Identity Authentication on the Internet
30 August 2013
I’m jumping into the world of identity authentication on the internet and keeping links and notes here.
- Tim Bray’s Federation Conversation.
- The NSA is Commandeering the Internet by Bruce Schneier.
- Running a Login System with an Account Chooser by Eric Sachs of Google’s Identity team.
> The short version is that the security of a user’s accounts on the Internet has become equivalent to the security of the least secure website where the user types their password. Or to put it another way, the security of the Internet as a whole is now equivalent to the security level of websites with the worst security. And there are plenty of websites with little to no security.
> If you are reading this guide, you are responsible for one of those websites. Unless you work for a firm with hundreds of dedicated security personnel, there generally is no reason for your site to require that users are authenticated with passwords. It both reduces the security of your own website to the level of websites with worse security, but it also reduces the security of other websites who have tried to build stronger security.
- Mozilla Persona: a sign-in system for the web.
- Troy Hunt: SSL is not about encryption.
- Moxie Marlinspike’s website, thoughtcrime.org
> I like computer security and software development, particularly in the areas of secure protocols, cryptography, privacy, and anonymity. But I also secretly hate technology, am partially horrified with the direction “geek” culture has gone, and have little affection for the weird entrepreneur scene that’s currently devouring the Bay Area.
> In general, I hope to contribute to a world where we value skills and relationships over careers and money, where we know better than to trust cops or politicians, and where we’re passionate about building and creating things in a self-motivated and self-directed way.