tags:

views:

290

answers:

3
Q: 

Why Shouldn't I Programmatically Submit Username/Password to Facebook/Twitter/Amazon/etc?

I wish there was a central, fully customizable, open source, universal login system that allowed you to login and manage all of your online accounts (maybe there is?)...

I just found RPXNow today after starting to build a Sinatra app to login to Google, Facebook, Twitter, Amazon, OpenID, and EventBrite, and it looks like it might save some time.

But I keep wondering, not being an authentication guru, why couldn't I just have a sleek login page saying "Enter username and password, and check your login service", and then in the background either scrape the login page from say EventBrite and programmatically submit the form with Mechanize, or use an API if there was one? It would be so much cleaner and such a better user experience if they didn't have to go through popups and redirects and they could use any previously existing accounts.

My question is:

  • What are the reasons why I shouldn't do something like that?

I don't know much about the serious details of cookies/sessions/security, so if you could be descriptive or point me to some helpful links that would be awesome. Thanks!

Edit:

I'm familiar with OpenID and the APIs. I was really wondering about the security/legal/confidentiality side of things. I understand the confidentiality part totally, don't know if there's anything legally written down about this, but assuming it's under ssl, and I don't store any of the data (will store the cookies and tokens), what are the security implications?

+5  A: 

If I come to your website and give you my gmail password, what guarantee do I have that you won't read all my emails and even send a few of your own? And what if you become a little smarter and say 'people reuse passwords, I might just as well try if this password works for his bank account'.

As a user, I don't trust your site with my password. Period.

The whole point of Open Id and OAuth (that's what RPX uses) is to get around the above issue. I can give your website restricted, revocable and configurable access to my facebook account, all without giving your website my facebook password.

The UI is confusing, I agree. But with time people will understand what its all about, and it will be a lot better.

sri  2010-04-20 10:53:48
thanks for the input, but I still wonder, me asking them for their facebook or myspace credentials is the same as openid asking for it: there must be some sort of agreement they're held to so they don't look at them or use them in any way right? Are there legal things preventing us from doing that same sort of thing? (I'm just wondering so I really understand, not that I'm trying to do anything crazy).
viatropos  2010-04-20 11:01:09
@viatropos Based on my limited knowledge, OpenID never ask for other services username and password. It just authenticates you and send a token to the service provider. Service provider like Stackoverflow implement in their side to accept the token and login into the app.
blntechie  2010-04-20 11:09:20
@viatropos - Websites like SO never get to see my loginid/password. If they use just OpenID, they are only getting a confirmation from google/yahoo/what-have-you that the person is who he claims he/she is.
sri  2010-04-20 11:15:28
the reason I'm asking is, I and a few people I'm working with want to be able to login and purchase tickets from eventbrite by having me build a nicer interface and programmatically submitting their form. assuming I don't store the data (credit card and email/password), its under https, and the user is warned with something like "BE FORWARNED", what do you think :)? It seems totally secure to me, all that's left is confidentiality, but if they explicitly trust me, what's the risk then?
viatropos  2010-04-20 11:37:07
@viatropos - In that case, Security becomes unimportant, because its now a question of Legality. Scraping a ticket selling website is illegal, and there is a precedent of an indictment. See this article - http://www.darknet.org.uk/2010/03/high-tech-ticket-scalpers-earn-25-million-profits/. You may not have ill-intentions, but going along this path IS RISKY.
sri  2010-04-20 11:56:34
@sri, thanks for the article, but that's nothing like what I'm doing :).
viatropos  2010-04-20 12:23:37
@viatropos - Yes, I realized you weren't going to that extent :) But nevertheless, you have to enter credit cards, CVV and expiry dates on behalf of someone else, defeat captcha's and probably also scrape eventbrite from different IP addresses to avoid detection. Doesn't seem worth to me.
sri  2010-04-20 12:34:14
Looks like eventbrite have an API, and that API requires the end-users credentials - http://www.eventbrite.com/api/doc/auth. I now understand what you want to do. I'll follow up on the other question you have raised.
sri  2010-04-20 13:00:53
+1  A: 

Security and Confidentiality. Period.

Even some websites like Facebook discourage using this approach in their TOS i believe. If so, it will be illegal to do so.

blntechie  2010-04-20 11:06:28
+2  A: 

As already said above:

  • The site (or the site owner) accessing your {google|yahoo|etc} account cannot be trusted not to change your password and kick you out of your account.

But I feel there are other good reasons:

  • Many people use the same password on more than one site ore account (some could have the same password on gmail and paypal) and the site owner could abuse that

  • The site owner doesn't want to be held liable for other site owners abusing your account

  • The site owner could not be able to store your username and password in secure fashion. The site needs to be able to access them automatically. So on the server hosting there is stored everything needed to access those credentials.

And the hosting usually happens in a shared or virtual server with the hosting company administrators (and sometimes - if the hosting company isn't too conscious - fellow users) able to access them.

ZJR  2010-04-20 11:09:09
man it's crazy, every single site/app I've inherited/had-to-fix breaks all of these security rules. every single one. but nobody ever has the time or desire to do anything wrong with their data, they hardly even know it's there. anyway, luckily we have openid now :).
viatropos  2010-04-20 11:25:07

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security