I work in that industry and I don't push females in any particular direction. I will always prefer the person that has a better knack, gets things delivered sooner etc.
Single sign on means that all someone needs to gain access to all of your shit is one username and one password. It's exactly the same thing as using identical logins for everything.
While it's true that if you know the specific credentials you can get into the account, single sign on solutions also give the ability to effortlessly include two-factor authentication without needing the application to specifically support it and having to manually set up a whole bunch of tokens for each user.
That said, on a federated single sign on system, you have to compromise the login system rather than the application in order to do so. The only way a login can be compromised in this scenario is if you get into the federated single sign on solution; getting into any other system that uses it won't help you in this regard because they don't handle or store logins from a federated single sign on solution. Additionally, you have completely ignored all the other statements regarding auditing capabilities, revocation of access etc.
You also forget that single sign on also means, one sign in and you are logged into everything at the same time. You don't get this with multiple login systems.
Using the SSO solution outside the SSO domain is not supported, and if you need to do that, you would generally place a reverse proxy in front of the servers not part of the domain.
This is not possible for me, so this will break the web for people who use my stuff. I expect it will also break others who also have the situation where they make use of certain cloud services that rely on certain federated SSO solutions similar to openid for login integration.
I also wouldn't be very happy about login URLs not using the same domain always, from a security point of view, a user would become used to the idea that there is a separate login prompt for every domain, making the problem of phishing larger.
Depending on clients compromising their security in order for you to get less work does not instill a lot of confidence in your single sign-on solution and by extension, how safe it is.
For some reason you think this actually prevents the nefarious tracking that users don't want. I already included more than enough examples on another post that shows this is not the case.
You are misleading people into a false sense of security, you're making users think that everything is fine, when in reality it is going to break things and the nefarious ones are still going to be able to do what the users think they aren't doing.
To put it in other words, the so called advantages of this solution you are claiming is more secure is an illusion and only serves to break legitimate systems that aren't intended to be nefarious in nature.
Because not using the same login to access webmail, web storage, bug report facilities from the same organisation is 'fucking stupid'? Sorry, I disagree.
You might as well just use the same user name and password for everything.
That's more insecure than federated single sign on. If a specific system is compromised, the credentials are not in a federated single sign on solution. It also means that when you revoke a single user's access, all their access is removed in a federated single sign on solution. If you give a user access, their access is automatically available at all the systems they're meant to have access to in a federated single sign on solution. If you want to have auditing of access, a federated single sign on solution makes this very simple, while trying to audit across many systems with different user databases can be quite difficult etc.
Odd, my post here disappeared... I'll just rewrite it.
It sounds like a very small minority would get into trouble with this.
You never even bothered verifying that this software has this issue, if you even bothered, you would realize that a lot of other sign on solutions are at risk too. Instead you waste everyone's time, noh8rz10. You even wasted the reader's time by not bothering to verify anything here.
I'm having to add to my examples because you changed the requirements. I felt something that really personally affects me was sufficient because you didn't bother posting your requirement where this is meant to affect some widespread amount of users. So fine, I will humour you and tell you one more, but this is the last time I accept your moving of goal posts in this conversation. But you have wasted my time too, noh8rz10.
Posting YouTube comments will not work without 3rd party cookies and you can bet there are plenty of other websites that have similar issues.
As I see it now, I have now fulfilled your prerequisite of:
Please demonstrate any problems with default 3rd party blocking, other than advertising and tracking. Specific sites and examples.
Ta da.
everyone else benefits from advanced protection
This is not advanced protection, this is a very simple protection, something that even existed in the 90s. In fact, it was disabled by default because it broke single sign on systems from Yahoo and broke certain embedding of content. Your claims are just going to lead people into a false sense of security. The reality is that someone who wants to be nefarious can still track people using other methods, off the top of my head... Storing identifiers in RGB values through HTML5 canvas, storing identifiers through HTML5 session storage, storing identifiers through HTML5 local storage, storing identifiers through HTML5 global storage, storing identifiers through HTML5 database storage, storing identifiers through userData storage, storing identifiers through window.name caching, storing identifiers through Local Shared Objects, storing identifiers through isolated storage, storing identifiers through web history, storing identifiers through etags, storing identifiers through web cache, storing identifiers through HTTP authentication caching, verifying identity through font availability and plugin setup. And that's just the stuff I remember off the top of my head to track someone through web browsers using more nefarious methods.
Safari does it right; this is why google had to hack the browsers.
Safari does this right... By setting a false sense of security and then adding a feature where website owners can override the setting by telling the browser "yeah, you can trust me"... Yeah, no.
Single sign-on support? Interesting - maybe you need to whitelist a site or sites where you actually WANT that feature.
You have it reversed... Blocking 3rd party cookies is a feature, not 'not blocking 3rd party cookies'.
That would be kinda like using AdBlock Plus, but white listing a small group of sites that you actually want to support. Think that would work?
No, because that would require me to manage a whitelist, develop an extension and other nonsense just to get people a working federated single sign-on login system in a browser. And it's not only developers using this system, but users of the software, some of whom may not be very technically literate.
Additional steps aren't really acceptable for sign on. Using a non-federated system is not acceptable from a security standpoint either (such as getting the website to do authentication with an LDAP backend instead of using our OpenID variant).
If I'm an alien on earth that means I have access to technology far more advanced than a species whose farthest manned mission was to their own moon.
Or maybe you're really a gardener, only here due to your planet Melmac exploding because of a catastrophe involving a nuclear war and have nowhere else to go. We don't have an immigration agreement with Melmac and as such, you are subject to being deported by the Alien Task Force.
I'm an alien, convince me why an atom with 79 protons is more valuable than most others. Convince me why it is worth destroying entire civilizations in order to stockpile this element into vaults. Do you need it to survive? Do you need it to procreate? What makes this substance so valuable?
I'm sorry, you don't have the necessary documentation to enter this country, we are deporting you.
Your box getting owned is an end game scenario with or without Bitcoin.
Even the most sophisticated compromised attacks on the 'client side' don't work against bank sites that use multi-factor authentication to get anything done.
So no, this is not the same at all.
I'm not mean, I'm special.
Here, take this, it might make you feel better.
Organisations that use single sign on solutions like: https://www.atlassian.com/software/crowd/overview
My project isn't private, I'm just not mentioning the name because Slashdotters frown upon advertising.
If all you're doing is browsing, that's the reason. Some of us actually do more than simply browse on the web.
It breaks single sign-on support on my open-source project that doesn't capitalize on anything from the web; this pisses me off. Your argument is invalid.
It breaks my single sign-on solution for my open-source project.
Let's be fair, Anonymous Coward doesn't have a good history of comments to back him up.
Ever heard of Trojan condoms?
Trivially with the media library in Winamp, I don't get the problem?
Detective work. I said this was a lead, not full evidence.
No, those are chavs.
It would reveal that something Bitcoin related is being operated at that address.
Which tend to be people who have Bitcoin wallets.
Packet inspection offers a good lead.
Because MultiBit isn't online, so you can't access it from 'anywhere'.
The Bitcoin application has already crashed for me. It sent an error report to Microsoft!
That is because it is value and not a representation.
I'm not a 'n00b' when it comes to Linux and I had no problems with Unity.
Whoa, people with three digit UIDs still visit this place.