websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] Social login / federated identity

Martin O'Neal
Mon, Oct 15, 2012 9:44 PM

> Personally, I think that the vast majority of web sites
> should allow social login. It's probably not appropriate
> for online banking, but pretty much anything else is ok.

An oft repeated mantra is to not share credentials across unrelated
sites, yet social SSO flies in the face of this (for all the obvious
entanglement and trust issues).

It may be more convenient, but then so are velcro flies. Ultimately, it
pretty much boils down to whether you still want to be respected in the
morning. ;)

Martin...


CONFIDENTIALITY:  This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited.  If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.

DISCLAIMER:  Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.

Corsaire Limited, head office: Unit 2 Grosvenor Court, Hipley Street,
Old Woking, Surrey GU22 9LL. Telephone: +44 (0)1483-746700.
Registered in England No. 3338312. Registered office: Portland House,
Park Street, Bagshot, Surrey GU19 5PG.

Paul Johnston
Tue, Oct 16, 2012 9:37 AM

Hi,

>> Personally, I think that the vast majority of web sites
>> should allow social login. It's probably not appropriate
>> for online banking, but pretty much anything else is ok.

> An oft repeated mantra is to not share credentials across unrelated
> sites, yet social SSO flies in the face of this (for all the obvious
> entanglement and trust issues).

I think this is a complete misunderstanding on your part, and something
I want to address in the course.

A typical web user has lots of login accounts. Some they care about,
e.g. main email account. Some don't really matter, e.g. a random forum
that requires registration to post. Now, if you use the same password
everywhere, your password could be leaked from that random forum
(perhaps by a hacking attack, a malicious admin, or any number of other
ways) - and crucially, could be used to compromise an account that you
really care about. That is why you are well advised not to use the same
password everywhere.

However, the same is not true for a single sign-on system. If you use
your main email account as your SSO provider, you can use this to create
accounts on all those random forums. The random forums do NOT gain the
ability to take over your main email account (if you question this, read
the specs for any decent SSO protocol). It's true that a compromise at
your email provider would also cause a compromise on all those forums.
But users can choose an SSO provider which they believe to be secure,
making that risk acceptable.

Regards,

Paul

--
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
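The trust argument in Paul's reply, as an added toy model (not code from either poster or from any real SSO protocol): a forum that leaks a reused password opens the user's email account, while a forum that holds only an audience-bound SSO assertion can neither log in to the email provider nor present that assertion at another site. The signing scheme, key names and account values are constructed for illustration; real protocols use public-key signatures so relying parties never hold the provider's key.

```python
import hmac, hashlib, json

# Constructed secrets for the toy model; in practice neither leaves its holder.
IDP_KEY = b"constructed-idp-signing-key"     # known only to the identity provider
EMAIL_PASSWORDS = {"alice": "hunter2"}      # the "main email account" Paul refers to

def email_login(user, secret):
    """Password login at the email provider (the account the user cares about)."""
    return EMAIL_PASSWORDS.get(user) == secret

def idp_issue(subject, audience, key=IDP_KEY):
    """IdP signs 'subject authenticated for audience'. Modelled here with HMAC;
    a real IdP would use a public-key signature the RP can check itself."""
    payload = json.dumps({"sub": subject, "aud": audience}, sort_keys=True)
    return payload, hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def idp_verify(payload, tag):
    """Signature check performed with the IdP's key (never shared with RPs)."""
    good = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, tag)

def rp_accept(rp_name, payload, tag):
    """A relying party accepts only genuine assertions addressed to itself."""
    return idp_verify(payload, tag) and json.loads(payload)["aud"] == rp_name

def leak_reused_password():
    """Scheme 1: the forum stored Alice's reused password; its dump opens her email."""
    forum_db = {"alice": "hunter2"}          # constructed leak: same password everywhere
    return email_login("alice", forum_db["alice"])

def leak_sso_assertion():
    """Scheme 2: the forum stored only the SSO assertion issued for it."""
    payload, tag = idp_issue("alice", "forum-a")
    return {
        "opens_email": email_login("alice", tag),                  # a token is not a password
        "reusable_at_forum_b": rp_accept("forum-b", payload, tag), # wrong audience, rejected
        "valid_at_forum_a": rp_accept("forum-a", payload, tag),    # only the already-breached site
    }

def forum_tries_to_forge():
    """A compromised forum cannot mint assertions for other sites: it lacks the IdP key."""
    payload, tag = idp_issue("alice", "forum-b", key=b"forum-a-guess")
    return rp_accept("forum-b", payload, tag)

def idp_compromise():
    """Paul's caveat: whoever holds the IdP key can log in as Alice at every RP."""
    payload, tag = idp_issue("alice", "forum-b")    # attacker using the stolen key
    return rp_accept("forum-b", payload, tag)
```

The contrast is the whole point: with password reuse the forum breach is `True` for the email account, while the leaked assertion is useless outside the forum that already held it, and only a breach of the provider itself cascades.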
