Wednesday, March 17, 2010

Web Sites that Use Facebook, Google, etc for Identity

It can be convenient and powerful to log in to a website (e.g., to add comments) using your Facebook (or, occasionally, Google) identity. Convenient, because you don't have to sign up for anything. Powerful, because if you want it to--a big if--it is connected with your identity. It makes me nervous though.

In theory, they are connecting directly to Facebook, through a secure HTTP connection, so they never intercept your password. I see several possible problems, though:
  1. A rogue site could fake the Facebook login page, and intercept your password. Maybe they could even do this very cleverly, calling through to Facebook, so that you even get the expected results of a successful Facebook connection.
  2. A rouge site could just play on the fact that people are used to doing this, and not even offer a Facebook login page, allowing them to easily capture your password.
  3. The Facebook login page could be presented over a non-secure HTTP connection. Unless I am missing something, that seems to be what is happening in the screenshot below, from the site This probably is carelessness, not an intentional attempt to steal your password. (Am I missing something?--I don't see an "httpS", and I don't see a little lock symbol in the lower right corner.

No comments:

Post a Comment