[WEB SECURITY] Social login / federated identity

Martin O'Neal martin.oneal at corsaire.com
Sun Feb 24 17:02:05 EST 2013


Haha, what is it you do for a living? Because you're not getting this
security stuff. ;)

> By the same argument, Firefox has had a security vulnerability

No no no. And no. All software has flaws. It's a given. Stupid argument.


This is a fundamental choice of paradigm, not product selection. It's
the equivalent of the difference between client-side or server-side data
storage.


> Yes, you did "tell me so", but I don't much care for your 
> negative opinion. 

Yes officer, I could see the stop sign but I didn't much care for its
negative connotations. ;)


> I think using social login is a prudent risk for most 
> websites - not online banking, sure, but most websites.

Obviously I disagree. 

The logic of it is this: if you don't care, then you don't need to
authenticate at all. If you do care, then do it properly. 

Most frameworks have it built in. Clickity-click. Oh look.
Authentication enabled. No exposure to a third party.

And in case you haven't worked it out, social logins like Facebook
aren't there to increase your security. They're there to profile your
internet usage, so that they can analyse you even when you're not using
their own site, and then they can sell you on to their real customers.
What possible reason would you have to recommend helping such a thing?


Martin...




