[OpenID] Facebook Connect in 8 minutes, feat Luke Shephard

Peter Williams pwilliams at rapattoni.com
Fri Dec 12 21:01:23 UTC 2008


We are not Facebook size, but we have ~50% of our customers doing websso (redirect/auto-post) based handoffs; been operational for ~2 years and targets consumers with mostly unmanaged PCs. I think you can legitimately call it now part of the US critical infrastructure, given the amount of national cash flow that depends on the service being available.

Is any of it best practices and auditable as such? No, not really. But what do you expect for a few dollars, per user (that GSA office systems procurers would not blink at paying $100 per user, for the security features alone)? We must, of course, all do what we can with our reality. The existence and our use of the various websso standards certainly helped.

Facebook's rejection of third-party-developed websso standards reminds me of Lotus Notes, when Lotus (pre IBM purchase) just would not adopt X.509 before 1995 (and maintained its own certificate/key management formats from 1985, used its own funky secure email formats, and basically just would not play with anyone else in the ball pit).

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Luke Shepard
Sent: Friday, December 12, 2008 10:00 AM
To: Peter Watkins; Nate Klingenstein
Cc: diso-project; general at openid.net
Subject: Re: [OpenID] Facebook Connect in 8 minutes, feat Luke Shephard

> my main point is that Facebook Connect violates best practices in obvious ways that OpenID and other
> technologies like SAML do not.

> And the Foundation and we mere OpenID users should make the case that
> embedding unvetted Javascript is bad practice -- that Facebook Connect
> is a poor alternative to OpenID not simply because it's proprietary and
> does not scale, but because its current design is fundamentally flawed.

Facebook has offered a means of logging in to a site doing a full page redirect since August 2006. In the past two years, it has gotten basically zero adoption because it's a terrible user experience. For sites that are uncomfortable embedding third-party Javascript, that is still out there today.

The risk of embedding known, trusted, third-party Javascript is just not that big for most of the big sites today. Many of the same sites implementing Connect already embed Javascript - whether it be ads from Google, YUI libraries, MooTools, JQuery, Prototype, ... whatever. As long as it's from a trusted source, it's generally fine. Far more than the security risks are those from stability, and we've worked hard to get our system to be very reliable.

In short, the cost of implementing Connect or OpenID without the help of a Javascript library is greater than the expected cost of a security breach by embedding a third-party Javascript library. Hence, most businesses will choose the library.