we share for that session.
It's tried and true and was designed for this purpose.
Again, it doesn't depend on any one provider, it works the way the net was supposed to work.
Kerberos is the net's SSO, it's just ignorance like this article and companies who want to keep you locked into their systems are trying hard to ignore it.
We already have SSO, no one uses it.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
This would be a very bad thing, for so many reasons.
I created a FaceBook account just to prevent others from doing so with my name, with no intention of using it. I never posted a thing, never "friended" anyone, never engaged in any activity whatsoever. Yet all of a sudden when I visit unrelated sites, I'm being greeted by the Facebook account name in various banners, etc. through Facebook's tracking. Deleting the account was a nightmare. I've had to use AdBlock and other anti-spyware software to block *.facebook.com, and I'm sure that even that is insufficient. Facebook has a profile on me, and you just and simply cannot opt out.
In absolute seriousness. I'd sooner trust Ballmer or Ellison than Zuckerberg, and I'd rather not have to trust any of them.
Everybody gets what the majority deserves.
Way overcomplicating things...
Add RSA key generation and X.509 issuing as standard on all browsers. Provide easy tools for copying these keys & certificates around. Present them when connecting to a web site. Bingo, website knows you're the same person that last presented that certificate, in a secure fashion, with no/minimal user interaction required.
Oh, and the remote site can't fake your credentials from what you sent them.
I wish people would stop thinking this is useful.
Any phishing site worth its weight in salt will simply pull in your picture from the real site and display it to you.
I've created example sites to demonstrate this very issue with Bank of America's system which does this.
The picture is essentially public information since you don't have to actually authenticate in order to see it, so anyone can see it and redisplay it to you.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Is it really that much work to expand the acronym SSO so people know what it is?
I don't know what's worse, having a web SSO service offered by a for-profit, or having one operated by the government.
It won't become the internet's SSO, simply because it requires way too many companies to willingly put way too much power into the hands of a partner that probably does not have their interests at heart. Microsoft already tried a passport years back.
At best, it will become a secondary feature on some websites, but not a required one.
I don't even trust OpenID, much less Facebook. Plus, I'm not going to let a host of important accounts be compromised by a single sign in -- it would be fine for forums and the like, but not anything of even moderate importance.
when a site I never visited before gives me a personal welcome.
NOT.
Privacy is terrorism.
I thought that's what Google was already going for. They practically own search, and my email, most of my video consumption, and my cloudified docs. If someone ever releases a google tablet, I'll probably wind up worse than those rabid Apple fans.
Why the hell would you give a privately owned company, based in a single country, the right to hold Internet users' single login "license"? Why? Even with the all those features you require.
Because Facebook is a magnet for fucktards and attention whores who don't use logic like you just did. They're sensitive about that in fact and will probably feel some serious butthurt and hate you for pointing out that there are serious flaws in this scheme. They just want to feel popular and special like Mommy always told them they were and you're a big meanie for having a grasp of the obvious and asking questions like "why". You might as well ask a Scientologist why they are a member of Scientology, you'll get an answer that makes about as much sense. They desperately need to feel like they are part of a big bandwagon and they need to feel like the bandwagon gets shiny new rims every now and then so they keep trying to find new uses for the site that provides them a phony sense of self-worth. It's sort of like the people who think the gossip covered by Entertainment Tonight is important and significant and deep while those with two brain cells to rub together wonder why anybody gives a shit about any of it.
The better to track you with *cue evil laugh*
Erm... nearly all of that can be done with OpenID/OAuth. Why have a single point of failure when we don't have to?
Don't thank God, thank a doctor!
I saw a video of a talk Ballmer had given about a year ago, that was linked on Slashdot. One of the things he said in there was that he and people of his generation are a lot more reluctant to give their personal information out on line, but that his son has no issue putting whatever out on facebook or twitter. The problem is, Zuckerberg is of Ballmer's son's generation (so am I, although I don't fit the mould) and has no problem asking for people's personal information.
I think one of the reasons that MS always seems "late to the party" with this sort of thing is that they just don't think that way -- they come from an age where products are things, and it was revolutionary that bits of magnetic material would be considered a product. So yeah, Ballmer or Ellison, while they may be pretty ruthless and cutthroat as businessmen, are at least old school enough that the current trend doesn't really seem like a great idea to them as much.
That's my interpretation of it, though. Your mileage may vary.
It seems obvious that this is the way Facebook has begun to position itself. It has increasingly encouraged the integration of its features with external websites while simultaneously removing features that allow external sites and applications to integrate with them (boxes and tabs). They already provide an API for sites to use Facebook logins for authentication.
It's either rather short sighted or an extremely wise move. I'm not as concerned about Facebook as some but personally, I hope it fails.
...I, for one, do NOT welcome our new facebook overlords.
He who knows best knows how little he knows. - Thomas Jefferson
I'm sure they dream of it (or will now), along with every other scheme/scam they've dreamed up, but it Ain't Gonna Happen.
They're riding high right now, on top of a giant bubble. All that means is when it bursts, they have that much farther to fall, taking all their users along with them.
One would think people would learn to stop putting all their eggs along with everyone else's into one giant basket, but I guess it speaks volumes as to the population of stupid people out there.
-SS "Teach the ignorant, care for the dumb, and punish the stupid."
Personally, I'd never want one entity to have the keys to the kingdom. Not MS with Passport/.NET, not FB, not OpenID, nobody. I'd rather use passwords that can be memorized, a password list stored on my smartphone, or passwords stored in Firefox. I'd rather pack my own parachute than have not just my ID from FB connected with tons of sites, but possibly my password.
However, if people want a SSO, with their eggs in one basket, let's at least have the basket made from something stronger than crepe paper strips and a generic white glue.
This is already happening where sites depend on another for authentication. If you want Cydia to recognize you and allow you access to purchased apps, you have to authenticate from Google or FB. Someone hacks the account that the Cydia stuff depends on, they can lock a person out of hundreds of dollars of purchased items, or even possibly rack up significant charges if an Amazon login is tied in with that.
Ideally, if a website is constructed from scratch for others to use it as a SSO, it should have not just top notch security (good luck with this, as most PHBs view security as having no ROI), but also allow for multiple personas with no way that subscriber sites, either by ad cookies, Flash shared objects or other means, can tie the personas together. If a site can't offer this, they at least need to be able to deal with multiple users from the same person.
In fact, if they spent half the time they did on that idea instead convincing people to use better browsers and pay attention to the address bar and SSL warnings...
Don't thank God, thank a doctor!
Throwing this out there, what if I make multiple FB accounts for myself across different emails? What about a FB account for a person who doesn't exist? What if I made one for my dog? What if I say it's for my dog, but it's only GIS pictures of dogs that I found, what then? If this "internet license" is of any practical importance at all, it would be laughably trivial to just generate as many of these "licenses" as you want. I see this proposal and I just see massive security flaws.
FB as any sort of "license" can't be anything other than a colossally bad idea.
Out of curiosity, why don't you trust OpenID? What is there to trust?
Don't thank God, thank a doctor!
But have slashdot id, will that do ?
So some academic at MIT has "re"discovered the Microsoft Passport, huh? Microsoft wanted a piece of that action over 10 years ago. It didn't work. Everything old is new again... to some people anyway.
Seven puppies were harmed during the making of this post.
facebook is basically the "new aol" (i.e. the new home of clueless masses of newbies, morons and idiots)... so if anyone should be DENIED an "internet drivers license" it should be anyone with a facebook account.
12: Allow registered sex offenders to have Facebook accounts, otherwise they'll be shut off from logging in anywhere on the 'net.
Web 1.0: some guy uploads content, everyone else just watches quietly as if it were TV.
Web 2.0: some guy uploads a set of scripts, which receive and display content contributed by end users.
The big money takeover is just a fact of life. All of the older media had their own time before big money; just because George Lucas can top the charts by passing gas into a microphone doesn't mean the common producer can't make his own movies.
Especially considering that FB is one of the most unethical companies out there.
/* TODO: Spawn child process, interest child in technology, have child write a new sig */
Given their *standards* for security and the model that everything should be visible by everyone, this breaks the basic rules of security. I for one would never trust FB with my private info, let alone a SSO password.
Reality will only be available as a facebook app.
Seriously.
It's in the final stages of a social networking site: where the investors, including some big outside investment firms, try to "monetize" the user base by pulling out all the stops with ads, apps, and selling people's personal information. All that needs to happen is some plucky college kid making his own social networking site, just for his friends on campus, as a way to stay away from all the silliness of Facebook, and Facebook will collapse within a couple of years. Just like MySpace did.
I am officially gone from
Client cert security is great in that respect. A website can keep track of the cert ID by itself, and it doesn't really matter what the CA says, wrong cert == no access. Plus, no passwords are ever exchanged, so all a blackhat can do is just grab your public key, and hope for a quantum computing breakthrough.
The downsides of client cert security are two factors: First, one doesn't want to tie all their stuff to one cert, so one needs to have the ability to make multiple certificates. Second is moving the certs in a secure fashion from place to place. If this isn't done right, the blackhat can slurp up the decrypted private key material, or tell a smart card to do signing/decryption for it, and do a MITM on the victim's computer.
One of the best proposals I've seen on /. for authentication would be a little bit awkward, but beats passwords. Enter your username at a site. The site presents a serial number. The user selects the serial number, signs it with their PGP/gpg key, and pastes the signature. The server validates the file against the key and grants/denies access. With this method, the server doesn't need to maintain much state (other than the serial number to prevent replay attacks), and no sensitive material is exchanged.
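The sign-the-serial-number scheme described above, as an added example that is not code from the poster or from any project on this page: it assumes Ed25519 (from Go's standard library) in place of PGP/gpg, a hypothetical site name "example.test", and binds the signed text to that site name so a signature collected by a look-alike site cannot be relayed to the real one; each challenge is consumed on first use, which is the replay-prevention state the comment mentions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Server holds registered public keys and the one outstanding challenge
// ("serial number") per user. That challenge is the only per-login state.
type Server struct {
	host    string
	mu      sync.Mutex
	keys    map[string]ed25519.PublicKey // username -> registered public key
	pending map[string]string            // username -> outstanding challenge (hex)
}

func NewServer(host string) *Server {
	return &Server{host: host, keys: map[string]ed25519.PublicKey{}, pending: map[string]string{}}
}

// Register stores a user's public key; the private key never reaches the server.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[user] = pub
}

// Challenge issues a fresh random serial number. Issuing a new one replaces any
// earlier outstanding challenge, so every number is single-use.
func (s *Server) Challenge(user string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.keys[user]; !ok {
		return "", errors.New("unknown user")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b)
	s.pending[user] = c
	return c, nil
}

// signedText is what the client actually signs: the site name plus the
// challenge. Including the site name stops a signature made for one site
// from being accepted by another site that relayed the same challenge.
func signedText(host, challenge string) []byte {
	return []byte("login:" + host + "\n" + challenge)
}

// Verify checks the pasted signature against the outstanding challenge and
// consumes the challenge, so a captured signature cannot be replayed.
func (s *Server) Verify(user, challenge string, sig []byte) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	want, ok := s.pending[user]
	if !ok || want != challenge {
		return false
	}
	delete(s.pending, user) // single use, whether or not the signature is good
	return ed25519.Verify(s.keys[user], signedText(s.host, challenge), sig)
}

// Client is the user's side: a key pair kept locally.
type Client struct {
	priv ed25519.PrivateKey
}

func NewClient() (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, pub, nil
}

// Sign produces the signature the user pastes back into the login form.
func (c *Client) Sign(host, challenge string) []byte {
	return ed25519.Sign(c.priv, signedText(host, challenge))
}

func main() {
	srv := NewServer("example.test") // hypothetical site name
	cl, pub, err := NewClient()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", pub)
	ch, _ := srv.Challenge("alice")
	sig := cl.Sign("example.test", ch)
	fmt.Println("first use accepted:", srv.Verify("alice", ch, sig))
	fmt.Println("replay accepted:   ", srv.Verify("alice", ch, sig))
}
```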
*** Seconded. Most websites (eg, slashdot) do not need to be tied to my "real" self, but rather just a unique id. I will NOT subscribe to an online verification system that always gives my full identity. I don't do it in real life, I certainly would never even consider it for every website that decides that I need to register to look at their stuff.
Don't most users just choose the same username and passwords for all their accounts anyway?
And would it be a true SSO, that manages the "you are logged in now" state, or that every site would just ask you to login using your credentials every time.
What was the first SSO? Wait a minute, what does SSO even mean?
It's called OpenID, http://www.openid.net./ move along, nothing to see here.
Never say never. Ah!! I did it again!
How about "My Ass!"
Or "What's dumbshit for "HELL FUCKING NO" you asshole?"
Or "What kinda goddamn drugs are YOU on?"
Seriously. What sort of intellectual cripple actually thinks (and I use the term forgivingly) using a known privacy offender and security whipping boy like Facebook as a single-sign-on?
Fuck Single Sign-On. It's single point of failure.
Chas - The one, the only.
THANK GOD!!!
Hehe...."Bailiff, whack his peepee". I use that phrase all the time. Nice to know I'm not the only one.
The teachers will crack any minute, purple monkey dishwasher.
no
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I am all for Facebook being *other* people's single Internet sign on, as that will provide me with endless amusement.
I don't have a Facebook account. I have ten Facebook accounts, all of which will be abandoned for roughly ten new ones in a month or two. Seriously. That's how I use Facebook.
Why?
To put it succinctly: Out of convenience
the answer to practically every question phrased like this is no.
"It is a mistake to think you can solve any major problems just with potatoes." Douglas Adams
With Goldman Sachs dumping good money into Facebook I would put just as good money on the possibility they (Goldman) came on board for this reason alone. I wouldn't doubt that in a million years Zuckerberg would turn down a few billion going his way. Right now pretty much every major governing body in the world is bricking up walls around their infrastructures, with more and more access to each person's personal data; if it gets pushed hard enough it will get pretty big. You too kids can be in the right place at the right time and sell out billions of people!
In other words: "fuck that shit"
thank goodness people at universities muse about so many random infeasible things. otherwise i'd be really worried about having to sign up with an AMERICAN company to do all my online activities
If an Internet SSO must exist, it simply must be run by an international non profit multi-government funded agency. or at least a company that's not in the USA, i think i'd sooner trust iraq or china with my personal info
Next question?
For the record, I do not have a Facebook account.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
It's called OpenID, http://www.openid.net./ move along, nothing to see here.
The problem with OpenID is that, while lots of big sites will let you use your account with that site as an OpenID (acting as OpenID providers), fewer actually accept foreign OpenID for logon.
Everyone wants their accounts to be the web's single-sign-on, but almost no one big wants to accept sign-ons from elsewhere.
(hashed a number of times to slow down brute forcing)
Hashing a password multiple times does absolutely *nothing* to slow down brute forcing. Each brute force attempt still has a 1/2^n chance of succeeding.
Using Facebook as a SSO. I can nick someone's session cookie if he's on my same network - and yet we can trust the same company which is there to sell your profile information - with our important logins?
Right..
Really. They can offer this as a service and all the "Internet" that matters to FB-users will use it anyway, safe or not safe.
It isn't even the privately owned part that concerns me the most, it's the consolidation of power. Many of the most corrupt organizations and corporations on earth are government entities, so government control wouldn't alleviate the issue either. Corruption happens as soon as a person is involved and has the ability/power to abuse their position. The only way to minimize its damage is to diversify authority; a single point of authentication is a single point of failure and abuse.
If that's the one where, when you click on it it takes you to a page that looks like the Google login page and asks you to log in, then that's your answer right there.
While somewhat offtopic, perhaps you can explain why RSA SecurID tokens are cream of the crop vs Vasco tokens? They do the exact same thing. The only difference is that RSA has made a business of charging exorbitant amounts of money for a token they get made in China for 1USD.
I swear it's getting to the point where I think I should roll an alt identity and only access my facebook from my phone.
Personally, I'd never want one entity to have the keys to the kingdom. Not MS with Passport/.NET, not FB, not OpenID, nobody. I'd rather use passwords that can be memorized, a password list stored on my smartphone, or passwords stored in Firefox.
In the first sentence, you suggest that you don't want any one entity storing all your passwords. How is trusting Firefox or your smartphone service provider not entrusting all your passwords to a single entity?
HA! I just wasted some of your bandwidth with a frivolous sig!
I've built walls,
A fortress deep and mighty,
That none may penetrate.
I have no need of friendship; friendship causes pain.
It's laughter and it's loving I disdain.
I am a rock,
I am an island.
There's no -1 for "I don't get it."
Unless we hit Peak Facebook
The correct approach is to not show the user's photo until *after* they have successfully logged in - only then do they confirm that they wish to continue.
how so?
the net's Special Security Organization anyway?
SCNR, http://en.wikipedia.org/wiki/SSO
If FB becomes the Net's SSO, it better have the following features, or else people are betting their privacy and reputation on something quite unproven:
I'd hardly call it unproven. Facebook's services have been thoroughly proven to be unreliable, shady, and unconcerned with the privacy and personal control of your data.
OpenID isn't a "one entity", it's a protocol. You can run your own OpenID server if you want to, or do as I do, which is implement the "redirection" mechanism (my webpage URL is the login entry-point, but redirects to a different provider for authentication). That way, you can change providers at any time without losing access to anything.
Dilbert RSS feed
For the same reason that people use Windows.
"Everybodies" doing it! Wouldn't it be soooooo kewwwll if liek we onnnnly had to liek remember one password to write down beside your computer for your bank account, your ira account, your social security site account, your dmv account, your state tax web account, your....(fades off into silence)
Only thing missing after that is Windows authentication through Facebook. This world gets stupider by the day, and it's just hilariously funny at the same time as we sit there wondering what we missed...
-- This space for lease, low setup fee, inquire within!
The funny thing is, people who actually use FB take it far less seriously than it appears you do. Take the stick out, you'll feel better.
OpenID allows you to use _any_ auth system, it only depends on the server implementing it.
8. Won't work. The phisher will use your data to login to the real site, copy the image and show it to you on their page.
10. if you control your OpenID auth URL (even if you then redirect to another provider using meta tags), that's very easy to accomplish - just take the page/server down.
Dilbert RSS feed
It's a simple answer: 1 single point of failure, outside of your control.
-- This space for lease, low setup fee, inquire within!
I hope this is a joke. Once you've signed in, you've handed your username and password over. It doesn't matter if you wish to continue or not.
OpenID lets you use _any_ provider, even your own, installed on your server. Google does implement their own provider, but you're not forced to use it.
For example, my OpenID URL is http://andreparames.com/, which is a website that I control.
Try StackOverflow's login system for a nice example of a URL based login.
Hashing multiple times makes each individual attempt take a lot longer, though. A thousand repetitions of the hash function means 1000x as much time (or processing power) needed by a hacker for a brute force attack.
I agree. Why for instance are they trying so hard to remain a privately financed company? Because they do not want the public to know how they really make their money. The only way they can be valued at $50B is if they are selling their users' data to the highest bidders.
"Crude and slow, clansman. Your attack was no better than that of a clumsy child."
Making your site logins Facebook-only will filter out most of the truly annoying users. Sounds like a good deal to me.
*** Thirded. I'd also like a stronger ability to choose what I'm sending along (do you just need to know that I'm the same user who was here last time, or do you really need my real name / address / credit card info)?
I nearly fell out of my chair the other day when Facebook popped up a "your account is low security" warning, which then asks you to give them even more personal information... (Yes, I get the theory, but I can't be the only person who assumes that any additional information I give them - to make my data more secure - will promptly be used to mine my life even more than it is now.)
I use FB sparingly, for fun. I don't get all wrapped up in it, and I keep my privacy settings locked down. I log on once a day and see what my crazy friends are up to, which is usually nothing much.
I did use it two years ago to reconnect with an old friend, and that was crucial because last year he passed away. There is tremendous social value in FB, if you want it.
I've never seen the appeal to me as a user.
I can see the benefit to advertisers, but don't feel that I owe the big advertisers online a single fucking thing. Not one thing. I don't feel guilty when I get up during a commercial break, I don't owe the TV station my time to view the commercials. I don't owe google my tracking info, or my clickthroughs on their links. I don't owe slashdot the courtesy of looking at their banner ads. I don't owe facebook my time or any of my personal info.
You all offered me services online for free, and I don't feel even the slightest tinge of obligation towards any of you. Why the fuck should I? I don't feel like I owe the supermarket anything for the free cocktail weenie samples they handed out, either.
In other words, you picked your business models, you made your beds, and you lie in them. Don't act like I'm obligated to you for shit.
So, what, as a regular user who maintains different accounts on different sites -- and doesn't want them associated with each other for myriad reasons -- what do I have to gain from SSO?
Internet drivers license, indeed. Fuck. This. guy.
1 - I do not use Facebook
2 - I do not enjoy 'Web 2.0'
3 - I believe that the userbase of Facebook and Web 2.0 is almost identical
4 - I therefore believe that mass adoption of Facebook as a SSO will effectively shift all Web 2.0 to Facebook's walled garden.
5 - This would effectively prune lots of crap from the internet I use.
6 - Critical segments of the internet (banking, email, &c) are too well established to shift to this SSO, so I would not lose functionality.
Obviously, the thing rests pretty strongly on point 6.
SecurID is dead, see OATH.
http://www.openauthentication.org/
HOTP:
http://www.ietf.org/rfc/rfc4226.txt
http://en.wikipedia.org/wiki/HOTP
and eventually TOTP
http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
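HOTP (RFC 4226) and TOTP (RFC 6238) as linked above, worked through as an added Python example that is not from the original thread. The secret is the RFC 4226 Appendix D test-vector key; the two verify functions, with their counter look-ahead window and clock-skew tolerance, are my own illustration of what the validating server has to do.

```python
import hmac
import hashlib
import struct

# RFC 4226 Appendix D reference secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP(K, C) per RFC 4226: HMAC over the 8-byte big-endian counter, then
    dynamic truncation (low nibble of the last byte picks a 4-byte window)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP per RFC 6238: HOTP with the counter replaced by floor(time / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_hotp(secret: bytes, submitted: str, server_counter: int, window: int = 5):
    """Server-side HOTP check with a look-ahead window (RFC 4226 section 7.4).

    Returns the counter the server must store next on success, or None.
    Advancing past the accepted value is what stops the same code being replayed.
    """
    for offset in range(window + 1):
        candidate = server_counter + offset
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate + 1
    return None


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` neighbouring steps to tolerate
    clock drift between token and server; constant-time comparison throughout."""
    for offset in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, unix_time + offset * step, step), submitted):
            return True
    return False
```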
There's no way I'd use fuckerberg's site as an authentication site
Really? Can you link to one, I'm curious. I thought BofA was only going to serve that picture to known IP addresses.
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
4: Solid password storage. Crypto 101 here: You never store a password....
...
9: Store passwords of unlimited length
Uhm...
If multiple people use the same computer- it gets worse.
There is another level where it *requires* that you give it a unique phone mobile number and locks your account until you do. If you put in a number, it sends you a text with an unlocking code.
Fortunately, you can simply create a new account (but goodbye farmville, citiville, etc., anything you spent time on to get progress) and point all your friends to your new account. The old account can still be seen but you can't log into it without giving your mobile phone number.
Facebook is so untrustworthy with my personal information and privacy that there is NO WAY IN HELL that I want it to be my SSO provider.
I don't even like the concept of SSO because if ANYONE breaks it, you would be massively screwed all over the place. I want a private signon at my bank, my medical pill companies, my pharmacy, my car company, etc.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
That's assuming that the brute force attack is done locally as opposed to sending login requests to the server - in which case the server, not the attacker, would use 1000x processing power.
The only way an attacker can brute force a hash locally is if they know the salt (i.e. the system has already been compromised) or if there is no salt, in which case just salting your hashes is much more efficient than double hashing them.
As provided by Fakebook. They unilaterally rescind this, for posting material counter to Zionist hate and colonial extremism. Or for exposing the criminally fraudulent basis for the Federal Reserve Bank and un-coined "fiat money".
These are both among the many topics that have caused users to find their accounts and groups "disappeared" by Frakbuch.
Fortunately, this nonsense will sound completely foolish in a few short years, as "The Social Network" goes the way of CIS, AOL and MySpace....
"Flyin' in just a sweet place,
Never been known to fail..."
this is the kind of idea that gives him an instant orgasm (right after he ejaculates onto one of those asians he's so fond of, that is).
My cranial area throbs with rage when people "muse" about asinine contrivances, around which they expect all of mankind to fall into line. I mean, wtf, Facebook is quickly becoming the most overrated object/event in recent human history.
How in the hell is someone as smart as Garfinkel, who probably has more salient and complex thoughts over waffles, than the entire intellectual significance of Facebook, into perpetuity, even entertaining an insipid notion like this?
AAARRRRGGGGHHHHHH!!!!
That's true if the attacker is trying to brute-force the hash: they would have no reason to actually compute the hash even once, much less thousands of times, as they would just submit (pseudo-)random numbers and hope that one of them matches the expected hash.
However, a decent hash is utterly impractical to brute-force in this manner; scanning a mere 128-bit hash space would take around one sextillion (1.0e+21) years even at a billion hashes/second (which would strain even a 10Gb network link). The more likely "brute-force" attack would be to scan likely passwords, and to do that you actually have to compute the hash of each prospective password (and nonce!) thousands of times over.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
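The cost argument running through the replies above (iteration count multiplies the attacker's work per guessed password once the salt and digest have leaked; the salt alone does not), as an added Python example that is not from the thread. The iterated-SHA-256 loop is a deliberately simple stand-in for the "hashed a number of times" scheme so the work can be counted; a real deployment would use PBKDF2, bcrypt, scrypt or Argon2.

```python
import hashlib
import hmac
import os

# Module-level counter so a single verification (and therefore a single
# attacker guess) can be shown to cost exactly `iterations` hash calls.
HASH_CALLS = 0


def iterated_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated SHA-256. Illustration of the scheme, not a recommended KDF."""
    global HASH_CALLS
    digest = salt + password.encode("utf-8")
    for _ in range(iterations):
        digest = hashlib.sha256(salt + digest).digest()
        HASH_CALLS += 1
    return digest


def make_record(password: str, iterations: int = 1000, salt=None) -> dict:
    """What the server stores: salt, iteration count and final digest, never the password.
    A fixed salt may be passed for reproducible tests; otherwise it is random per user."""
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "digest": iterated_hash(password, salt, iterations)}


def verify(record: dict, password: str) -> bool:
    """Online path: the server pays the iteration cost for every login attempt,
    which is why an online guessing attack is rate-limited by the server, not the attacker."""
    candidate = iterated_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def offline_work_factor(record: dict, candidates: list) -> tuple:
    """Offline path: once salt + digest have leaked, the attacker must run the full
    iteration count per candidate. Returns (match found, hash calls spent), so the
    1000x figure from the thread can be checked directly."""
    global HASH_CALLS
    before = HASH_CALLS
    found = any(verify(record, c) for c in candidates)
    return found, HASH_CALLS - before
```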
One sorta-real Facebook account with very few emer. contacts that's rarely used (and only for emergencies); but several other FB accounts that are just junk for people who want to "friend" me, connected to several junk GMail/Google accounts identifying me as a Harvard business grad, an African immigrant, a gay boy from Louisiana, a junkie from CT, a UNC student, others... I share these fakies with some local friends who want to remain anonymous, too. Oops, I've messed up my "Web" experience, oh noes!
(The minute I logged into a site that "knew who I was" and offered to connect to FB for me, I decided to go Sybil on "Web 2.0".)
By insufficient data, I mean there is no word in any human language that would express the value of "No" strongly enough.
> One of the best proposals I've seen on /. for authentication would be a little bit awkward, but beats passwords. Enter your username at a site. The site presents a serial number. The user selects the serial number, signs it with their PGP/gpg key, and pastes the signature. The server validates the file against the key and grants/denies access. With this method, the server doesn't need to maintain much state (other than the serial number to prevent replay attacks), and no sensitive material is exchanged.
Err... how is that not SSL based authentication, done with PGP? Is there something subtle I'm missing here?
Crypto 101 here: You never store a password.
So, how do you do digest authentication without server storing the password? Hashing hash+nonce instead of password+nonce effectively makes hash the password.
is one of Facebook's current investors. That said, I have absolutely no trouble with the concept of trusting Facebook with Simson Garfinkel's personal information. Starting with his bank account ID info. Facebook's record with respect to user info and user privacy speaks for itself.
Tech Public Policy stuff
But the more gates the castle has, the stronger it is. They can't knock them all down, right?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
1 single point of failure, outside of your control.
You can host your own OpenID server, if you wish, and use that with any site that allows the use of OpenID for logging in (assuming they aren't 100% lame and restrict the server URLs; if they do that, don't use the site). If that doesn't constitute control, I don't know what does. Since the authentication point is a (particular kind of) website, you can use the usual methods for replicating it.
Of course, for these things you'll pay (whether in money, time or effort) but I'm assuming that you believe that it is worth it. It's your choice.
"Little does he know, but there is no 'I' in 'Idiot'!"
It is funny to see the rants against the idea. I'm not going to bother ranting because it is obviously never going to happen. Of the some 2 billion internet users, only 500 million use facebook.
Worst....................Idea............Ever
I don't even trust OpenID
OpenID is a technology, not a company or organization. Any site can act as an OpenID provider, and any site can act as an OpenID consumer; not trusting OpenID makes about as much sense as not trusting http.
"What kinda goddamn drugs are YOU on?"
You missed "and where can I get some because they sound great".
Corporations are amoral. This means they are neither ethical, nor unethical. They have zero regard for what is right and wrong, no matter who they are. There is no concept of more or less ethical in a corporation. More or less litigious? Sure. Political? Sure. Beneficial (i.e. Google fighting for net neutrality while telcoms fight against)? Sure. However more or less "ethical" they seem, you have to remember any time their interests coincide with yours is purely by coincidence. Here, Facebook could become the next generation of certificate authorities, and all you crypto-nerds know how well that turned out...
Bank of Montreal doesn't display the verification picture until you've entered a "secret answer" sort of thing, like the "What was your first pet?" kind of question. It will set a cookie on your browser, if you like, so you don't have to keep doing that part. THEN you get to enter your account number and password.
So the interceptor would have to remember to pass the cookie on... so let's hope they're intercepting by DNS spoofing, not just using a phishing site at a different hostname.
Shut up, and join forces with us!
http://www.youtube.com/watch?v=iFU9txRdAMU
However being part of the alpha I am almost laughing at what they are accomplishing thus far.
The price is always right if someone else is paying.
BigLumber.com, a site for people to arrange PGP key signing events, does something similar.
The user associates a PGP public key with their account, and the server makes sure the email address in the key and the email address in the BigLumber account match, generates a unique login URL, encrypts it to the user's public key, and sends it to their email. If the user can decrypt the email and click the login URL, they are granted access.
Simple, straightforward, and completely out of the range of capabilities of the average user, unfortunately.
You are as wrong as it is possible to be with a statement that simple.
It's not a single point of failure. From the standpoint of availability, nothing prevents an OpenID provider from implementing something as robust as any website, and websites don't generally have single points of failure either. From the standpoint of control, nothing forces you to choose one OpenID provider over another, or even setting up your own.
So no, it's not "outside of your control" -- nothing prevents you from setting up your own OpenID server, with your own software, placing the entire thing entirely under your control.
Don't thank God, thank a doctor!
It's one entity. "Entity" is a flexible word, you know.
The problem is that you are ambiguous by changing the type of entity you're talking about in the middle of the sentence. First you give MS and FB as examples, therefore I think it's not my fault that I infer that you're talking about single providers, which OpenID has none, instead of "a single set of credentials".
Somebody compromises that and you're done with no ability to perform damage control.
If you run your own provider and/or entry point you can shut it down. In my case, I can physically pull the plug and cut their access - the server runs in my home.
You can sing the merits of OpenID all you like. If they have a marketing team maybe you can join up with them.
FFS, just because I said what I said, doesn't mean I consider it the best authentication solution ever. In fact, I agree that long, random passwords for each website are more secure than any of these SSO solutions, and I wouldn't use OpenID for any important login.
Having said that, I think SSO is a convenient solution for the hundreds of websites that ask me to register, and force me to have a password manager which is annoying when I'm accessing the web from different devices, including public computers.
And of all the SSO solutions, OpenID is the only one I like, since it's not tied to a single company or authentication system and I have more control over it than using Google's, for example.
You have still failed to address the core problem with it as a scheme just as you have failed to comprehend what the issue is about.
I understand the issue. You're right, by reading your first line I didn't think that was the issue you were referring to - but I don't agree that it was my fault alone.
This isn't the first post I've seen from you that demonstrates your inability to read a post and reply to what it was actually talking about.
Maybe if you bothered to login I could say the same.
This is all assuming that a given person uses their real name and information on Facebook, which I and many people I know do not do because we still value our privacy. I don't even allow people I know to post pictures of me and tag me in them, as I don't want my face and my online identities linked anywhere. So far this has worked out wonderfully, but if this theoretical situation were to come to pass, I would not be participating because I would still refuse to use my real name and information online. With all the above in mind I just don't see this happening.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
See here's the point you OpenIDTards are failing to grasp. Denial - It's not just a river in Egypt.
Oh yeah that thing you keep failing to grasp. Moving along to that. Let's say I use 10 web sites and have 10 different passwords for each one of them, managed by an ENCRYPTED and LOCALLY STORED ONLY password vault program. Some hacker can break into one of them. That sucks balls, but at least the other 9 of 10 sites have not been compromised. The hacker can't use that password to get into the other 9 sites. THAT IS WHY "websites don't generally have single points of failure either" because WEBSITES DON'T GENERALLY USE OPENID. Jesus Christ, it's like pulling teeth to get you to connect the dots.
Anyway, without OpenID that hacker would have to break into each one of those 9 remaining sites individually. Breaking into *my* computer wouldn't do him any good since the passwords are not stored there in plaintext. This is called damage control. Investors call it not putting all your eggs into one basket. Smart people call it common fucking sense that should never need to be explained to you or anyone else who thinks they are knowledgeable enough to speak about the subject for any reason except to ask a question.
Now, with OpenID there is one consistent "identity", one set of credentials that is re-used across multiple sites. Somebody compromises that one identity by any means and I'm fucked on every site I use. That's the definition of a single point of failure. Re-read that last couple of sentences if you're still confused about all this fact and logic business. Now then. If I host my own OpenID server, that would mean breaking into my computer (or if it's a Windows system, getting the latest virus). If somebody else hosts the system, it would mean breaking into that shared host and getting potentially thousands of OpenIDs. A most tempting target for many hackers.
That's plain undeniable fact rendered for you in plain English. You're going to say "but but but, this and that is why I like OpenID anyway" because you're a stubborn bastard who doesn't want anybody talking bad about his New Shiny. Got it. Don't care. Now you know why the rest of us don't share your belief that OpenID is the One True Way and the Solution to All Problems.
OpenID is the sacrifice of added redundancy and security for the sake of convenience. Period. That is its very nature. It is not a perfect solution. It is a trade-off that not everyone wants to make. You will not win converts among those who don't like that trade-off. Deal.
It won't become the internet's SSO, simply because it requires way too many companies to willingly put way too much power into the hands of a partner that probably does not have their interests at heart.
So, what happens when all those Facebook junkies (basically everybody under 25yo) are running the companies? I think they'd be more than happy to give too much power to their best friend, Facebook. Just as companies are more than willing to give too much power to their best friend today, Google, as they did in the past with their old best friend Microsoft (and before that IBM and so forth).
The fact that you cite Microsoft is hilarious - because "too many companies putting way too much power into the hands of a partner who doesn't have their best interests at heart" is exactly how Microsoft grew to be so big in the first place. Don't think it can't happen again. In fact, the corporate-driven world we live in basically guarantees it will happen repeatedly.
... and then they built the supercollider.
At the risk of appearing blunt / insensitive / blablabla - you possibly would miss him much less without reconnection?
One that hath name thou can not otter
No. Not only no, HELL NO.
Next question please.
I've thought about trying to set up my own OpenID server, but I don't understand the pieces and how they fit together or what exactly I'd need to do. I don't think I'm as hopeless as that sounds, but I did read a bunch about OpenID a while ago and didn't completely grok it.
What you're doing sounds really interesting; could you tell me a little more about how it's set up? Perhaps if you know of some reference links?
Thanks
You're really over-thinking this. How about just, no.
See here's the point you OpenIDTards are failing to grasp....
I'm waiting...
Denial - It's not just a river in Egypt.
Ad hominem. It's not just fancy Latin, it's an easy way to spot posts that probably won't be worth reading.
Let's say I use 10 web sites and have 10 different passwords for each one of them, managed by an ENCRYPTED and LOCALLY STORED ONLY password vault program.
Which means it's a single point of failure on your system. How is that better?
Jesus Christ, it's like pulling teeth to get you to connect the dots....
It'd probably be easier if you made your point instead of bitching about how stupid I am for not somehow being psychic enough to already know what you're thinking.
Breaking into *my* computer wouldn't do him any good since the passwords are not stored there in plaintext.
Sure it would -- install keylogger, wait. Hey, presto, he's got your uber-password.
Now, with OpenID there is one consistent "identity", one set of credentials that is re-used across multiple sites.
...maybe.
There certainly could be one consistent identity. Or you could create a separate account per-site. Up to you.
OpenID adds the choice of having SSO. It doesn't force you to do so.
Do I really have to bring out the email analogy again? Probably. OpenID is similar to email in its flaws and strengths. You could "put all your eggs in one basket" and have exactly one email account, which is fine for most people. Or you can have as many email accounts on as many different providers as you can manage.
Somebody compromises that one identity by any means and I'm fucked on every site I use.
Just like if somebody compromises your one master password file on your one computer.
That's the definition of a single point of failure.
Yes. Yes it is. All you've done is moved the SPOF from a web service to your local hard drive. Whether or not that's actually more secure is up to you, but note that OpenID certainly allows you to control the web service as much as you like.
Suppose I set up my own OpenID server, which I run off my own hardware. The "single point of failure" is now moved from my laptop (where you'd put it) to my Linux server, two feet to the left. I can encrypt it to my heart's content, I can protect it in exactly the same way it would be protected "locally" on my laptop.
Only now I can actually have those multiple identities online be somewhat connected, so I can prove on Reddit that I'm the same person who made that Slashdot comment -- at least, if Reddit and Slashdot both supported OpenID. It also ends up being less of a hassle, and more secure than using passwords. After all, how do passwords get compromised?
Some hacker can break into one of them.
Huh. You're going to have to be way more specific.
For example, I've got ssh access to a number of systems. My access is via a single private key, but the corresponding public key is stored on all those systems. What would it mean for "some hacker" to break in? Break into where? On my machine, that private key is encrypted, so it's just as secure as your local list of passwords. But on the remote end, it doesn't matter if they get the public key, it won't give them access to anywhere.
Worse, since it's actually key-based instead of password-based, if they were in a guessing mood, they'd have to guess 4096 bits worth in order to get access. Phishing is no help here; connecting to an untrusted server doesn't give that server access to anything else I can connect to.
OpenID can be similarly protected against these kinds of attacks. How, exactly, are they supposed to compromise that one account? Just because you authenticate against a g
Whether we like it or not. I have started seeing many sites where you need to sign in with your Facebook account to see comments, etc.
It's really hard to fight against critical mass. I mean you can choose not to participate, but you end up becoming an outsider after a while (think of how difficult life becomes if you try something like not having a social security number in the US or not having _any_ credit cards).
The answer (for now) is to have a second, fake Facebook account. But who will stop them from having cell phone/SMS based authentication or the like? (I don't know if anyone here has noticed this, but you can no longer create a Gmail account without giving them your phone number for SMS or voice based authentication anymore)
Dang. I was hoping to use my WoW log-in via battle.net
Because WoW accounts never get hacked!
It's a shame that there aren't any SAs at Facebook who have the slightest idea of what you mean by points 8, 5, 2, 9, 3, 1, 4, 6, 7 and possibly 9.
To put it succinctly: Out of convenience
Convenience is, in most cases, the opposite of security. To base any part of a security mechanism on that which is convenient serves only to undermine the goals of said mechanism.
http://www.youtube.com/watch?v=KpLNlSKugHw
Well, at least he's thinking of how SSO could be implemented well. Everyone else in the entire thread seems to think we will sit in the dark ages with 100 usernames and passwords to keep track of.
But just in case it hasn't been said: Fuck Facebook. And their maladjusted ginger billionaire manoftheyear monkey.
http://www.theonion.com/articles/area-man-has-no-idea-how-he-got-on-hamas-email-lis,18721/?utm_souce=popbox
Sorry to go way OT but Google is not fighting for net neutrality.
You missed one
11: Not being based in the USA, there is no way I would trust any american based org with my SSO. The fact that it would need to be based somewhere indicates a single point of failure in terms of protection against any government interference.
It's StackOverflow I've used. But it's a stupid system. Because, as I said, you go to log onto site A, and it takes you to site B and says `site A wants you to log in` and you're supposed to enter site B's credentials. But I don't want to have to type in site B's credentials, because that's my Gmail account, and it could be a fake site if site A isn't to be trusted/gets hacked etc. So you have to create a fake account on site B for site A. I'd rather just create an account on site A and be done with it.
Personally, I almost always use single sign-on wherever possible and recommend it, but I don't use my Facebook account as the only identity. I sometimes use my Facebook account, sometimes my Twitter account, sometimes my OpenID accounts; it depends on what the website supports and which one I happen to use. Many websites support tying accounts from multiple services, and I use that wherever possible.
An OpenID server is just a regular web page (or set of pages) that receives a request from the site you're trying to login to.
You just have to install a web server (Apache or Lighttpd will do fine), possibly an SQL server to store your info and an OpenID server (in PHP, Python, etc). The OpenID Wiki has a list of servers.
If you already have a LAMP server, installing the OpenID is just a matter of copying the files and possibly setting up the database - depends on the specific server you choose, but it should have instructions anyway.
In my case, I don't actually run an OpenID server, I just changed my homepage HTML to delegate OpenID requests to myOpenId.com
I just had to insert the following tags:
This tells the site that makes the request to authenticate me that he should ask MyOpenID instead. The nice thing is that it's my URL that is associated with my profile, so I can change my provider without having to change any login info in any third-party website.
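The delegation described in the post above, seen from the relying party's side: an added Python example (not the poster's code or markup) that parses a claimed-identifier page for the OpenID 1.1 (openid.server / openid.delegate) and OpenID 2.0 HTML-discovery (openid2.provider / openid2.local_id) link tags and works out where to redirect the user. The sample homepage is constructed, with placeholder provider and user URLs.

```python
from html.parser import HTMLParser

# Constructed sample of a personal homepage that delegates OpenID to a provider.
# Both URL families are placeholders, not anyone's real configuration.
SAMPLE_HOMEPAGE = """<html><head>
<title>Example personal page</title>
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="https://alice.provider.example/">
<link rel="openid2.provider" href="https://provider.example/server">
<link rel="openid2.local_id" href="https://alice.provider.example/">
</head><body>hello</body></html>"""

# rel values defined by OpenID 1.1 (openid.*) and OpenID 2.0 HTML discovery (openid2.*).
DELEGATION_RELS = {"openid.server", "openid.delegate",
                   "openid2.provider", "openid2.local_id"}


class DelegationParser(HTMLParser):
    """Collects the delegation <link> tags, and only those inside <head>,
    so markup in the page body cannot redirect the login elsewhere."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if tag != "link" or not self.in_head:
            return
        attr = dict(attrs)
        # rel may carry several space-separated values; keep the first href seen per rel.
        for rel in (attr.get("rel") or "").split():
            if rel in DELEGATION_RELS and attr.get("href"):
                self.links.setdefault(rel, attr["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html: str) -> dict:
    """Return the provider endpoint and local identifier a relying party would use.

    Prefers OpenID 2.0 tags and falls back to 1.1. 'endpoint' is where the RP sends
    the user to authenticate; 'local_id' is the identifier the provider itself knows,
    while the claimed URL (the user's own page) is what the RP associates with the account.
    """
    parser = DelegationParser()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:
        return {"version": 2, "endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id")}
    if "openid.server" in links:
        return {"version": 1, "endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate")}
    return {}
```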
But I don't want to have to type in site B's credentials, because that's my Gmail account, and it could be a fake site if site A isn't to be trusted/gets hacked etc.
No, not really. The site A doesn't embed site B, it just redirects you, so you can check the domain to see if it's valid, and the certificate to be sure. A website doesn't control your browser, it can't force Firefox/Chrome/Opera/etc to show "google.com" if you're not really in Google, and it especially can't fake the certificate (not that it isn't theoretically possible, but I doubt some CA would sell them a valid cert for google.com unless they're the govt or something like that).
In any case, you're not forced to use Google's OpenID server - you can set up an account in certifi.ca, for example, which lets you authenticate using public key auth, so they never get your private key.
I don't use Facebook. I don't want to use Facebook. There is no reason I should be compelled to use a site I have no need for so that I can use the sites on the Internet I do want to use or need access to.
"To stop the terrorists."
That was my understanding, too. In fact, I'm signed up for a secondary authentication procedure with BofA, where if they don't recognize my computer, they send me an SMS with a code that I have to enter before I can proceed.
The scary part is, on at least two occasions I've been walking down the street and have received the SMS out of the blue. It's funny... you understand that people try to hack online banking accounts in principle, but it's a weird feeling when you know that someone is actively trying to hack your bank account, right now.
Breakfast served all day!
Most of the older internet users started out as 'outsiders' (at least, nobody knew what I meant about FTP usenet and new kernels). And I'd rather be an outsider than a target.
But seriously re: google accts, I just made [yet another] Gmail account and yes, they ask for cell number, but I didn't need it, and I didn't give it. (I did have a hard time with that captcha picture... I can never read them, takes forever to get it typed right.)
Plus, it just wouldn't be right for the disenfranchised w/out phones to be denied email through a library computer; Google and fb and microsoft WANT everything they can get, but you really only need to pick a stupid "what's your mom's name" question, an available username, and an okay pw. (And good enough eyesight to read captchas).
I've got and have been running for quite some time, an "SSO" of sorts, that meets and exceeds all of your requirements...
1: It has the ability to have two factor authentication. In fact, there are several methods of 2 factor authentication, and I think some can be chained (but not sure about that last point). It doesn't support SecurID tokens, but it supports other similar tokens, and has planned support for others. I believe SMS and similar ideas have been floated, but it's a small company, running on almost no income, so I'm not sure about that.
2: It ensures that the site that is asking for information is genuine, as a matter of how it's implemented. A user would have to go out of their way to put their information in and bypass this protection.
3: It has the ability to backup your data, tokens, and similar. You can also store a one time password for a single simple recovery. As a consequence of being able to backup your data, it allows relatively easy migration between other similar providers.
4: It has exceptional password and data storage. Everything is encrypted. They can't even see the hash, or unencrypted data. All they see is the encrypted data. A consequence of this, is they cannot recover your data, and the onus is on you (see point 3), to backup and ensure you can recover your own password. It's as good as TrueCrypt's mechanism (from what I read).
5: Okay, they fail here. I don't believe there is any vetting of their security system, but since most of it is client side, technically anyone can analyse it. You'll see exactly what is sent to and from them, using each of the mechanisms you use. Their weakest mechanism is the website which could be prone to a man in the middle attack. They aren't FIPS compliant, though from what I've read, this is a good thing, as a lot of the FIPS standards are lower than they could be. As for the data center, well you know exactly what they store (if you want) so you know all data in that data centre is relatively useless. Except if they took it over and re-wrote their code, then got us to use it. Basically, only the most insane (or government run) attack on the data center might work.
6: They use SSL (and more, as above) with their authentication process, and they use the regular authentication process of the other providers, which could mean SSL. Also, if one site is broken, and you're maintaining good practices (which they give you a tool to audit yourself with), then that won't affect the other sites.
7: Not sure about this one.
8: They don't have this, but it's addressed through other mechanisms, and as you've seen, they've got this angle covered.
9: They can store your password with (possibly) unlimited length, but they are bound by the password length of the other services.
10: There aren't third party logins, so one site cannot access another site (without some other mechanism). So the default state is turned off.
11: It allows multiple accounts/personalities, so when you go to a site with multiple accounts, it prompts you with which one you want to login with.
Additionally, it's decentralized, I'm in complete control of it (well, reasonably in control of it), it can store offline passwords, it can store other information and they have so far rapidly responded to problems/help. I lodged a problem the other day, and it was fixed today. I was quite impressed.
It's not an SSO per se, it's LastPass. It's essentially SSO without giving them too much control, and it allows me to maintain large complex passwords (extreme entropy, 20+ characters long, upper case, lower case, extended characters, etc.). It also has an audit tool to give you an idea of your security strength.
Quite frankly, when I searched around for this (there are several other providers, and OSS solutions), I found this was the best service, and have been continually amazed with it. It changed my security immensely!
Seriously, this SSO idea above, is fucking retarded in comparison.
Good password/account management starts at home (or more so, client side)!
This is my footer. There are many like it, but this one is mine.
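As an added illustration of point 4 above (example code written for this thread, not LastPass's actual implementation; the key-derivation layout, iteration count and "known text" verifier are assumptions): a client-side scheme in which the vault key is derived on the device, the provider only ever stores a further one-way hash of it, and a known-text check lets the client verify the master password offline.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this illustration, not LastPass's real values.
ITERATIONS = 100_000         # many rounds slow offline guessing of the master password
KNOWN_TEXT = b"vault-check"  # "known text" kept locally to verify the master password

def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only: the key that encrypts the vault. It never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS)

def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to log in: one more one-way step, so the value the
    provider holds cannot be turned back into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def make_local_verifier(vault_key: bytes) -> bytes:
    """Keyed tag over known text, stored beside the local vault copy. HMAC stands in
    for 'known text encrypted under the derived key' (the stdlib has no AES)."""
    return hmac.new(vault_key, KNOWN_TEXT, hashlib.sha256).digest()

def enroll(master_password: str, email: str) -> Tuple[dict, dict]:
    """Returns (client_state, server_record). Only server_record goes to the provider."""
    vault_key = derive_vault_key(master_password, email)
    login_hash = derive_login_hash(vault_key, master_password)
    salt = os.urandom(16)  # the provider re-hashes the login hash with its own salt
    stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
    client_state = {"email": email, "verifier": make_local_verifier(vault_key)}
    server_record = {"email": email, "salt": salt, "stored_hash": stored}
    return client_state, server_record

def client_unlock(master_password: str, client_state: dict) -> Optional[bytes]:
    """Offline unlock: returns the vault key only if the master password checks out."""
    key = derive_vault_key(master_password, client_state["email"])
    if hmac.compare_digest(make_local_verifier(key), client_state["verifier"]):
        return key
    return None

def server_login(master_password: str, server_record: dict) -> bool:
    """Client computes the login hash, provider checks it against its salted copy.
    The provider never receives the master password or the vault key."""
    vault_key = derive_vault_key(master_password, server_record["email"])
    login_hash = derive_login_hash(vault_key, master_password)
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash,
                                    server_record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, server_record["stored_hash"])
```

A breach of server_record yields only a salted hash of the login hash, so an attacker still has to guess the master password through the full iteration count before any vault data is readable.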
So, what happens when all those Facebook junkies (basically everybody under 25yo) are running the companies?
The ones who are Facebook junkies have automatically disqualified themselves from having a leadership role at any important company. No, I mean they really have. There are still grownups in the world. Even grownups under the age of 25.
Thank Simson Garfinkel for breaking the news to everyone, party on
The ones who are Facebook junkies have automatically disqualified themselves from having a leadership role at any important company.
I don't think so. I'm guessing that within 10 years, it will basically be a requirement to have a Facebook (or equivalent social network that replaces it) profile to even be considered for jobs. There's a whole generation taking power right now who consider it suspicious not to have a social network profile.
... and then they built the supercollider.
LastPass looks good, but storing/syncing passwords among multiple machines automatically? That gets me a tad leery. Even if the machine is connected to the Internet, I don't want a password list being moved around, or stored.
Instead, for password management on the client side, a KISS philosophy is good to have. There are a lot of password managers available, both commercial and free. However, for anything security related, it is a good idea to use something open source. KeePass is one of the better multiplatform utilities out there, has apps for the iPhone and Android, and has solid security. If I wanted to transfer KeePass databases through the Internet, I'd either do it via Sneakernet, or have a keyfile on the machines (which was copied via Sneakernet) and transfer the updated KP database via TrueCrypt containers. This way, should someone unauthorized grab the TC container, a brute-force password guess will be absolutely useless unless an endpoint is compromised (and in that case, the jig is up anyway).
Client-side password storage, be it KeePass, LastPass, or Firefox's password store, is different from server-based SSO systems. The advantage of SSO systems is that one doesn't need to have anything else but their main username and password to get access places. Of course, the disadvantages are quite clearly posted in this discussion. Personally, I don't bother with SSO services, because it is quite easy to just stash the password in a .kdb file on my Android device or iPhone.
Firstly, I would not trust Facebook with the combination to my bike lock, let alone my online identity.
I created an account to have a look around when it was new. Now it just sits there dormant while I consider deleting it.
For me the point is that for all of my important logins I WANT a separate login to have my security compartmentalised.
I just wish that more forums allowed anon posting so I didn't have to sign up for a one-off question.
Yeah, that's the thought that came into my head, too.
Of course, I realize you're aiming for a Funny mod, because:
If it's a phishing site, it doesn't display the photo before login because the real site doesn't either.
Then you give the phisher your password.
Then it logs into the real site with your password, grabs the pic, and displays it at the fake site.
And you believe it to be the real site even more than if there hadn't been a buzzword verification measure.
I'm not a lawyer, but I play one on the Internet. Blog
Maybe if we want a standard for 'net auth, we should try someone that isn't blocked by 90% of all large companies :D
Because Facebook is now valued at approximately ten times the GDP of the whole planet, it is obviously a good thing. To say otherwise is to condemn yourself as a paranoid luddite communist terrorist.
To have a right to do a thing is not at all the same as to be right in doing it
Alright, so where are the links to these sites you've created?
Put up or shut up.
Too complicated (for most people). Either you can trust a link, or you can't. If you can't, then adding certificates or whatever is an ugly kludge because you're expecting people to understand too much.
A better solution, in my opinion, would be if Google (and other companies who support OpenID) had a tab in their Gmail site somewhere for websites you've signed up to, and to connect to those sites from your Gmail account. If a website was compromised, Google could immediately pull access to the site for everyone. Yes, you have to trust Google for this to work, but...well, you trust them anyway if you have a Gmail account, and it wouldn't be just Google offering this service.
Why for instance are they trying so hard to remain a privately financed company? Because they do not want the public to know how they really make their money. The only way they can be valued at $50B is if they are selling their users' data to the highest bidders.
Don't ordinary non-publicly-quoted companies have to publish their accounts in the US then?
Too complicated (for most people). Either you can trust a link, or you can't. If you can't, then adding certificates or whatever is an ugly kludge because you're expecting people to understand too much.
Well, the domain should do it, but it can be complicated, yes.
A better solution, in my opinion, would be if Google (and other companies who support OpenID) had a tab in their Gmail site somewhere for websites you've signed up to, and to connect to those sites from your Gmail account. If a website was compromised, Google could immediately pull access to the site for everyone. Yes, you have to trust Google for this to work, but...well, you trust them anyway if you have a Gmail account, and it wouldn't be just Google offering this service.
That only works if it's not the first time you log in to Site A with your Google account, or else how would Google know about it?
The simplest way to be sure is to log in manually to your Google account (Gmail, etc.) - which most people are anyway - before logging in to Site A. Then Google doesn't need to ask you to log in to them, so even if Site A is compromised, you don't ever give them your Google credentials.
So I, for example, go to MyOpenID (my provider) and log in. Then I go to StackOverflow and input my URL. Since I'm already logged in to MyOpenID, it doesn't show me any login page. If it did, that would mean that StackOverflow was redirecting me to a fake provider.
Dilbert RSS feed
Only if they have more than 500 investors.
"Crude and slow, clansman. Your attack was no better than that of a clumsy child."
Yes that is certainly true. But that's the whole point behind connecting to people. Missing them when they're gone is an unavoidable side effect.
Thing is: On the internet most people really DON'T want their real identity attached to every pr0n clip they watch. IOW: Anonymity is a legitimate request.
I think you're pretty much describing the principle of a distributed internet. And I also think you are absolutely correct.
I consolidate all of my passwords in KeePass, and I'm the only one in control of that information. When you think about it, the only person you can trust with that info is yourself.
Har?
Especially considering that FB is one of the most unethical companies out there.
And they keep screwing up security. I would rather let the "Don't be evil boys" handle SSO.
You're right, naturally. Perhaps I should be clearer about how it was, after all, about the value of FB - the specific justification displaying a sort of circular thinking IMHO: FB essentially made the issue crucial (this doesn't attach any value to it, doesn't say it's bad; just sayin') by inducing reconnection in the first place.
As a side note, in the more general picture of FB and human connections, it ultimately acts as another vehicle for the illusions of a social animal. The number of contacts many people have on FB easily touches on the limits of how many individuals we can really track with our minds at all. That's still basically nothing out of almost 7 billion people alive. ... but we not only lose track of our quite recent ancestors very soon, we don't really care about them. Ultimately, hardly anybody is even aware of the number of dead Homo sapiens sapiens, over 100 billion (if my back-of-the-napkin calculations are correct, that's on average ~1000 remains of modern humans per km^2 of land, excluding oceans and Antarctica but including desolate areas). More, we actually prefer to convince ourselves of the "myth of the living", how supposedly more humans are alive than have ever lived.
Or another grand illusion: how we want to be remembered, and convince ourselves that we indeed do it.
One that hath name thou can not otter