Comments on: Facebook Platform: bad login practices, OpenID doesn’t work http://benlog.com/articles/2007/07/03/facebook-platform-bad-login-practices-openid-doesnt-work/ security, privacy, transparency. Mon, 30 Jan 2012 20:03:02 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Benlog » Protecting Data by Being More Open http://benlog.com/articles/2007/07/03/facebook-platform-bad-login-practices-openid-doesnt-work/comment-page-1/#comment-111157 Benlog » Protecting Data by Being More Open Thu, 13 Sep 2007 23:20:12 +0000 http://benlog.com/articles/2007/07/03/facebook-platform-bad-login-practices-openid-doesnt-work/#comment-111157 [...] Facebook’s. Even though they are not apparently abusing the credentials, they’re still getting users accustomed to the concept of entering one site’s password on a different site. But if you look at it from the LinkedIn point of view, what choice do they have? How can they [...] [...] Facebook’s. Even though they are not apparently abusing the credentials, they’re still getting users accustomed to the concept of entering one site’s password on a different site. But if you look at it from the LinkedIn point of view, what choice do they have? How can they [...]

]]> By: ben http://benlog.com/articles/2007/07/03/facebook-platform-bad-login-practices-openid-doesnt-work/comment-page-1/#comment-66412 ben Wed, 11 Jul 2007 23:38:11 +0000 http://benlog.com/articles/2007/07/03/facebook-platform-bad-login-practices-openid-doesnt-work/#comment-66412 Leon: I'm sure there are plenty of protocols that do this nicely, assuming everyone talks SAML... but Firefox doesn't talk SAML, right? So how do we do this *on the web*? Do we need new infrastructure in the browser? Can it be done with passwords (i think likely not)? It's not an issue of whether it can be done theoretically, it's an issue of whether it can be done with the software we have deployed today or in the near future. Leon: I’m sure there are plenty of protocols that do this nicely, assuming everyone talks SAML… but Firefox doesn’t talk SAML, right? So how do we do this *on the web*? Do we need new infrastructure in the browser? Can it be done with passwords (i think likely not)? It’s not an issue of whether it can be done theoretically, it’s an issue of whether it can be done with the software we have deployed today or in the near future.

]]> By: Leon http://benlog.com/articles/2007/07/03/facebook-platform-bad-login-practices-openid-doesnt-work/comment-page-1/#comment-65412 Leon Tue, 10 Jul 2007 18:09:13 +0000 http://benlog.com/articles/2007/07/03/facebook-platform-bad-login-practices-openid-doesnt-work/#comment-65412 quote: "where the user is specifically asked to associate two different accounts on two different systems" I can think of more that one way to solve this, but the first thing that comes to mind is the SAML specification. Isn't federation just about using assertions to connect different user accounts on different systems? quote: “where the user is specifically asked to associate two different accounts on two different systems”

I can think of more that one way to solve this, but the first thing that comes to mind is the SAML specification. Isn’t federation just about using assertions to connect different user accounts on different systems?

]]> By: ben http://benlog.com/articles/2007/07/03/facebook-platform-bad-login-practices-openid-doesnt-work/comment-page-1/#comment-61390 ben Wed, 04 Jul 2007 15:13:04 +0000 http://benlog.com/articles/2007/07/03/facebook-platform-bad-login-practices-openid-doesnt-work/#comment-61390 Eugene, So Facebook proxying the content is not great for privacy, but at least we should find a way to secure the authentication tokens, even if the content is not secured. You can't send the Zoho cookies to FB, since they're on a different domain.... It's an interesting challenge to do this generically. Eugene,

So Facebook proxying the content is not great for privacy, but at least we should find a way to secure the authentication tokens, even if the content is not secured. You can’t send the Zoho cookies to FB, since they’re on a different domain…. It’s an interesting challenge to do this generically.

]]> By: eugene http://benlog.com/articles/2007/07/03/facebook-platform-bad-login-practices-openid-doesnt-work/comment-page-1/#comment-61241 eugene Wed, 04 Jul 2007 08:44:17 +0000 http://benlog.com/articles/2007/07/03/facebook-platform-bad-login-practices-openid-doesnt-work/#comment-61241 Interesting point Ben. You need a variant of Internet Kerberos that allows you to authenticate with other services w/o revealing your actual credentials. However, the issue with facebook is the fact that it proxies all of the traffic through it so be it OpenID, iKerberos or whatever you will still have this problem. If you were authenticated with Zoho already and FB could just pass Zoho cookies through that would achieve your "crypto token" goal. However, if FB was compromised anyone could just "borrow" my Zoho cookies and impersonate me. Interesting point Ben. You need a variant of Internet Kerberos that allows you to authenticate with other services w/o revealing your actual credentials.

However, the issue with facebook is the fact that it proxies all of the traffic through it so be it OpenID, iKerberos or whatever you will still have this problem.

If you were authenticated with Zoho already and FB could just pass Zoho cookies through that would achieve your “crypto token” goal. However, if FB was compromised anyone could just “borrow” my Zoho cookies and impersonate me.

]]>