Social Sign-on Redirects are not another Heartbleed Flaw
IN THE wake of legitimate security concerns and revealed vulnerabilities, there is invariably a rash of irrational, paranoid myths that bubble to the surface.
PRECAUTION ≠ PARANOIA
While it would be nice to dismiss those who would compare unequal vulnerabilities equally, exaggerations spread quickly and kill productivity by generating unreasonable fear. Paranoia discourages people from using legitimate technologies for good reasons.
A FALSE ALERT
Yesterday I encountered an article entitled,
“Here comes a new, Web-wide security threat — this time for OAuth & OpenID”
The “attack” to which this author refers is hardly the crisis implied… certainly not of the same level as Heartbleed. Yes, there is a risk. But this gives an unnecessary black eye to an otherwise excellent authentication process.
THE SSO ENVIRONMENT
What the author is referring to is a method that you have very likely used. Often referred to as Social Sign-On, or a form of single sign-on, it is a mechanism that allows users to authenticate on a new site without creating a new user account. Very convenient. I use it on my own site or there would be ZERO users.
Instead of creating yet another account, SSO allows you to use your Facebook, Google, or some other site to verify your identity.
Social Sign-On setups do not need your bank account ID, so do not be foolish enough to provide it!! Remember, you would have to approve it at some point.
- The user clicks a “Sign on with Facebook” button, which typically pops up a Facebook login. NOTE: It *is* a Facebook login provided by Facebook.
- All data is encrypted in an SSL connection between the user and Facebook; the new website has no way of seeing the content.
- The process requires an application setup with Facebook that includes permission details that are “keyed” to the new site. The key is private and unique.
- Like email, there are usually several compliance requirements in play – for Google SSO the app must display its author, purpose, etc.
- Once the user's identity is verified, the new site typically creates a hidden user on its system and associates the two. The new site has no more information about you than if you had created a user on that site.
- Additional information can be requested, with your express consent, but this is typically your profile photo, email address. Sometimes apps request delegation of activities like posting to your wall on your behalf. Up to you.
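To make the flow above concrete, here is an added example (not code from the original post) of the relying party's side in Python: it asks only for the minimal scopes, binds the provider's callback to a login it actually started, checks what the user consented to, and links the verified identity to a hidden local user. Provider names, scope names and the in-memory stores are constructed placeholders; the authorization-code exchange with the provider over TLS using the site's private key is assumed to have already produced the `identity` claims.

```python
import secrets

# Constructed in-memory stores standing in for the relying party's database.
PENDING_STATES = {}   # state token -> scopes requested for that login attempt
LOCAL_USERS = {}      # (provider, subject) -> hidden local user record

# The only data this site needs; anything beyond this is an over-broad consent prompt.
MINIMAL_SCOPES = {"email", "public_profile"}


def start_login(provider, requested_scopes):
    """Build the authorization request behind the 'Sign on with <provider>' button."""
    excess = set(requested_scopes) - MINIMAL_SCOPES
    if excess:
        # Refuse to ask for things like wall posting if the site has no use for them.
        raise ValueError(f"refusing to request unnecessary scopes: {sorted(excess)}")
    # Unguessable state ties the provider's redirect back to this specific attempt.
    state = secrets.token_urlsafe(16)
    PENDING_STATES[state] = set(requested_scopes)
    return {"provider": provider, "scope": " ".join(sorted(requested_scopes)), "state": state}


def handle_callback(state, identity):
    """Consume the provider's redirect after the user logged in on the provider's own page.

    `identity` is the verified claim set obtained from the provider (subject id,
    granted scopes, optional email); the site never saw the user's password.
    """
    requested = PENDING_STATES.pop(state, None)   # single use: replay is rejected
    if requested is None:
        raise PermissionError("callback does not match a pending login started by this site")
    granted = set(identity["granted_scopes"])
    if not granted <= requested:
        # The provider reports more consent than we asked for: treat as tampering.
        raise PermissionError(f"unexpected scopes granted: {sorted(granted - requested)}")
    key = (identity["provider"], identity["subject"])
    if key not in LOCAL_USERS:
        # Hidden local user holding nothing more than a normal signup would.
        LOCAL_USERS[key] = {"id": len(LOCAL_USERS) + 1, "email": identity.get("email")}
    return LOCAL_USERS[key]
```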
Yes, there appear to be ways to pop up a genuine SSO request for a legitimate site. But it is asking for ridiculously irrelevant information. If you agree, you are essentially saying that while walking into the mall, a robber jumped in front of you, demanding the cash you were about to deposit in a nearby bank. You were going to eat lunch. Would you later blame the bank for the missing funds??