Simon McVittie <s...@debian.org> writes:

> By way of context, OpenID originated on Livejournal as a way to have
> federation between blogging platforms (e.g. other sites running the
> Livejournal codebase). At the time, https was considered sufficiently
> expensive that LJ didn't even use it to secure login, let alone normal
> browsing. OpenID's original threat model was "stop people not on my
> friends list from reading what I blog about them", not "stop the US
> government from reading my secrets".
It's probably worth mentioning here that I work on authentication systems for Stanford University, where (among other things) they have to protect financial systems with access to multi-million-dollar accounts and the privacy of patient data shared with the School of Medicine by the Stanford Hospital. So my default security analysis tries to protect against determined, dedicated attackers going after high-value targets.

It is entirely reasonable to decide that your threat model is casual snooping and casual attacks and that the amount of overhead required to defend against a serious attacker just isn't worth it. The trick is to make sure that your threat profile doesn't change after you make that decision, at least without also changing your decision.

There are parts of the Debian infrastructure that need to be robust against high-value targets, so introduction of weaker authentication systems (like most OAuth profiles) would require carefully tracking where they're being used and being careful not to use them where they're not appropriate. One *can* do this -- we do this right now for the Mailman admin passwords on Alioth, for example, which are certainly not a strong authentication mechanism but which are entirely adequate for the purpose they're being used for. But it requires care.

There's also a tendency for attackers to find additional reasons to attack low-value targets that weren't anticipated. For example, LiveJournal got much more serious about protecting account logins when attackers started attacking LiveJournal accounts, not to read friends-locked posts or post spam, but to inject malware that would compromise the systems of people using LiveJournal and join them to botnets.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/871u95bhae....@windlord.stanford.edu