{"id":968,"date":"2008-04-08T00:00:00","date_gmt":"2008-04-08T00:00:00","guid":{"rendered":"\/?p=968"},"modified":"2008-04-27T13:04:28","modified_gmt":"2008-04-27T21:04:28","slug":"flickr-windows-live-id-and-phishing","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=968","title":{"rendered":"Flickr, Windows Live ID and Phishing"},"content":{"rendered":"

We talk a lot\u00a0in the identity milieu about\u00a0opening up the \u201cwalled Gardens\u201d that keep\u00a0our digital\u00a0experiences partitioned between Internet portals.\u00a0 Speaking as a person who\u00a0dabbles in many\u00a0services, it\u00a0would be really great\u00a0if I could\u00a0reuse information\u00a0rather than entering it over and over again.\u00a0 I think as time goes on we will get more\u00a0and more fed up with the\u00a0friction that\u00a0engulfs\u00a0our information.\u00a0\u00a0\u00a0Over time\u00a0enough\u00a0people will feel this way that no\u00a0portal will be able to avoid\u00a0\u201ddata portability\u201d and still attract usage.<\/p>\n

Even so, many\u00a0have argued that\u00a0today\u2019s business models\u00a0don\u2019t allow more user-centric\u00a0services to evolve.\u00a0 That\u2019s why it has been fascinating to\u00a0read about\u00a0the new Flickr Friend Finder<\/a>.\u00a0\u00a0I think it is tremendously significant to see\u00a0organizations of the\u00a0stature of Flickr, Yahoo, Google\u00a0and Microsoft working closely\u00a0together so people can easily associate their pictures on one site with their friends and colleagues from others.<\/p>\n

Once people decide to share information between\u00a0their services, we run smack dab into the \u201chow\u201d of it all.\u00a0 In the past, some sites actually asked you to give them your username and password, so they could\u00a0essentially become you<\/strong>.\u00a0 Clearly this\u00a0was terrible from a security and identity\u00a0point of view.\u00a0\u00a0The fact is,\u00a0sharing requires new technology approaches.<\/p>\n

Windows Live has moved forward in this area by developing a new \u201cContacts API<\/a>\u201c.\u00a0 Angus Logan gave us a great overview on his blog recently<\/a>, taking\u00a0us through the whole experience.\u00a0 I recommend\u00a0you look at\u00a0it – the design handles a lot of fascinating issues that we\u2019ll be encountering more and more.\u00a0 I\u2019ll just pick up on the first couple of steps:<\/p>\n

Go to the Friend finder<\/a><\/p>\n

\"image\"<\/a><\/p>\n

Select Windows Live Hotmail (you can also select Yahoo! Mail and GMail) \u2013 I\u2019d imagine soon there will be Facebook<\/a>The-New-Faces-at-Facebook <\/span> \/ LinkedIn \/ insert social network here.<\/p>\n

\u00a0\"image\"<\/a><\/p>\n

If you aren\u2019t already authenticated, use your Windows Live ID to sign in (IMPORTANT: Notice how you are not sharing your Windows Live ID secret credential pair with Flickr \u2013 this is a good thing!)<\/p>\n

\"image\"<\/a><\/p><\/blockquote>\n<\/blockquote>\n

If you\u00a0have followed my work on the problems\u00a0with protocols that redirect users\u00a0across web contexts, you\u00a0will see\u00a0there is a potential problem\u00a0here.\u00a0\u00a0<\/p>\n

If Flickr plays by the rules, it will not\u00a0learn your username and password, and cannot \u201cbecome you\u201d.\u00a0\u00a0It really is a step forward.<\/p>\n

But\u00a0if a user gets used to this behavior, an unreputable site\u00a0can pretend to\u00a0send her\u00a0to Windows Live by putting up a fake page.\u00a0 The fake\u00a0can look\u00a0real enough\u00a0that\u00a0the user\u00a0gives away\u00a0her credentials.<\/p>\n

A user called davidacoder <\/strong>called this out on Angus\u2019 blog:<\/p>\n

I think this whole approach will lead to many, many, many hacked Windows Live ID accounts. If you guys seriously believe that average users will be able to follow the rule \u201conly type in your credentials on login.live.com\u201d your are just naive. AND your own uber-security guy Kim Cameron is telling that very story to the world for years already. I wouldn\u2019t mind so much if a Live ID was a low-value asset, but you bring people to associate some of their most valuable assets with it (email, calendar, contacts). I find the whole approach irresponsible. I just hope that at some point, if someone looses his credentials this way, he will sue you and present Kim Cameron\u2019s blog as evidence that you were perfectly aware in what danger you bring your users. And to make a long story short, I think the Live ID team should fix the phising problem first (i.e. implement managed infocards), before they come up with new delegation stuff etc that will just lead to more attack surface. Very bad planning.<\/p><\/blockquote>\n

I admire David\u2019s passion, although I\u2019d prefer not to be used in any law suits if that is OK with everyone.\u00a0 Let\u2019s face it.\u00a0 There are two very important things to be done here.\u00a0<\/p>\n

One is to open up the portals so people can control their information and use it as they see fit\u00a0 I\u00a0totally endorse Angus\u2019 work in this regard, and the forward-looking attitude of the Windows Live team.\u00a0 I urge everyone to give them the credit they deserve so they\u2019ll continue to move in this positive direction.<\/p>\n

The other is to\u00a0deal with the\u00a0phishing problems\u00a0of the web.\u00a0<\/p>\n

And let me be clear.\u00a0 Information sharing is\u00a0NOT the only factor heightening the need for stronger Internet identity.\u00a0 It is one of a dozen factors.\u00a0 Perhaps the most\u00a0dangerous of these is the impending collision between the security infrastructure of the Internet and that of the enterprise.\u00a0 But no one can prevent this collision – or turn back the forces of openness.\u00a0 All we can do is make\u00a0sure we\u00a0apply every effort to get\u00a0stronger identity into place.<\/p>\n

On that front, today Neelamadhaba Mahapatro (Neel), who runs Windows Live ID, put up a post <\/a>where he responds to David\u2019s comment:<\/p>\n

Earlier this week a comment<\/a> was left on Angus Logan\u2019s blog<\/a>, it got me thinking, and I want to share what we are doing to create phishing resistant systems.<\/p>\n