websecurity@lists.webappsec.org

The Web Security Mailing List

Re: [WEB SECURITY] Social login / federated identity

Martin O'Neal
Sun, Feb 24, 2013 10:02 PM

Haha, what is it you do for a living? Because you're not getting this
security stuff. ;)

> By the same argument, Firefox has had a security vulnerability

No no no. And no. All software has flaws. It's a given. Stupid argument.

This is a fundamental choice of paradigm, not product selection. It's
the equivalent of the difference between client-side or server-side data
storage.

> Yes, you did "tell me so", but I don't much care for your
> negative opinion.

Yes officer, I could see the stop sign but I didn't much care for its
negative connotations. ;)

> I think using social login is a prudent risk for most
> websites - not online banking, sure, but most websites.

Obviously I disagree.

The logic of it is this: if you don't care, then you don't need to
authenticate at all. If you do care, then do it properly.

Most frameworks have it built in. Clickity-click. Oh look.
Authentication enabled. No exposure to a third-party.

And in case you haven't worked it out, social logins like Facebook
aren't there to increase your security. They're there to profile your
internet usage, so that they can analyse you even when you're not using
their own site, and then they can sell you on to their real customers.
What possible reason would you have to recommend helping such a thing?

Martin...

Evan Larsen
Sun, Feb 24, 2013 10:59 PM

I'm going to have to argue in favor of federated identity but to be
clear only for WS-Federation.

Personally I think OAuth and OpenID are good for situations where you
don't need top notch security and there are many scenarios this is
valid. Like blogs that need authentication to leave a comment or
maybe some picture-sharing service, because it's non-critical
information.

I don't think it's fair to say SSO is bad, because that means you're
rolling WS-Federation in with OAuth and OpenID, since the implementations
are much different. WS-Federation is more secure than the former two.

Federated Identity, using WS-Federation, is good in enterprises
because it takes the responsibility of handling authentication out of
every single application and centralizes it. Frees individual
developers from the challenges of having to understand how to
implement authentication.

On Sun, Feb 24, 2013 at 5:02 PM, Martin O'Neal
<martin.oneal@corsaire.com> wrote:

> Haha, what is it you do for a living? Because you're not getting this
> security stuff. ;)
>
>> By the same argument, Firefox has had a security vulnerability
>
> No no no. And no. All software has flaws. It's a given. Stupid argument.
>
> This is a fundamental choice of paradigm, not product selection. It's
> the equivalent of the difference between client-side or server-side data
> storage.
>
>> Yes, you did "tell me so", but I don't much care for your
>> negative opinion.
>
> Yes officer, I could see the stop sign but I didn't much care for its
> negative connotations. ;)
>
>> I think using social login is a prudent risk for most
>> websites - not online banking, sure, but most websites.
>
> Obviously I disagree.
>
> The logic of it is this: if you don't care, then you don't need to
> authenticate at all. If you do care, then do it properly.
>
> Most frameworks have it built in. Clickity-click. Oh look.
> Authentication enabled. No exposure to a third-party.
>
> And in case you haven't worked it out, social logins like Facebook
> aren't there to increase your security. They're there to profile your
> internet usage, so that they can analyse you even when you're not using
> their own site, and then they can sell you on to their real customers.
> What possible reason would you have to recommend helping such a thing?
>
> Martin...
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
