
posted by martyb on Saturday August 08 2015, @12:54PM   Printer-friendly
from the 867-5309 dept.

I recently had a spirited discussion with someone about authenticating to various websites. I personally take the approach of making an explicit new identity for every service I sign up for — local logins only. I never use a "Social" login like twitter/facebook/google, etc. to access a site.

My reasoning is:

  1. It's a little harder to track my movements across the web; less data for the big players to crunch has to be beneficial in some way.
  2. When a data breach occurs, it limits my exposure to the breached entity. With the thought that, if the place you use as your only Authenticator for all websites gets compromised, what kind of exposure does that entail?

For some background, I'm a ten-year professional in Web Infrastructure, with Identity and Access Management making up a decent part of what I do. After pretty much being called an irresponsible professional and told that no identity information will leak due to the way OAUTH works, I thought I'd throw the question out to the community to get a feel for how you handle accounts to different websites, as well as the inherent tracking and security concerns thereof.

Bytram noted that we had a discussion on a similar topic a while back: Personal Privacy in a Surveillance World -- How Important is it? - SoylentNews



Related Stories

Personal Privacy in a Surveillance World -- How Important is it?

I'm about to give up.

On the one hand, I see countless people get loyalty cards and enjoy discounts on their purchases. They connect with friends on Facebook and Twitter. They use apps on android or apple smartphones to give them turn-by-turn directions, find out where their friends are, or find places of interest. Their e-mail is "in the cloud" where they can get to it from multiple places. They use services like dropbox to share files. They get their news on-line and read e-books. I could go on and on.

On the other hand, I see opportunities for tracking and profiling in every one of those activities. So much so that it seems like one would be under constant observation and surveillance. We are just data points to be sliced and diced and marketed to — a society of consumers rather than customers.

So, I've got a major "ick factor" knowing about these practices and yet I'm hard-pressed to explain any negative consequences to otherwise intelligent people. "I don't do anything that's THAT interesting." "I've done nothing wrong, so I don't worry about it." "I like getting the bonuses and discounts."

Yet, I see companies expend great amounts of money implementing tracking mechanisms such as cookies, super-cookies, clear gifs, as well as huge databases of purchases, travels, and interests. I don't believe they are doing this for purely philanthropic reasons.

In no particular order, I include these for consideration:

I use a variety of Addons while browsing the web using Pale Moon: a custom HOSTS file, Self-Destructing Cookies, Ad-Block Plus, Ghostery, NoScript, Better Privacy, Flashblock, and Ref Control. I have a firewall and use anti-virus products. "In real life" I prefer to use cash over charge cards for my purchases. I have no loyalty cards.

What say you Soylentils? Am I being unreasonably paranoid? Or not paranoid enough? What dangers, really, are there? Why not sign up for all those loyalty cards and social apps? What privacy protections do YOU use?

  • (Score: 0) by Anonymous Coward on Saturday August 08 2015, @01:17PM

    by Anonymous Coward on Saturday August 08 2015, @01:17PM (#219855)

    I try to never leave any account logged in on my computer in the event that I leave it unattended. "Social" logins are probably a more common target for those that are nosey or want to play a prank and they would only need 10 seconds.

    • (Score: 0) by Anonymous Coward on Saturday August 08 2015, @03:18PM

      by Anonymous Coward on Saturday August 08 2015, @03:18PM (#219882)

      My ICQ was permanently logged in. At a party a bitch (yes, a female geek with serious negativity and drug issues) turned my monitor on (yes yes this was back when w98 was cool) then proceeded to attempt to piss people off. Asshat.

      Never leave your social accounts logged in.

    • (Score: 2) by maxwell demon on Saturday August 08 2015, @05:17PM

      by maxwell demon (1608) Subscriber Badge on Saturday August 08 2015, @05:17PM (#219917) Journal

      I usually don't leave my computer running when it is unattended. I mean, when I'm not using it, why should it run, waste energy and present an attack surface, no matter how small?

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Saturday August 08 2015, @06:06PM

        by Anonymous Coward on Saturday August 08 2015, @06:06PM (#219932)

        Same here but emergencies or events that require immediate attention occur.
        I can count on one hand how many times I have been in this kind of situation where the computer was logged-in but I was out of reach of the keyboard. When I return, I always get an uneasy feeling when I realize that it was left unattended.

        • (Score: 2) by hendrikboom on Monday August 10 2015, @08:48PM

          by hendrikboom (1125) on Monday August 10 2015, @08:48PM (#220893) Homepage Journal

          That happened to a Debian developer a few years ago. Someone used the unattended computer.

          It took a month before all the repositories had been checked and most of the Debian developers' keys had been reissued through their chain of trust.

      • (Score: 4, Insightful) by Justin Case on Saturday August 08 2015, @06:22PM

        by Justin Case (4239) on Saturday August 08 2015, @06:22PM (#219938) Journal

        You lack imagination. When my computer is unattended, I'm definitely still using it.

        I come from a time when computers were for automating things, not just for watching cat videos. So I'm not happy unless I have a computer, or preferably many, working their asses off for me.

  • (Score: 2) by Justin Case on Saturday August 08 2015, @01:22PM

    by Justin Case (4239) on Saturday August 08 2015, @01:22PM (#219857) Journal

    Anytime someone tells you "but all those old concerns -- you can stop worrying -- they have been solved in this new zingy" you can assume you've found a liar, or a salesperson, but I repeat myself.

    "The protocol itself has been described as inherently insecure by security experts and a primary contributor to the specification stated that implementation mistakes are almost inevitable."

    https://en.wikipedia.org/wiki/OAuth [wikipedia.org]

    I'm not an OAUTH expert myself but I'd suggest at a minimum you want to subject it to as much scrutiny as any other "secure"* solution.

    * Protip: another flag that pretty much guarantees you're talking to a liar.

    • (Score: 0) by Anonymous Coward on Saturday August 08 2015, @03:17PM

      by Anonymous Coward on Saturday August 08 2015, @03:17PM (#219881)

      Nothing can or will ever leak from any secure service or protocol ... until it does.

  • (Score: 3, Interesting) by zafiro17 on Saturday August 08 2015, @01:47PM

    by zafiro17 (234) on Saturday August 08 2015, @01:47PM (#219860) Homepage

    I do about the same thing. Can't believe anyone would want to authenticate to, fer example, Soylent News using their Yahoo/Google/Facebook/whatever information. Why link accounts? Unless it's in the name of laziness, that is.

    I use different passwords for different systems, and keep a password keeper on my phone, which I religiously back up. Can't imagine doing it any other way until they make us authenticate using retinal scans against a government database, at which point I will be in my cave in Montana, oiling my gun and waiting for the Revolution.

    --
    Dad always thought laughter was the best medicine, which I guess is why several of us died of tuberculosis - Jack Handey
    • (Score: 3, Informative) by Nuke on Saturday August 08 2015, @07:11PM

      by Nuke (3162) on Saturday August 08 2015, @07:11PM (#219953)

      Can't believe anyone would want to authenticate to, fer example, Soylent News using their Yahoo/Google/Facebook/whatever information. Why link accounts?

      Lots of sites, particularly blogs and small specialised sites, just will not let you register to make comments or place queries without authentication from a major "social" site or specialised authenticator - Disqus keeps cropping up. I usually move on.

      • (Score: 2) by Hairyfeet on Sunday August 09 2015, @01:20AM

        by Hairyfeet (75) <reversethis-{moc ... {8691tsaebssab}> on Sunday August 09 2015, @01:20AM (#220081) Journal

        Well its not a problem for me, because my FB? Its my shit account. I don't use my FB for shit, the only info it has is shit, and the only people I have as friends are ones i don't give a rat's ass about. So why would I care if some website learns about people I hate that do things I don't care about and which has less info on me than your average /. profile? Knock themselves out.

        --
        ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
        • (Score: 0) by Anonymous Coward on Sunday August 09 2015, @06:55PM

          by Anonymous Coward on Sunday August 09 2015, @06:55PM (#220353)

          So how do you really feel?...

          (Not that I disagree, FB is apparently designed on the hazing/Stockholm principle. Make everyone suffer so that they feel devoted towards the cause of their punishment. It just make me want to kick Zuckerberg in the nuts)

    • (Score: 3, Informative) by Common Joe on Sunday August 09 2015, @02:52PM

      by Common Joe (33) <common.joe.0101NO@SPAMgmail.com> on Sunday August 09 2015, @02:52PM (#220256) Journal

      Use something like no-script and get rid of your cookies between sessions.

      It's amazing how many non-Facebook websites have Facebook javascripts running on their websites. No thank you. I don't know what information they track. By logging into the service on that other website and being logged into Facebook at the same time, they may transfer information between the two.

      I do use Facebook to keep in contact with friends around the world. (For some of my friends, it's about the only good way to keep in contact with them. Yes, I know some of you disagree with my choice. But it's my choice.) To help mitigate that, I make sure my cookies are destroyed every time I close out Firefox. (There's a setting for that.) When I'm ready to log into an account that I don't want to be associated with my social networks, I close out Firefox then re-open it. And I make sure the Facebook scripts are not running on those other sites.

      Food for thought.

  • (Score: 5, Informative) by meustrus on Saturday August 08 2015, @01:54PM

    by meustrus (4961) on Saturday August 08 2015, @01:54PM (#219861)

    As a developer who has worked to implement external authentication, I can tell you that OAuth is most certainly not it. It's not even intended to be authentication. That's why OpenID Connect exists, and very few OAuth providers implement it. Even their implementations are naïve and incomplete - what if you want to close a user's session after a certain amount of time, or even when they press a "log out" button? You just can't. They are permanently logged into your web site. Which comes down to what OAuth really is: it's a loose standard means of gaining decentralized access to your account information. It provides a usually secure method for well-behaved web sites to get things like your name and address and other account details, even more application-specific things like your friend network, without ever handling a user's password or needing to implement the provider's two-factor authentication.

    Honestly I'm not interested in sharing that kind of profile information outside of the people that have it, but depending on the implementation you may not even be asked for permission. OAuth mainly solves the "problem" of cross-domain cookie snooping. It provides an API to extract specific information from your cookies for other web sites (I am including in that information which could be acquired with the cookies, not just information that is explicitly stored there). And while OAuth makes it possible to develop fine-grained permissions per website which can be revoked at any time, the OAuth provider doesn't actually have to give them to you. The big players do for the most part. But they could stop at any time. And as we've known for quite some time, anybody using social media buttons is already leaking your browsing habits to those networks.

    Make no mistake: OAuth is not a secure standard. It's not the best standard. It's the first and only standard for this kind of sharing. It solves many problems that many of us have no interest in being solved. And the first version was so fatally flawed that OAuth 2 really looks nothing like OAuth 1. Which is good. But it's also telling.

    Anyway I seriously doubt that SoylentNews has the kind of audience that would be interested. Slashdot maybe. But not SoylentNews.

    --
    If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
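The distinction meustrus draws above (an OAuth access token is not a login; OpenID Connect adds an ID token so that it can be one) is easiest to see in code. What follows is an added example written for this page; it is not meustrus's code and not any provider's SDK. Everything in it is constructed: the issuer name `https://idp.example`, the client ids `evilapp` and `soylent-rp`, the shared HMAC secret, the user names and the claim values are all made up, and the tokens are HS256 JWTs so the script runs offline with only the standard library (real identity providers sign ID tokens with RSA or EC keys published via JWKS, but the validation logic at the relying party is the same).

```python
"""Toy relying party (RP): why a bare OAuth 2 access token is not proof of
identity, and what an OpenID Connect ID token adds.

Added example; all names, keys and claim values are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://idp.example"   # assumed issuer name
SECRET = b"demo-shared-secret"   # assumed; stands in for the IdP's signing key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """IdP side: mint a compact JWS (alg HS256) over the given claims."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str) -> dict:
    """Check alg and signature only; return the claims or raise ValueError."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


# --- what the IdP hands out -------------------------------------------------

def issue_access_token(sub: str, client_id: str) -> str:
    """Plain OAuth 2 access token: says what the bearer may *do* at the API,
    not who is standing in front of some other web site."""
    return sign_jwt({"iss": ISSUER, "sub": sub, "client_id": client_id,
                     "scope": "profile", "exp": int(time.time()) + 600})


def issue_id_token(sub: str, client_id: str, nonce: str) -> str:
    """OIDC ID token: an assertion addressed to one client (aud) that `sub`
    authenticated just now, bound to the nonce that client sent."""
    now = int(time.time())
    return sign_jwt({"iss": ISSUER, "sub": sub, "aud": client_id,
                     "nonce": nonce, "iat": now, "exp": now + 300})


# --- two ways a relying party can turn a token into a login ------------------

def naive_login_with_access_token(token: str) -> str:
    """The anti-pattern: any validly signed token from the IdP is treated as
    'this user logged in here'. Nothing binds the token to this RP, so a
    token a malicious app obtained for *its own* client id logs its holder
    in as `sub` at this site."""
    return verify_jwt(token)["sub"]


def oidc_login(id_token: str, expected_client_id: str, expected_nonce: str,
               now: Optional[int] = None) -> str:
    """ID token validation as OpenID Connect Core 1.0 section 3.1.3.7 requires:
    signature, issuer, audience, nonce and expiry. Returns the subject."""
    claims = verify_jwt(id_token)
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != expected_client_id and not (isinstance(aud, list) and expected_client_id in aud):
        raise ValueError("token not issued to this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or injected token)")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims["sub"]


def demo() -> dict:
    """Feed both login paths a token the IdP minted for a *different* client."""
    results = {}
    # alice legitimately signed in to EvilApp; EvilApp now holds her token.
    foreign_access = issue_access_token("alice", client_id="evilapp")
    results["naive_accepts_foreign_token"] = (
        naive_login_with_access_token(foreign_access) == "alice")
    foreign_id = issue_id_token("alice", client_id="evilapp", nonce="n1")
    try:
        oidc_login(foreign_id, expected_client_id="soylent-rp", expected_nonce="n1")
        results["oidc_accepts_foreign_token"] = True
    except ValueError:
        results["oidc_accepts_foreign_token"] = False
    own_id = issue_id_token("alice", client_id="soylent-rp", nonce="n2")
    results["oidc_accepts_own_token"] = (
        oidc_login(own_id, expected_client_id="soylent-rp", expected_nonce="n2") == "alice")
    return results


if __name__ == "__main__":
    print(demo())
```

The `aud` and `nonce` checks are what make the ID token usable as a login assertion; the access token carries neither, which is the sense in which OAuth on its own "is not authentication". Note also that after `oidc_login` succeeds the RP issues its own session cookie with its own lifetime and logout handling; the ID token's short `exp` bounds only the login assertion, not the session.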
  • (Score: 2) by wantkitteh on Saturday August 08 2015, @02:05PM

    by wantkitteh (3362) on Saturday August 08 2015, @02:05PM (#219866) Homepage Journal

    1 - If you don't pay for it, you're the product
    2 - The central authority has to be able to identify both the account being authenticated and the site they are authenticating to. (See point 1)

    • (Score: 1, Touché) by Anonymous Coward on Saturday August 08 2015, @04:15PM

      by Anonymous Coward on Saturday August 08 2015, @04:15PM (#219899)

      1 - If you don't pay for it, you're the product

      But you see, buying the product does not guarantee that you will not be tracked.

    • (Score: 1, Insightful) by Anonymous Coward on Saturday August 08 2015, @05:32PM

      by Anonymous Coward on Saturday August 08 2015, @05:32PM (#219925)

      > 1 - If you don't pay for it, you're the product

      That is no longer true.
      Nowadays even if you do pay for it, you are still a product, just not the only product.
      Diversification, bitches!

  • (Score: 4, Interesting) by Runaway1956 on Saturday August 08 2015, @02:51PM

    by Runaway1956 (2926) Subscriber Badge on Saturday August 08 2015, @02:51PM (#219878) Homepage Journal

    "no identity information will leak due to the way OAUTH works"

    Well, he's right. And, you can stop worrying about putting your stuff on the cloud too. http://www.networkworld.com/article/2369887/cloud-security/hackers-found-controlling-malware-and-botnets-from-the-cloud.html [networkworld.com]

    Clueless fools will tell you all sorts of things, to justify their own faith in whatever they have bought into. I have far more faith in my own hardware and installed software, than I have in some OAUTH, or cloud server, or anything else. I use two-part authorization on Google, to authenticate a "new" computer. They send a code to my cell phone, I enter the code into their web page. I sure as hell don't want to trust Facebook or something equally ridiculous for authentication.

    --
    Abortion is the number one killer of children in the United States.
    • (Score: 0) by Anonymous Coward on Saturday August 08 2015, @06:29PM

      by Anonymous Coward on Saturday August 08 2015, @06:29PM (#219941)

      I sure as hell don't want to trust Facebook or something equally ridiculous for authentication.

      But Google is fine, right?

      • (Score: 2) by Runaway1956 on Sunday August 09 2015, @12:14AM

        by Runaway1956 (2926) Subscriber Badge on Sunday August 09 2015, @12:14AM (#220056) Homepage Journal

        Relatively speaking - yes, Google is better than Facebook.

        You will probably realize that the two part authentication only works for Google services? That is, I'm not using Google to authenticate here on Soylent, or anywhere else on the web.

        Errrr - that's not quite accurate. I'm registered on two sites where the registration process just wouldn't complete. I finally gave up, and "registered" using my Google identity. Neither of those sites is "important", IMO. And, again, I wouldn't trust Facebook even with those unimportant logins.

        --
        Abortion is the number one killer of children in the United States.
  • (Score: 1, Informative) by Anonymous Coward on Saturday August 08 2015, @06:02PM

    by Anonymous Coward on Saturday August 08 2015, @06:02PM (#219931)

    In Finland a lot of web services require that you identify yourself using your 2 factor auth bank credentials. I find this scary. But I don't understand how it works. Usually there is no way to opt out. Should I be afraid? https://en.wikipedia.org/wiki/TUPAS [wikipedia.org]

    • (Score: 0) by Anonymous Coward on Saturday August 08 2015, @09:24PM

      by Anonymous Coward on Saturday August 08 2015, @09:24PM (#219995)

      You should be happy. The regulators in your country have more of a clue about security than in most.