Don't use third party auth to sign in (singh.im)
842 points by gurjeet on Nov 14, 2020 | 527 comments



The risk of getting your account locked is just one of the reasons you shouldn't use Google (and the like) to sign in.

But how did we end up in this horrible state of authentication? Why don't we have something as easy to use as the DNS, but for authentication?

Imagine what authentication would look like, if we all started running in the same direction, instead of implementing our own authentication again and again. If we had something open source, that would allow you to sign in to all the sites you use, while completely protecting your privacy, so none of them know who you are.

This dream can come true. Technically at least. I've taken the first baby steps with https://promiseauthentication.org which proves that this is possible.

But, for this to become a reality, we really need to start running in the same direction. A collective movement towards a sane, privacy-first Single Sign-On provider that's easy to use for everybody.


It's a step in the right direction, but it's still centralized. A lot of the work done by the Indie Web community around IndieAuth[1] is really attractive. Your identity is your domain, and you can change how your domain says you're allowed to authenticate. Now you can even use sign-in with google without getting locked out should you lose your google account.

Aligns really well with using your own domain for email instead of gmail.

[1] https://indieauth.net/


I hadn't heard of either Promise or IndieAuth before reading this thread, so apologies if this is a dumb question. But one of the benefits of Promise is that it's pseudonymous:

> You will get a unique identity pr. service you use. This ensures that relying parties have no way to profile you across services.

For me, this is actually the biggest reason that I stopped using social sign-ins. It's not that Google might disable my account one day; it's more that I don't want Google or Facebook tracking me.

How does a decentralized system handle this? If my identity is my domain, doesn't that mean that all these websites now have a unique id which they can use to join together all their separate pieces of data about me?


You're right, all the websites could band together to coordinate and share that the same person logged into each site. They do this today with email addresses and phone numbers explicitly (and implicitly with "advertising IDs" and the like). The Facebook "like" button and Google analytics are both tools to make it easier to track you around the web. Getting away from being able to track you around the web is going to take a lot more than just an anonymous ID as your login credential.

That said, the unique identity is still valuable--Apple offers this with their third party sign in[1]. Practically, if everyone was using self-hosted identity, then the tools would probably make it easy for you to create and track your own new identities for each service you use. This isn't built into something like IndieAuth today, but with the right DNS settings you could have arbitrary subdomains return the same authentication options and act as easy-to-use "sub identities".

[1]: https://support.apple.com/en-us/HT210425


Being pseudonymous is one of the main selling points of Promise.

Only by being pseudonymous can it provide the level of privacy that should be expected from the global authentication infrastructure that Promise wants to be.


Does Promise get to know which sites you sign in to?


Yes. Promise keeps a map of your sites and IDs.


Isn't that a problem, like "let's get rid of Google and all the evildoers because they know too much about us" then "oh we realize we created another one which knows too much about us"?


I get where you're coming from, and this is something I've been thinking a lot about.

It would be possible to not save the map, and then use some kind of hashing to infer user ids for each site. I chose not to do this, to be able to guarantee no collisions. This might be silly, though. But the thought of people with colliding user ids makes me giddy.

The data stored looks something like this:

    {
      "ids": {
        "example.com": {
          "07c5c163-875f-424c-a659-a4f99e74eb12": "default"
        },
        "other-example.com": {
          "ab38b2a6-d560-43d3-b2a3-9148cd91d1b4": "default"
        }
      }
    }

Worth noting is, that there is no personally identifiable information (PII) here.

But we have to have the discussion if this is "too much" data to keep about a user. AFAIK this is the bare minimum of data needed, to be able to guarantee no collisions of user ids. If there is another way to do it, we should do that!
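
The map-free alternative mentioned in the comment above, as an added example that is not part of the thread and not Promise's code: each per-site ID is derived with HMAC-SHA256 from a server-side secret, an internal account ID and the site name, and `collision_bound` gives the birthday bound on two IDs colliding. The function names, the secret and the sample accounts are assumptions made for the illustration.

```python
import hashlib
import hmac
import uuid


def _encode(*fields: str) -> bytes:
    # Length-prefix every field so ("ab", "c.com") and ("a", "bc.com")
    # can never serialise to the same HMAC input.
    out = b""
    for f in fields:
        raw = f.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def pairwise_id(secret: bytes, account_id: str, site: str) -> str:
    """Derive a stable per-site pseudonym; no site -> id map is stored."""
    # The site name is normalised so "Example.com" and "example.com" agree.
    msg = _encode(account_id, site.strip().lower())
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Truncate to 128 bits and print in the same 8-4-4-4-12 shape as the
    # IDs in the comment. The value is derived, not random.
    return str(uuid.UUID(bytes=digest[:16]))


def ids_for(secret: bytes, account_id: str, sites: list[str]) -> dict[str, str]:
    """What the provider would hand to each relying party for one account."""
    return {site: pairwise_id(secret, account_id, site) for site in sites}


def collision_bound(n_ids: int, bits: int = 128) -> float:
    """Birthday bound: upper estimate of P(any two of n_ids collide)."""
    return n_ids * (n_ids - 1) / 2 / 2 ** bits


# Constructed sample values, not real data.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
DEMO_SITES = ["example.com", "other-example.com"]

if __name__ == "__main__":
    for site, pid in ids_for(DEMO_SECRET, "account-0001", DEMO_SITES).items():
        print(site, pid)
    print("bound for 1e9 ids:", collision_bound(10 ** 9))
```

The trade-off against a stored map: the secret becomes the single value that links every pseudonym, and rotating it changes every ID at every relying party.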


There’s also re:claimID¹, which should be fully distributed and work on top of GNS², but it’s still very much a work in progress.

1. https://reclaim.gnunet.org/

2. https://gnunet.org/en/gns.html


First promotion point:

> Self-sovereign You manage your identities and attributes locally on your computer. No need to trust a third party service with your data.

Why do people assume that is a good thing? I do cybersecurity at work (among other things) and it takes a lot of effort to keep things both available and secure. My home PC, not to mention PCs of my friends, are never going to be as secure.

A system which has a chance will have to be federated, not local-only.


I work in crypto and we sell a hardware device to keep your seed phrase secure and the physical device is required to sign transactions.

But then you should listen to the advice we're given if we use one for personal use.

1. buy two devices

2. Generate a phrase on one then import to the other

3. Put the second one in a safety deposit box in another city or state, or a safe with a family member also out of the city or state.

4. Keep a copy of the phrase on steel seed phrase tool (Steely, etc)

5. Mount the steel seed phrase backup inside of a wall of your house and plaster and paint over it.

6. If your phrase ever gets seen by any electronic means, it's compromised and the process must be redone (note that importing uses a randomly shuffled alphabet on the device to make MITM or keylogging attacks unusable).

So... Security is hard. We should build systems that make it easy. There should be ways to recover from backups if a service goes offline, but we can't expect everyone to make good decisions.

Not to mention having passwords synced between devices and available on demand is really a requirement if you use random passwords for every site and need to log into something (heaven forbid) on someone else's device.


> [effective and meaningful] Security is hard. We should build systems that make it easy

These are in direct conflict with each other.


Not necessarily.

What's your threat?

Most people are not trying to stop a determined attacker. Most people just want random people to not be able to get into their stuff--same as a physical lock.

They carry a physical key on their person. It's not too much to ask them to carry a "digital" key on their key ring.

The problem is that most "digital" keys are a pain in the ass:

1) Mostly because everybody wants to "centralize" authentication so that they can charge you and administrate you.

2) Secondarily because there is no good solution for talking to the key on your person. NFC sucks. USB requires that I plug my key in. WiFi requires that the device be able to hit your network. BLE has no access from web pages.

BLE is probably the best choice, but there is no real money in making it work.


Any tool used to create another tool, is the very tool that will be used to help dismantle that other tool.

There is no way around this... Security isn't a state, it's a process. It relies on the human to propagate it. A bit like a garden.

Make the process simple for the user (but not thoughtless) and that is about as good as is going to get.


I'm a bit divided on whether or not the "centralized" thing is actually a problem Promise should tackle.

On one hand, I want to tell you that Promise is only centralized by default. Which is good for people that don't understand what an OpenID/IndieAuth Provider is. But as Promise is open source and the protocol caters for it, it is possible to have Promise redirect authentication requests to your own instance. Which then redirects you back to the relying party you want to sign in to. So it is possible to decentralize if that is what you want.

On the other hand, I'm not sure it's a good idea to do it. Centralizing gives a lot of benefits. User experience being one, but also being able to roll out eg. security updates quickly. But sure, centralization also creates problems.

But until now, I have a feeling that the problems with centralization, can be solved by other measures than going decentralized. Eg. being a non-profit organisation owned by the relying parties. This would guard against a lot of the problems with being centralized.

And I'm still to encounter a decentralized solution with a reasonable user experience for most people. OpenID, IndieAuth, SQRL, re:claimID, I'm looking at you. Sorry.


You're right that the user experience is a huge blocker, but I think that's something we as authors of tools can improve on. For example, there's a Wordpress plugin that lets your Wordpress site act as an IndieAuth identity[1]. That makes it pretty usable from an end-user perspective.

The challenge with centralized is that it is a single point of failure. The original post was more focused on "If you get locked out of google, you get locked out of everything". In that vein if promise gets hacked/bought/abandoned/changes its business model etc. then you lose all your accounts. The anonymous nature of it is great, but this is something Apple already offers with their sign-in with apple which is already widely supported and with the proxy-email solution you can still be contacted by the sites you're signing up with.

I got interested in IndieAuth because of a project of mine[2], trying to make it really easy for everyone to self-host their facebook/twitter equivalent with direct control over who has access. This runs into the problem with wide adoption where you have a separate credential for each of your friends' blogs. With IndieAuth built into the self-hosted platform, then your own self-hosted site becomes the one credential you can use on all your friends' sites. Self-hosted distributed identity for privacy AND ease-of-use.

[1] https://wordpress.org/plugins/indieauth/

[2] You can find the link in other comments I've made on HN


I'm really happy that you're willing to take this discussion with me.

I totally understand what makes IndieAuth a good solution. And it seems really easy. For me. But I have no idea how I would go about explaining it to, let's say, my mom.

Apple is offering something very similar to what Promise does. The difference is that Apple is a commercial corporation. Which means they're in the game to make money. Promise will be in the game to make authentication easy, secure and private.

In many ways I compare the goal of Promise, with the goal of DNS. Take a commodity and make it available globally in a reliable way. Yes, it will be a single point of failure. So the job of Promise will in large be, to keep the platform secure and reliable.


The mom-test is a good one, I'll have to think more about it. The truth is the advantages and disadvantages of various authentication systems are subtle, and hard for a lot of technical people to understand, much less care about.

Apple is a commercial corporation, and one of the biggest (by market cap) companies in the world. That gives me confidence that they'll be around for a long time, have sufficient resources to invest in security and reliability, and they have a well-established reputation for a focus on security. They do other things I don't like[1], but I think this is one area where they're setting really good precedent.

In addition, it's going to be difficult getting any sites (outside of maybe the crypto/grey-market) to adopt an auth system that doesn't let them contact their users. This is also I think a big failing of IndieAuth.

[1]:https://sneak.berlin/20201112/your-computer-isnt-yours/


Promise is basically challenging the assumption that authentication has anything to do with both personal identity and being able to contact a user.

If a site needs to contact the user, it's reasonable to ask for eg. an email. But now the intent of asking for an email has to be crystal clear, which makes you and them more aware of what data you are actually giving them.

Apple sure is doing some good stuff with their authentication solution and their efforts to help people with healthier password habits. I'm still not too fond of having such fundamental infrastructure owned by a private company. Would you be comfortable handing over DNS to Apple?


I was my own OpenID Provider for a while, but quit because nobody supports it anymore. It was great for power users but super confusing for laypeople.


That sounds painful in so many ways...


There's been a W3C standard that meets all those requirements for a couple years now: https://www.w3.org/TR/webauthn/

Only problem is there aren't any password managers that implement it, so it's not actually practical to use as a primary authentication factor yet.


WebAuthn is great! I don't see any reason why Promise shouldn't implement it.

I see it this way, that Promise makes it possible for all its relying parties to leverage WebAuthn by implementing it once, so they don't have to.


There is so much fragmentation in authorization and authentication that it is hard to see how we can “run in the same direction”. Facebook, google, etc have zero incentive to change anything.


Yes. The fragmentation is part of what makes authentication a horrible experience.

But most of all, what I'm missing is at least one good option on the sign-in screen. And using a password manager is not it.


There is TLS client authentication, unfortunately it never caught on, probably due to not good and uniform UX in browsers. Imagine if web-browsers have automatically generated password-protected self-signed certificates that could be used to authenticate to web services without need of any third-party.


> Imagine if web-browsers have automatically generated password-protected self-signed certificates that could be used to authenticate to web services without need of any third-party.

What should be done when creating a new account is that, in addition to the username and password, the website should allow for uploading a certificate signing request. The web browser should then allow the user to create one and upload it. The website should then return the signed certificate to the client and the browser can then store it to use during subsequent connections.

Doing something like this would allow for two factor authentication without the half-baked solutions like sms or email based 2fa.


> The web browser should then allow the user to create one and upload it

Your average user is not going to open a command prompt and dig into Openssl. There are (or were, I haven't used them for a decade) browser-specific APIs for generating private keys locally, but they were very flakey, and the whole UX was very confusing for users.

And after this, the user can only sign in on the machine in which the key was created. Your average user will not have a clue how to move certificates and keys around between machines.

I have direct experience with this. Back in 2008 I led a team building an extranet site, and we used X.509 client certificate authentication. We had to build our own tooling for management of the PKI, which was no small task. But ultimately it was key creation and certificate distribution that were the biggest problem - our users absolutely hated the signup process, as well as the fact that they couldn't later sign in on another machine.


> Your average user is not going to open a command prompt and dig into Openssl.

That's why I said that the browser should provide that feature.

> There are (or were, I haven't used them for a decade) browser-specific APIs for generating private keys locally, but they were very flakey, and the whole UX was very confusing for users.

That's a UX issue that can be solved if the time was put into it.

> And after this, the user can only sign in on the machine in which the key was created. Your average user will not have a clue how to move certificates and keys around between machines.

They shouldn't be moving/sharing keys between machines at all. What could be done is to implement a mechanism to associate an additional device with the account. Perhaps something like sending a CSR from the new device and then using the first device to confirm that it's a legitimate request.


> something like sending a CSR from the new device and then using the first device to confirm that it's a legitimate request

So I can only sign into my account from any new machine if I have access to a previously-signed-in device? What happens if my last login session expires? At that point, I have to sign in with a password, and now I'm back to all the terrible things about managing 500 passwords.

Federated identity / SSO through a trusted provider makes so much more sense, the standards are open and there are dozens of implementations available. Nobody needs to reinvent the wheel, we don't need a 15th standard. You just have to sign in with a provider that you trust not to lock you out for no reason, in a way that gives you no recourse (unless you can get your story on the front page of HN). Obviously that provider is not Google.


> So I can only sign into my account from any new machine if I have access to a previously-signed-in device?

The scenario I'm envisioning is that one creates an account on a website like HN, but with the additional step of generating a CSR, sending it, and receiving a certificate to store locally (with the browser handling the generation of the CSR and storing the resulting certificate with a standard and easy to understand UX workflow).

Once signed into the account, the website could prompt the user to add additional devices if they so wish (e.g., I created the account and signed in on my laptop, now I'll add my smartphone as a trusted device). This step could be done now, or sometime in the future.

If the prompt encourages users to do so right after creating the account, it's likely that they'll have access to the original device to confirm additional CSRs. Even if they choose not to do so right away, I don't think it's an unreasonable requirement to have access to the original device.

> What happens if my last login session expires? At that point, I have to sign in with a password, and now I'm back to all the terrible things about managing 500 passwords.

If the situation was that websites used 2FA via having the username/password as one factor and client-side TLS as the second factor, then password reuse wouldn't be an issue. Even if someone were to guess the username/password combination, the most they could do is send junk CSRs to try to add their device, which can then get rejected or not acknowledged by the original account holder.

> Federated identity / SSO through a trusted provider makes so much more sense

Perhaps, but based on what I've seen for general services out there, they just use either Google and/or Facebook as the trusted provider. I'm not sure how that situation came about, because it was pretty easy to create multiple accounts on those services without having to provide any basic identifying information (which essentially is the antithesis of what should be considered a trusted provider).

SSL/TLS is a standard that has been around for a long time, and given the ubiquitous use of server-side TLS, I don't see why it would be considered re-inventing the wheel to use the client side part of it. With nginx, you could set a HTTP header with proxy_set_header based on the value of the $ssl_client_verify variable value. Then the application could direct the user to the login page. If the client-cert is valid, then allow them to log in normally. If not, then direct them to log in, send a CSR, and go back to a valid device to confirm that CSR.

> You just have to sign in with a provider that you trust not to lock you out for no reason, in a way that gives you no recourse (unless you can get your story on the front page of HN). Obviously that provider is not Google.

Personally, I think we shouldn't have to involve third party providers in the authentication process. One reason is what you've already mentioned about getting locked out of the account. The second is if that account is compromised. With TLS, you don't need a third party involved in the process at all for the client side.

I just find it disappointing that I'm essentially forced to use email or SMS based 2FA where, arguably, those are less secure compared to having a strong password on the original service. By less secure, I mean that those factors could be compromised in a way to access my account that completely bypasses my strong password. It's the same with requiring security questions and allowing access to the account via a well known answer to one or more of those questions.
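
The flow described in the comment above (password as one factor, a client certificate as the second, new devices confirmed from a trusted one), as an added example that is not part of the thread. It assumes nginx runs with `ssl_verify_client optional` and forwards `$ssl_client_verify` and `$ssl_client_fingerprint` via `proxy_set_header` as `X-Client-Verify` and `X-Client-Fingerprint`; those header names, `DeviceRegistry`, `decide` and the sample fingerprints are hypothetical, and the CSR signing step itself is left out.

```python
import secrets

MAX_PENDING = 3  # assumed cap so junk CSRs cannot pile up on an account


class DeviceRegistry:
    """In-memory stand-in for the site's account store (constructed for this example)."""

    def __init__(self):
        self.trusted = {}  # username -> set of certificate fingerprints
        self.pending = {}  # username -> {request_id: csr_pem}

    def enroll_first_device(self, username, fingerprint):
        # Account creation: the certificate issued for the signup CSR is trusted directly.
        self.trusted.setdefault(username, set()).add(fingerprint)

    def submit_csr(self, username, csr_pem):
        """Queue a CSR from a new device; returns a request id, or None if the queue is full."""
        queue = self.pending.setdefault(username, {})
        if len(queue) >= MAX_PENDING:
            return None
        request_id = secrets.token_urlsafe(16)
        queue[request_id] = csr_pem
        return request_id

    def resolve_csr(self, username, request_id, confirming_fp, approve, issued_fp=None):
        """Approve or reject a pending CSR; only an already trusted device may do either."""
        if confirming_fp not in self.trusted.get(username, set()):
            return False
        if approve and not issued_fp:
            return False
        if self.pending.get(username, {}).pop(request_id, None) is None:
            return False
        if approve:
            # issued_fp: fingerprint of the certificate the site signed for this CSR.
            self.trusted[username].add(issued_fp)
        return True


def decide(registry, username, password_ok, headers):
    """Return "deny", "login" or "enroll" for one sign-in attempt.

    headers must come from the reverse proxy only: proxy_set_header overwrites
    any client-supplied value, and the application must not be reachable
    except through the proxy, otherwise these headers can be forged.
    """
    if not password_ok:
        return "deny"
    verified = headers.get("X-Client-Verify") == "SUCCESS"
    fingerprint = headers.get("X-Client-Fingerprint", "")
    # SUCCESS only means the certificate chains to the site's CA. It must also
    # be one of the certificates bound to *this* account.
    if verified and fingerprint in registry.trusted.get(username, set()):
        return "login"
    # Correct password but no trusted certificate: the most this caller can do
    # is submit a CSR and wait for confirmation from a trusted device.
    return "enroll"
```

A valid password with another account's certificate ends in "enroll", not "login", which is the binding check that `$ssl_client_verify` alone does not provide.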


> which proves that this is possible.

How does it prove that?


I've built Promise, to prove (to myself at least), that it would be technically possible to build authentication infrastructure, that can be used across sites, without having to store any data unencrypted, and furthermore, not storing any personal data at all.

And it works.

It's a bold choice of words, I acknowledge that. And the proof is only as strong as my abilities to write software.

This is yet another reason why Promise needs a movement behind it. To strengthen the proof. To strengthen security.


I understand, but don't you still have the capability to ban a domain/user? How is it different than Google in the context of the post?


Being a non-profit, collectively owned service, which Promise is, will make it difficult to ban users and relying parties.

Just like the DNS can block users, Promise can ban users and relying parties.

This is not something Promise should take lightly, but the fact that almost everyone has a say in Promise, unlike Google, where almost no one has a say, makes me full of hope that this can be solved in a transparent way.


Cool demo. I couldn’t figure out how to make an account though.

I think this would need serious widespread adoption until we saw benefits too. And you’d need some big names...like Google. Which probably will never happen.


Ok, you're not the first to say that...

I hate it, when I type my email and password (correct, that is), and get an error saying "You already have an account. You need to sign in". OK. But would you please just sign me in then. Everything you need is there.

So I chose to make it one. This might be more confusing than anything else... And I might be missing some other point for this to make more sense...

And yes, let's get that widespread adoption


I see it as a stepping stone for global “real id”. In this case centralization is a feature, not a bug.


That is an interesting point.

Internet identity could maybe be a layered thing where one layer takes care of authentication, which is where Promise lives. The next layer could handle information like name and email. And finally a layer that handles your verified identity by an authority. That last layer is where the danish NemID fits in.


There's another privacy-focused SSO solution from SimpleLogin that creates a different email address for each relying party.


I didn't know SimpleLogin. It seems really nice. Kind of what Apple does with their "Sign In with Apple".

It's not exactly a SSO, though.


this uses OIDC. it’s a non starter, for reasons unrelated to the part you are “solving” here.


I would love to understand the reasoning here. Sincerely.

What makes OIDC a "non starter"?

I see OIDC as an implementation detail, and have no strong opinions about it.


Can you be more specific?


For a smaller company, that doesn't have the ability to dedicate a team of people to authn and authz, OIDC/OAuth/SAML/etc are all extremely complicated tools that take a lot of experience to even begin to understand the terminology. Ask your average engineer to implement logins for an API they'll be able to do it. Ask your average engineer to implement current SSO-like integrations for even the most standard of use cases (website logins) and it's a huge pain. Drift ever so slightly off the beaten path (IoT devices for example) and you're in for a "fun" time.


To add to this: Never use a @gmail.com address, buy your own domain and pay the $6/mo to get a Google GSuite with your name@fullname.com address instead. If Google locks your account, you can now move your email hosting to another provider and won't lose access to your entire digital world.

Be aware that doing this now means your DNS provider and domain registrar become vectors for hackers to take over your email account, so make sure these are companies you trust and your access to these accounts is as secure as possible (ie strong unique passwords and app-based, not SMS-based two-factor authentication).


You can do this without paying as well. If your DNS provider supports email forwarding you can use that (if it doesn't you can use improvmx free tier) and use gmail's inbuilt smtp server to send emails using your own domain.


Only issue with not using GSuite is that you won’t be able to DKIM sign those emails, although just SPF might be sufficient.


Why not just use Fastmail?


You can also use Gmail as POP3/SMTP client for your e-mail account at other provider.


This is what I do, and it works well.


Ya but then you can’t use googles SSO right?


yes, you have to use your *@gmail.com for SSO in this case


As long as you don't want to use any Nest products, which now insist that you have a gmail.com address as apparently hosted domains are for business only.


yep, noticed that too. i'm getting nagged to use my gmail login. what a virus.

i will add that it's possible to create a google account WITHOUT gmail,

https://support.google.com/accounts/answer/27441?hl=en

maybe that's sufficient for nest.


Hmm, thanks, I'll have a look into that. The objection to nest using "Google for Domains" or whatever they changed it to these days seems to be to do with the domain admin having access to everything. Which would be just fine for me, as I'm the only one that uses the domain.

Hopefully signing my address up that way, when it's already a domain account, won't b0rk all sorts of other things :/


There have been a ton of products where Google didn't initially support that but eventually added it. Maybe Nest will one day.

Obviously their sign-in/account infrastructure creates technical impediments against making their products do what they want. They should really fix that.


It appears to have been a deliberate choice, and one they have justified on several occasions.

That's not to say you're wrong, but it would be a turnaround at this point.


Related to your warning, the story of that guy who lost his @n Twitter account because of that[1] (even though I think it still reduces the impact radius because until your password gets reset you can still access the service)

[1]: https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...


For those that don't want to pay, Yandex allows you to set up a number of emails using your own domain for free.


The only thing worse I can think than having Google read your email is having Yandex read it.


Depends on where you are. If you're in the US, sure, there is at least the theoretical possibility of legal protection against misuse. If you're elsewhere, they're not very different, and Yandex at least doesn't already have a million other data points about you to connect with this and build a bigger picture about your life.


The issue here isn't privacy but independence from a specific provider. If privacy is an issue as well then you should be using encryption as emails are not private.


It doesn't have to be fully trusting or not at all, there's different levels. I think using a provider you trust more (In my case Fastmail vs. Google) is a fair tradeoff. Fastmail has a pretty straight forward business model that makes sense to me so I feel like they don't have a reason to scan my emails for ad purposes or else.

Of course if you are worried about some nation state looking into your emails you should encrypt them and use whatever provider.


If you aren't in the US, then Yandex is probably safer.


Russian companies cannot refuse data requests from the Russian government. American companies can.


This is such excellent advice that I wrote a detailed step-by-step instruction guide for people that don't know how to do precisely that:

https://sneak.berlin/20201029/stop-emailing-like-a-rube/

It even has special instructions about how to secure the domain registration and DNS accounts. :)

(Don't use G Suite, though.)


I have attempted to read two articles on your site. As I am a privacy-focused person the articles were of interest to me. Both times I haven't gotten past reading the opening sentences when an obnoxious pop-up appeared asking for my email address. It seems ironic that someone publishing articles on privacy advocacy would be so keen to collect my email address. This practice also creates a real miserable experience and I have simply closed the page immediately both times. If someone is interested in subscribing to your newsletter why not simply provide a link for them to do so at the end of an article?


Yes, asking for an e-mail for site-update-sending purposes is very sketchy. That's what RSS is for, just publish a feed like a good netizen.

And indeed, your site does have a RSS feed, so what's with the e-mail address collecting? Rude!


An email address is public information not private. You can have as many as you like for different purposes.


Email addresses are not public in general. They are not supplied to every site you visit automatically, and should not be manually supplied to every site you visit either. Whether it's a unique per-site address or not, it only makes sense to give it to people/organisations you want correspondence from. Therefore, sites that ask for it when you start reading an article seem really sketchy.


I'm definitely not a power user, but I see and understand the issues.

But for someone like me, if I take all this advice, there is still the aspect of trusting the domain registrar, maintaining a personal email server, hosting, CloudFlare, etc. etc. I have just shifted some risk of offending Google to some other risks of 3x more companies that I have to remember how to deal with now.

So what difference does it mean to me, average user, that I just stick with Google and don't misbehave, versus open myself up to having to deal with 3 other manual processes and companies to remember? It's turtles all the way down.

You see the dilemma for the average user.


Nice. I'd highlight that conceptually, there are two entirely separate concerns here:

1) the front, if you so will - the emails which you give out and to which people (or algos) send you stuff

2) the back, where you receive and read your emails.

For many people, for example:

1) abc@gmail.com

2) gmail.com web mailer, or gmail app on mobile, or native OS app on the computer

You suggest a complete revamp:

1) catchall at own domain: anything@mydomain.com

2) one (or several) protonmail/fastmail accounts

But it's worth highlighting that people can get many benefits already by

1) catchall at own domain: anything@mydomain.com (as you explained)

2) keep whatever you're using now.

Just forward 1) to 2). Then you can start handing out the new email.


Really good article, could you share it as a hn submission by itself? Would love to see a discussion around it


Lately I try to avoid submitting my own website, per the HN guidelines discouraging promotion (the one exception is when I find a submission to be time critical). I only link to my own site in threads where it's directly and precisely relevant, such as this one.

If you found it valuable, you should submit it yourself. I'm not interested in the accumulation of updoots, feel free to get 'em. :)

I'd rather other people decide what subset of my writing is relevant to HN, as I'm no good at it: I'm too close to the work. (I only write about things I care a lot about.)


I don't care that much for the upvotes either btw

But the article is very well written and would be a shame if we didn't get other opinions here in HN, kudos for you, already added it to Pocket for later

Will try to get it rolling then


Thx for that. Great help for many of us.

But why refer to Protonmail and use Fastmail for yourself?


I use different services for different things. I have 3 email accounts at FastMail and 6 at ProtonMail. Also, some of it is inertia: I've hosted the MX for sneak.berlin at FastMail for several years (and have prepaid some time into the future), and have only been using ProtonMail for about one year (and the HOWTO article is recent).

The fact that FastMail might be subject to the new Australian crypto key escrow law[1] is a little bit worrisome, and I may not continue to use them in the future depending on how that plays out.

For things where surveillance is less of an issue, I prefer being able to use a plain IMAP client, which ProtonMail does not support. Their current iOS client is pretty lame, for example (although their web client is better, and I understand that their next major release will improve things a lot across the board). I mention the IMAP issue in the article.

[1]: https://parlinfo.aph.gov.au/parlInfo/download/legislation/bi...


> The fact that FastMail might be subject to the new Australian crypto key escrow law

FM is saying it doesn’t affect them, as they are not a secure provider and can already give any information out upon lawful requests.

Do you disagree with that?


Fastmail’s specific response: https://fastmail.blog/2018/12/21/advocating-for-privacy-aabi...

That in short, the A&A bill is about breaking end-to-end encryption, which Fastmail has never had anything to do with. It’s scary-sounding legislation, and I reckon it’s misguided at best, but it honestly doesn’t affect all that many businesses [note I’m saying businesses rather than people; many affected businesses will be among the largest ones, serving consumers], because end-to-end encryption of communications is uncommon, because it’s so frightfully inconvenient for all parties involved, because now the server is necessarily dumb and the client has to do a lot more work, and things like searching are typically just altogether broken because you’ll need the full index on the client to do a search.

(And specifically of the domain of email, I wouldn’t trust first-party encryption; if you care about governments accessing your data, first-party encryption such as ProtonMail offers is almost equivalent to no encryption if you can’t verify the code that is running, since that party may be compelled to backdoor the code to steal your password. This is one of the many reasons that Fastmail has never implemented PGP, ⅌ https://fastmail.blog/2016/12/10/why-we-dont-offer-pgp/.)


This is exactly how I understood it. But maybe I'm wrong?


Thx for your detailed feedback. Appreciate it.

So your advice would be to go with Protonmail all the way, as you wrote it within your blog?


Yeah but they’ve still got your emails.


There are alternatives to GSuite -- for instance, Fastmail. Or even the old PObox.com service which has been around since the 90s and is really cheap (Fastmail have bought it now, I notice).


Fastmail is very good. The web client is pretty simple, but feels so darned responsive (as in fast) compared to what I was used to from GMail. And spam is so far a non-issue.


Or, host your own on your own metal, to avoid depending on any third party. Alternatively, if you are ok with semi-dependence on a third party, get a $5/mo Linux VPS, and host your E-mail there.

With your own Linux instance, you can host whatever you want, have full control, can host other services too like www, git, whatever, and have the assurance that you're not going to suddenly lose access because AI-BOT-204432 decided you violated some obscure terms of service. I've been doing this for close to a decade now (exim + dovecot for E-mail), and it works great. Back in the 90's, this used to be the default. How did we end up in this world where we so utterly rely on 3rd parties for such everyday critical Internet services?


> How did we end up in this world where we so utterly rely on 3rd parties for such everyday critical Internet services?

The same way we ended up in a world where we so utterly rely on 3rd parties for such everyday critical services as growing our food and fixing our cars. There's too many things to do for everyone to do them all on their own.


> How did we end up in this world where we so utterly rely on 3rd parties for such everyday critical Internet services?

For email? Because Google and Microsoft broke SMTP federation in the name of "anti-spam".

It's practically impossible to get Google, especially, to reliably deliver your email anymore if you aren't an actual email service provider.


Also, many registrars offer a managed email service.


Well, at least you don't lose everything. Worst case you lose access to a few emails you got in the time between being locked out of your Google account and when you set up another email provider, and assuming you configured IMAP and use something like Thunderbird or K-9 as an email client (which I highly recommend) you should have a copy of all your email on your device (seriously don't use the Gmail app on Android, they even display ads in your email categories).

I like GMail for their spam filtering power, and I honestly believe spam to be email's biggest weakness, and the reason people don't host their own. It certainly scares me, the thought of being flooded with thousands of spam emails daily, or the chance that my own emails would be falsely marked as spam since I'm not part of the major providers or because I did not configure it correctly. Don't know how this can be solved though, email itself is too permissive, and too "tweakable".


For that you have this:

https://takeout.google.com/

You can export all your email in a single .mbox file.

This might not work if your account is suspended, but if you set up email forwarding to an alternative address (e.g. to protonmail) that might still stay active so you can transition your addresses.


I wonder if Google lets you Takeout if they’ve locked your account…


They do now (although you only have 7 days to do so I think).

It also depends on the reason for the block - if for example they suspect you of having illegal content (child porn) in your Gmail, you aren't allowed to takeout it.


That's great news. Facebook and Twitter don't (Facebook as of a few years ago, Twitter as of this year), as I learned the hard way.


If you are in the EU, GDPR says they have to.


The GDPR (in Article 15(4)) states that the right to obtain a copy of your personal data should not ‘adversely affect the rights or freedoms of others’. This means that when responding to an access request, the controller should consider the rights of third parties, such as their data protection rights, trade secrets, or intellectual property rights such as copyright. This could arise, for example, where your access request relates to a record containing both your personal data but also the personal data, trade secrets, or intellectual property of others.

A balancing of rights exercise would need to be conducted by the controller to balance your right of access your personal data as against the identified risk to the third party that may be brought about by the disclosure of the information. The GDPR notes that these considerations should not result simply in a refusal to provide all relevant information, but the controller should endeavour to comply with the request insofar as possible whilst also ensuring adequate protection for the rights and freedoms of others.


Google doesn't let you Takeout when you don't allow Google to track your browser. It will give an error to "please use a device you regularly use" even if you can see in your account that there are no other active sessions that you could possibly make use of. I tried a few hours later with the session still open but no dice. Guess I'll have to find a human to talk to at Google in order to get my data pursuant article 15, GDPR.

I have very little hope indeed that they will let you do a takeout without finding a human to talk to when your account is locked.

For what it's worth, Facebook does let you do this. You login, get a message your account was banned for no apparent reason, and that you can download a copy of your data. Unfortunately it's broken (screenshot: https://dro.pm/a.png) but hey, there was an attempt.


There's this thing called principle. It's not that we do something because we believe it's going to work. We do things out of principle because doing the right thing is the only rational alternative; because, if everyone held the same principles, then the problem would be snuffed of oxygen.


Use a third-party client that grabs the emails locally.


Once you have your domain, you can use Zoho to create emails for your domain for free. They don't offer IMAP/POP3 access in the free tier though.


Or register a domain with Gandi and they provide a free email service to you. Only two free accounts (with "unlimited" aliases), but that should be sufficient for most personal uses.


> app-based, not SMS-based two-factor authentication)

How does that work when using an email client and connecting to the server and using SMTP and IMAP?


I meant using TOTP (app-based) two-factor authentication for securing your DNS provider and domain registrar accounts. The reason for not using SMS-based two-factor authentication is that it is not very secure https://techcrunch.com/2016/07/25/nist-declares-the-age-of-s...

I'm not aware of two-factor authentication for SMTP or IMAP.


> I'm not aware of two-factor authentication for SMTP or IMAP.

This could be achieved using a client side TLS certificate along with a username and password. I know that Postfix and Dovecot support it.


You generate one password per client (i.e. app-based).


How does the client identify itself during the SMTP or IMAP transaction?


It uses the password that you generated for it. I don't understand where the confusion is.


I don't understand how that's any more secure than just using a strong password for the account. At some point, you're going to have to make that password accessible to the client. Plus, it's arguably less secure because the account now has multiple valid passwords that will work for authentication, and, based on your description, there's nothing that prevents someone from using the exact same password over a netcat session from accessing the account.


The confusion seems to be about logging into your account on the web versus using a mail client like Outlook or Thunderbird.

Pick a service that lets you use a long password and a security key (like Yubikey) or authenticator (Google, Authy) to log in.

Most services will then let you generate a specific password for an email client. I would assume that behind the scenes that the service is restricting what ports that password can be used on, etc.
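

Added example, not from any commenter or mail provider: a minimal model of the per-client ("app") passwords discussed in this sub-thread. It assumes, hypothetically, that the service stores one hashed random secret per client, limits each secret to mail protocols, and lets each be revoked on its own; the class, scope and label names are made up.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAIL_SCOPES = {"imap", "smtp"}  # hypothetical scope names; "web" is never grantable


@dataclass
class AppPassword:
    label: str            # which client this secret was issued to
    scopes: frozenset     # protocols the secret may be used on
    digest: bytes         # only a hash of the secret is stored
    revoked: bool = False


def _digest(secret: str) -> bytes:
    # The secret is 192 random bits generated by the server, so a fast hash
    # is sufficient here; a human-chosen password would need a slow KDF.
    return hashlib.sha256(secret.encode()).digest()


class Mailbox:
    def __init__(self, owner):
        self.owner = owner
        self.app_passwords = {}  # label -> AppPassword

    def issue(self, label, scopes):
        scopes = frozenset(scopes)
        if not scopes or not scopes <= MAIL_SCOPES:
            raise ValueError("app passwords may only carry mail protocol scopes")
        if label in self.app_passwords:
            raise ValueError("label already in use")
        secret = secrets.token_urlsafe(24)
        self.app_passwords[label] = AppPassword(label, scopes, _digest(secret))
        return secret  # shown to the user once, then typed into the mail client

    def revoke(self, label):
        self.app_passwords[label].revoked = True

    def authenticate(self, secret, protocol):
        candidate = _digest(secret)
        match = None
        for entry in self.app_passwords.values():
            if hmac.compare_digest(entry.digest, candidate):
                match = entry
        if match is None:
            return (False, "unknown credential")
        if match.revoked:
            return (False, f"revoked: {match.label}")
        if protocol not in match.scopes:
            return (False, f"{match.label} not allowed for {protocol}")
        return (True, match.label)  # the label also tells the logs which client it was


def demo():
    box = Mailbox("user@mail.example")  # constructed sample account
    laptop = box.issue("thunderbird-laptop", {"imap", "smtp"})
    phone = box.issue("k9-phone", {"imap"})
    results = {
        "phone_imap": box.authenticate(phone, "imap"),
        "phone_smtp": box.authenticate(phone, "smtp"),
        "phone_web": box.authenticate(phone, "web"),
    }
    box.revoke("k9-phone")  # e.g. the phone was lost
    results["phone_after_revoke"] = box.authenticate(phone, "imap")
    results["laptop_after_revoke"] = box.authenticate(laptop, "imap")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```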


> I would assume that behind the scenes that the service is restricting what ports that password can be used on

Assuming it's a device accessing the service over IMAP and SMTP that can access multiple networks, restricting by IP and/or port won't really help. As I noted in my other reply, it's easy enough to script access to the account if you have the password and there's no real association between the application and the credentials that are used for access.


My problem with the get your own domain and DNS is it's far more likely I become incapacitated and become unable to pay or manage it than getting locked out of gmail or outlook mailboxes.


Is it? You can register for 10 years at a time and then keep that topped up, as well as set up autopay pointed at a bank account with as many years of funds as you'd like. At some point the likely limiting factors shift to other things. Even the most reliable longest lasting registrars could in principle go out of business or get bought, but then again Google could decide to radically alter or discontinue services at some point too (as they indeed frequently have), or get broken up or who knows. 10 years is quite a while. And while nothing about business dealings is completely certain, someone paying for a domain is a revenue generator with potential for more, so even if a registrar was acquired they'd have strong incentive to try to roll over existing accounts barring active objection.

I don't know your personal circumstances of course, different people may very reasonably make different calculations. But I have more trust in a quality registrar and my bank than in Google under the most likely scenarios where I'd still care (long comas aren't impossible to come out of, even multi-year, but chances of just partial recovery plummet after even a month or two let alone full recovery). I think Google being capricious or making a mistake is a bigger concern, if only because there is almost zero chance of recovering from it (basically have to know a well placed Googler or manage to go viral or be a big enough presence to get their attention). Domains and finance in contrast are both full of competition and portability.


If you are doing all that, why use Google at all? Just to get the broken GSuite variant of Google?


$6/month doesn't sound like much... Till you realise you'll probably have this setup for 20 years, and suddenly it's $1200. That's a lot to protect against a thing that will probably not happen (account being banned)


> That's a lot to protect against a thing that will probably not happen (account being banned)

$1,200 is a lot of money, but... anyone aged 23+ is older than Google. 17+ is older than GMail.

It is an illusion to say we know what will or will not happen to Google over the next 20 years. We don't know how entrenched the tech giants are over decades because we've never had anything like them before.

This is a problem that is obviously not going to happen in the next 12 months. But if a person doesn't control their email address, they shouldn't be using it for anything that it would really hurt to lose.


> It is an illusion to say we know what will or will not happen to Google over the next 20 years. We don't know how entrenched the tech giants are over decades because we've never had anything like them before.

Realistically we have little control or have any clue on what's going to happen a few years out in almost every aspect of life.

Look at Kodak (the photography company). They were around for over a 100 years, then digital photography came along to disrupt their market and they pretty much disappeared in a few months.

Kodak and Google aren't that different as being a company that offers a service that tons of folks use(d). Kodak used to be "the" place to buy film and get photos developed.

I'm all for controlling your own email (even tho I'm guilty of not doing so), but I think even if you controlled your own email, you'll still be victim of the company you're using maybe going out of business in the future. I wish nothing but success for Fastmail or any other email service that lets you control your email, but if they go down then you're in the same position as Google going down while using gmail.


>Look at Kodak (the photography company). They were around for over a 100 years, then digital photography came along to disrupt their market and they pretty much disappeared in a few months.

Kodak was well aware of digital photography, arguably one of its pioneers. What killed Kodak was cellphones. Kodak was too dependent and attached to making cameras and camera-related equipment. Most people did not need separate cameras once cellphones came along (even the 'dumb' models have a camera), so Kodak had nothing relevant to sell... Doubtful Google could be so stupid. Maybe if the Feds separate gmail from Search there'll be problems?

>I wish nothing but success for Fastmail or any other email service that lets you control your email, but if they go down then you're in the same position as Google going down while using gmail.

Keeping all your mails locally is not difficult if you use a mail client rather than a web client. Copying to a local folder every once in a while is a one/two click operation in typical clients.


$1200 of 20 years? I spend more than that on milk.


It's insurance, a waste of money most of the time, and extremely good value for money very occasionally


I pay for gsuite for myself and a couple of my domains. Call it $12/month, because you'll want to set up two accounts:

* The admin-user.

* The daily/real-user.

In my case I have my real account "steve@steve..", and "admin@steve" which is the gsuite administrator. I only log in to make changes to the domain setup, never to send/receive email.

It's annoying to have to pay for that second user, but I feel happier with the privilege separation in place.


Are you actually the owner of steve.com? Because I've been ordering Dominos pizza with the email steve@steve.com for years.

Edit: nevermind. I see you own the .net tld. I've definitely used that to order pizza too. Sorry about that.


I registered steve.org.uk in 1999, and steve.fi last year.

(I moved from UK to Finland, so I checked the .fi version on a whim. Luckily it was due to expire a few months after I checked, so I set up a script to register it the moment it became available.)


Couldn't you use @example.com?


example.com is good because it is explicitly reserved for this purpose and has no MX records.

Although very occasionally a service will check for MX records, but that is incredibly uncommon. My go-to email for public WiFi is fuckoff@exmaple.com and have only been denied once (<1%)


I prefer webmaster@whatever site I'm on

A fair number of places will deny that, but I like to think it sends a message. I'm not sure how many, if any, domains still have a working webmaster@ address though.


That's a really good idea! I'll try it next time.


It should be possible to enable Cloud Identity Free on your gsuite tenant. So you can use a free identity account for your admin account and only pay for gsuite on your main email account.

https://support.google.com/cloudidentity/answer/7384506?hl=e...


Why not me@steve, iam@steve, thisis@steve, thereal@steve or any of the other variants?


I find it strange to send someone an email and address it to "me". Autocompletion may also help when typing steve instead of "thereal".


I've been using name@name.tld for a long time now, I realize the repetition reads a little oddly but I've never cared enough to switch to anything else.

I guess I should have started using forname@surname.tld to make it all nice and neat, but I've no desire to change now.


I'm a boring person. I even use my full name for kevincox@kevincox.ca


Tbh the biggest benefit I see in such setup is the freedom of directing your email wherever you want. I wanted to quit Google 4 or 5 years ago and just having to redirect my domain to a private host rather than having to change my email address entirely is the one thing that made it possible


There are other options available. I personally don't use it, but Zoho Mail is free with paid plans starting at $1/mo.


I use the free hosted Zoho for a domain.

I had an incident a few weeks ago, where my mailbox lost about 1 week's worth of messages, and they were not retrievable.

I have used them for over 5 years, and this is the only negative incident.


6 * 12 * 20 = 1440


There does seem to be a need for Google to clarify their rules for "banning" an email used for sign-in.

It seems like things should be more granular, such that being banned on YouTube doesn't make your thermostat quit working, ruin your phone contacts/photos/etc, or cut you off from your unspent AdWords funds.


It's worse than that: considering the importance that YouTube has taken, for some people being banned from YouTube might be considered to be akin to being banned from exercising their profession, or even just be able to be a full-fledged citizen.


Next, consider what they were up to with Sidewalk Labs in Toronto before that project was 86ed.

"Google + Sidewalk: bring the dystopia of robo-support to the civil service!"

Or maybe

"Google + Sidewalk: Snowcrash was the blueprint, right?"


Remember OpenID? Yes, that's what it was for, OAuth was never meant for signing in to other websites who just want your mail or something... Of course, all these big tech corps quickly dropped OpenID, they don't want people to control their online credentials or identity...


OpenID hasn't died at all - it's just used in a different context. We implement this now for SSO in corporates to unify fragmented IAM scenarios.

Accepting any domain as an OpenID IdP is not likely to be a feature of publicly facing sites, as they still provide the ability to create / register / use these accounts for spam and other unwanted abusive purposes.


Really, I think OpenID died because it didn’t see significant enough adoption. I remember the user flows being a bit clunky, which certainly didn’t help.

With OpenID, basically everyone used a third party ID provider, and so you were just as dependent on that provider as with OAuth. Did you actually self host OpenID? If so, that’s a lot to ask of each person in the world. If you didn’t self host OpenID, I don’t think you had much “control of your online credentials or identity.”

If OAuth was never meant for signing in, then putting Auth in the name was a funny choice. You add the qualifier “websites who just want your mail or something”, but I’ve never seen a single mailing list sign up that used OAuth.


> Did you actually self host OpenID? If so, that’s a lot to ask of each person in the world.

You could pay someone to host it with reasonable guarantees they won't delete your account on a whim and no recourse.

Or you can use a free service that you somewhat trust with your own domain, so you can point the domain to another provider if you need to. Almost no technical knowledge required for that.

> If you didn’t self host OpenID, I don’t think you had much “control of your online credentials or identity.”

Same for email, which is what identity relies on instead of OpenID.

And self-hosting OpenID is much easier than email: you just need domain + LAMP (or equivalent), and don't have to deal with DKIM, SPF, being blacklisted from Gmail/Hotmail, ...


> You could pay someone to host it with reasonable guarantees they won't delete your account on a whim.

Each user having to find a hosting provider and pay them... it seems like a non-starter. Think about the non-technical people in your life. That solution would only help the very few people who both understand the details of OpenID, and care about the possibility of losing account access at a deep level. Most people have other important stuff going on in life, so good luck convincing them to adopt self-hosted OpenID at greater cost (and effort) to themselves.

This is even assuming that the hosting provider also acts as a domain registrar so each person doesn’t also have to figure out how to buy and own a domain name, to truly own their OpenID, because that would either make this solution much less meaningful in terms of control (with no custom domain), or make it that much harder.

> Same for email, which is what identity relies on instead of OpenID.

I’m not here to argue for self hosted email. There are many email hosting providers that make it relatively easy for you to bring your own domain name... but this is irrelevant. Signing in with an email and password continues to work even if the email account has been suspended. So, it’s not the existential threat that the article is concerned about.

I think the more realistic solution for users is the new FIDO2 standard that will hopefully see adoption soon.

I think Google has done a similar thing on Android, but Apple has for sure made every (up to date) iPhone, iPad, and Mac able to act as a FIDO2 Platform Authenticator.

Even if the user signs up via OAUTH, websites can give the user the choice to sign in via FIDO2 on each device. At that point, users could sign in from those devices even if their Google account were suspended, giving the website a chance to help the user migrate their account authentication.

The FIDO2 flows seem very user friendly, but... the standard is so new, broad adoption remains to be seen.


That is why basically every implementation provided a big "Log in with Google" button. It was basically no effort to implement (it just fills in the Google OpenID URL) and solves the problem of the people who don't have enough distrust in Google to self-host.


Sadly everyone wanted to be an OpenID provider, very few wanted to be a consumer of OpenID.

Neither Google, Facebook nor any of the other major Internet sites were ever going to allow you to authenticate using a 3rd party.


Actually, Facebook was in fact a relying party for a time. See https://www.wired.com/2009/05/facebook-opens-up-to-openid/ for example.

Adoption was negligible so they eventually killed it.


OAuth is exactly the same. You can't log in to Facebook using your Google account.


Have there been any retrospectives or published thoughts around why OpenID failed? Ideally an extensive, impartial report would be nice to read through.

While it's easy to blame big technology companies for the failure of open standards, there might be other reasons behind it (as well as companies trying to prevent it from succeeding)


OpenID failed because you had to sign up to an OpenID provider and then copy and paste some weird URL from there into websites you wanted to use.

Why would anyone bother with that hassle when you can just put in your email address (that you already have & know) and a password.

In contrast, OAuth succeeded because most people already have a Facebook / Gmail / Github account, which meant that sign up just becomes clicking a single button which is easier than email signup.

OpenID was more difficult than email signup, whereas OAuth is easier.


Having a DNS-like system that resolved an individual's email address to an OpenID provider (or more than one?) might've been a good idea.


Perhaps the courts could be helpful here. A long-established Google account has significant value to the user. If Google terminates such an account, value is destroyed and damages are incurred. You should be able to demonstrate the value of the lost account to a court and demand restitution from the host.

If successful, this would impose a cost to Google for shutting down accounts capriciously and incentivize them to do better.

This would be a challenging lawsuit to win. You’d probably need support from an organization like EFF to manage it.


If successful, google will terminate all free accounts, as will every other free provider (... which will not necessarily be a bad thing)


Honestly it'd be hard for any 3rd party accounts to make that claim except Google, Facebook, Microsoft, and maybe? Twitter and github?

At one point I was signed up in over 300 places using my Google account. Eventually the thought occurred to me, "what happens if I get locked out of this account?" And I don't really mean shutting it down. I lost a Microsoft account with over $3000 worth of purchases and 10 years of history, because I lost access to the recovery email address it used. So since then I've made sure to "spread the risk" so to speak.

Through 2 years of effort it is now only a handful. Some of them remain because either a) there's no other way to sign up or b) there's no way to convert it to an email based account.

But still - that's 2 years. 2 years of weekly, sometimes daily, moving yet another thing off that login (but it still uses the email! that's the next step -- kill the email).

The level of effort has been gargantuan. For some people, it would simply never ever happen. To lose a Google account would not only be damaging, it would be like your entire life being erased.

The level of damage here is enormous and Google has to take responsibility for the power it has amassed.

If they want to terminate all free accounts, it'd be a wonderful thing. Either people would finally be free of the behemoth, or Google's incentives would change to finally care about users (well.... hopefully).


I doubt it. These lawsuits would be few and far between and Google still derives a ton of value from its free accounts in the aggregate. They might just get better at terminating the right accounts...


Free accounts are an efficient way to trace users for their Ads business. No way they will terminate it.


I recently got locked out of my Amazon account. While trying to get it unlocked, I faced one of the worst experiences with Amazon customer team. I even reached to Jeff's email, but no reply. Finally, I had to file an official complaint in the consumer court to get my account unlocked. All of these events took around 14-15 days. During these days, I was suddenly unable to use my Echo, Prime video, Kindle books, readwise, and prime now services. I never really tried any other competitor service before, and was solely reliant on Amazon's offering. That time I realized the amount of power such single sign-in yielded. I can only imagine what happens when you use it for every service via a third party and use it daily, only to suddenly see it lock you out. I hope there's a better way to login in the future, maybe something like trusona or magic

PS: I did not do anything wrong but still suffered a lot of psychological pain due to this mistake by Amazon's internal security.


We also offer multiple third-party signup solutions for our service in addition to "traditional" e-mail based signup. For every service we retrieve and store the users' e-mail address on our server (we also need that to e.g. send out invoices) and enable e-mail based login and password reset/generation by default (you can disable it or add 2FA), so your account will not be lost just because your OAuth provider blocks your credentials.


Won't the password reset link of a blocked Google user get emailed to their inaccessible gmail inbox?


I think it's to protect against the Identity Provider revoking access to the service you're dealing with rather than them blocking your account.

We saw this recently with "Sign in with Apple" and Epic Games, where Apple denied access to Epic and the accounts that did not share their actual email were effectively lost.


Except that Apple didn’t go through with revoking it:

https://www.epicgames.com/help/en-US/epic-accounts-c74/conne...

> Apple previously stated they would terminate “Sign In with Apple” support for Epic Games accounts after September 11, 2020, but today provided an indefinite extension.

https://www.epicgames.com/id/login


That's great, but I'd wager that a majority of users that use Google login are doing so @gmail.com, so their email address is also toast if their Google account is suspended.

I suppose you, as a site operator, are doing all you can do, though.
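

Added example, not the code of the service described in this sub-thread: a sketch of the fallback it describes (keep the e-mail address from OAuth sign-up and allow e-mail reset and password login), plus the objection raised in the replies that the reset mail may go to a mailbox run by the same provider. The issuer URL, mail domains and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    email: str                                    # copied from the provider at sign-up
    identities: set = field(default_factory=set)  # {(issuer, subject)}
    salt: bytes = b""
    password_hash: bytes = b""                    # empty until the user sets a password


class AccountStore:
    def __init__(self):
        self.by_email = {}
        self.by_identity = {}
        self.reset_tokens = {}                    # sha256(token) -> e-mail address

    def signup_with_oauth(self, issuer, subject, verified_email):
        account = Account(email=verified_email.lower())
        account.identities.add((issuer, subject))
        self.by_email[account.email] = account
        self.by_identity[(issuer, subject)] = account
        return account

    def login_oauth(self, issuer, subject):
        # Match on (issuer, subject) only. An e-mail claim is not used as a key,
        # so a re-created provider account with the same address is a stranger.
        return self.by_identity.get((issuer, subject))

    def start_password_reset(self, email):
        email = email.lower()
        if email not in self.by_email:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[hashlib.sha256(token.encode()).digest()] = email
        return token  # a real service would e-mail this instead of returning it

    def finish_password_reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).digest()
        email = self.reset_tokens.pop(key, None)  # single use
        if email is None:
            return False
        account = self.by_email[email]
        account.salt = secrets.token_bytes(16)
        account.password_hash = _hash_password(new_password, account.salt)
        return True

    def login_password(self, email, password):
        account = self.by_email.get(email.lower())
        if account is None or not account.password_hash:
            return None
        attempt = _hash_password(password, account.salt)
        return account if hmac.compare_digest(account.password_hash, attempt) else None


def login_paths_after_block(account, blocked_issuer, blocked_mail_domains):
    """Login paths that still work once `blocked_issuer` suspends the user."""
    paths = [f"oauth:{iss}" for iss, _ in sorted(account.identities)
             if iss != blocked_issuer]
    if account.password_hash:
        paths.append("password")
    if account.email.rsplit("@", 1)[1] not in blocked_mail_domains:
        paths.append("email-reset")   # reset mail reaches a mailbox the user can open
    return paths


def demo():
    store = AccountStore()
    idp = "https://idp.example"            # constructed identity provider
    idp_mail = {"idpmail.example"}         # mail domains run by that same provider
    alice = store.signup_with_oauth(idp, "sub-1001", "alice@ownmail.example")
    bob = store.signup_with_oauth(idp, "sub-1002", "bob@idpmail.example")
    token = store.start_password_reset("alice@ownmail.example")
    store.finish_password_reset(token, "correct horse battery staple")
    return {
        "alice": login_paths_after_block(alice, idp, idp_mail),
        "bob": login_paths_after_block(bob, idp, idp_mail),
        "alice_password_login": store.login_password(
            "alice@ownmail.example", "correct horse battery staple") is alice,
        "recreated_identity_login": store.login_oauth(idp, "sub-2001") is not None,
        "token_reuse": store.finish_password_reset(token, "another password"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```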


I had a similar problem. I used Google to sign in on digitalocean, then I changed the main domain in google apps and readded the original domain separately on Google Apps. But probably because some kind of ID mismatch, I was now unable to sign-in on Digitalocean with the original e-mail address recreated in Google Apps. Password recovery didn't work either, for some reason digitalocean doesn't do password reset for accounts that were created using Google sign-in. I was forced to create a support ticket with digitalocean and wait.


And after that?

They probably put a human to communicate with you, verify some identity and then give you access to your servers again, I'm sure?

Compare that with Google (and Facebook, those are the two I have experience with) who will simply lock you out of your account and if you ask for help, they say they cannot. "But what about the three years of photos I've stored?" I asked. "They have now been deleted since your account was terminated" they told me. "Why?" "We cannot tell you".


For the average user, with poor password hygiene, I'd advise them to use a federated identity option that is more likely to have a decent password - they are more likely to have a good password for an account they care about.

I think the conclusion of the article is flawed. I think the risk of getting locked out is far lower than the odds of any single, or even all of, other (non-major tech co) website you might join getting breached. It's fair to argue the impact might be less also - and I'm happy to have this debate.

In my experience, typical users aren't the ones that get their google accounts banned - they are always banned for doing something significantly more sophisticated.


The truth is you should not use Google login to Google services either. You get the service promise you pay for, none. If their secret algorithms decide that you are in breach of whatever ToS, they will lock you out. Not very likely for the average user. But more likely for an HN reader who might experiment with programmatic access to the services or do other atypical stuff.

Yes, I need to move away from gmail...


You can pay for a Google account.


I'm honestly not sure where we went so wrong as a society so as to reach this point. Whether it's overzealous AI or the AMPification of the web. Google act with impunity and without remorse, every action designed to further their goals and agendas without respect to humans caught in the crossfire.

If Google can, without due process and fair warning, remove your existence then this is a power that should be delegated to the relevant authority, namely the "justice" system to make such considerations.

If your house could be removed at a whim because a bot decided you were a bad person it would likely cause an uproar, it wouldn't be tolerated.

Yet here it is. Google can offer their services and the legal system seemingly doesn't want to be involved.

Why?


The speed of technological development is faster than the speed of societal or legal development.

So yes, right now we've woken up in a world that is not so much cyberpunk as it is techno-feudalism: more and more do you need a presence on the Internet to do things in meatspace... And that presence is by the grace of several feudal lords (Google foremost) - woe betide you should you ever displease them. You do not really own your email address, your phone (number) or (pretty soon) even your computer. You're merely a serf.

On the plus side, the momentum for legal measures seems to be increasing. Let's hope they do get broken up. Power, like plutonium, is dangerous if too concentrated. Regardless of where that concentration lies.


Techno-feudalism is exactly what cyberpunk novels were describing. They were dystopias. They were warnings about letting corporations control everything.


True, but so far we just get the bad things (corporatocracy and the gradual hollowing out of individual liberties) and none of the good things (gene-hacking, neural uplinks, and matrix-avatars) that cyberpunk promised. I demand a refund!


Techno-feudalism and anarcho-syndicalism will form a dynamic balance, if the prophets are to be believed. :-)


This isn't even a tech problem. It's a lack of regulation to give recourse for individuals and lack of ability for them to be treated fairly by businesses.

We need to treat companies that put themselves into a position like utilities as utilities. Give individuals actual transparency of why actions were taken, and an ability to appeal these decisions with transparency.

It will cost more, but that is ok. What we have now is that the actions have caused real harm and the companies are unwilling to justify them. That's an abuse that needs to be removed through law.


I worked at Microsoft for several years about a decade after they lost those famous lawsuits and I can tell you that the company culture around monopoly power and user rights was incredibly well defined. The company was absolutely paranoid about doing anything ever again that would create that set of lawsuits and from what I can tell, in the 8 years since I left MS, that culture is still alive and well. It's probably why MS is the only company I still feel comfortable doing with, among the "tech" companies.

The hard slap they got from the government was enough to apparently permanently change the company culture around treatment of users and other businesses.

I see a lot of the excesses we see coming out of Google, Twitter, FB, to be a consequence of there being, well, zero consequences for their behavior. They're like petulant children who never learned limits and think it's ok to do whatever they want, no matter who they hurt. That's exactly how you teach children -- give them limits. Ironically, the same rule applies to adults.


This. The power company can’t cancel you for a tweet for a reason.


Laws that provide meaningful mechanisms like this would also be a good signal to keep companies from being in such a powerful position. That is good for everyone.


I like the term "techno-feudalism" - captures the increasing nationalism over things like technology sales to China by the US etc too, the Tik Tok situation...


See also: Kindle books; movies "purchased" from Amazon, Apple, et al; Tesla upgrades you paid extra for; I could go on....


Kindle books were actually pretty good, back when they could reliably be liberated. Unfortunately, that's no longer the case.

In general, I think that's also a point we can draw from the cyberpunk genre, or maybe from Harry Harrison's old-school prefiguration of it in the Stainless Steel Rat series - the eponymous creature being one well suited to thrive "within the walls" of a society increasingly sclerotized with technocratic bureaucracy, but perhaps equally suited to a life of gnawing through the circumscriptions imposed by competing technofeudalist fiefdoms.


Off-topic, but legitimately purchased Kindle ebooks can still be quickly and easily liberated for the purposes of DRM-free personal backups of owned content. I won't comment on whether Amazon find this acceptable, or if it is legal in any given jurisdiction, but it is definitely possible.


Thankfully it will (probably) never get as bad as Stallman described it[1], but you never know.

[1] https://www.gnu.org/philosophy/right-to-read.html


This is precisely why I buy vinyl or music from Bandcamp, and choose the disc version of the PS5.

I view my digital purchases as things I am forever renting.


Those discs aren't going to do you much good if you don't have access to or have had access to PSN, since most games ship with a huge day 1 patch to fix all the issues between going gold and the date of sale.

Movies/Music/Books can be displayed and played back on damn near anything. Games, especially modern games, exist in both a variable state (constantly revised/updated), but also with a much more limited ability to access the content.


I lost a small number of games due to PlayStation support not being able to get around the fact that although I purchased some of them via PayPal, I also bought other games with a credit card. They could verify I owned the actual account and I answered all security questions but they still wouldn't fix whatever issue I had (this was at least 5 years ago so I forget particulars).

That experience forever turned me off to relying on digital-only.

To your points, having a PSN account is necessary but I can always create a new one if need be.

Whenever possible, I prioritize non-DRM media for purchase.


... You can't store MP3 files why? You're renting your hard drives, too?


I meant digital purchases with DRM or inside a digital store like Vudu or Amazon Prime.


I have yet to hear about the first amazon account ban.

I don’t think they’re really interested in that, since the accounts are almost by definition making them a bunch of money.


I once used to buy digital movies on Amazon and thought it was a great experience. Until my first vacation in Canada where I discovered I couldn't watch my movies. I called them and they said that my movies were region-locked to the United States. To their credit, they did refund all of my digital purchases. I haven't bought anything digital from them since.

So, not an Amazon account ban, but you quickly learn you are not "buying" a movie, but renting it, sometimes with silly restrictions like "only from these IPs".


I'm having trouble understanding your point. Leaving aside simply googling it, surely you can't be saying that because you haven't heard of something, it doesn't exist or isn't a threat or isn't worth any concern.


Considering I have heard, and regularly hear of Facebook and Google account bans, my sample size seems large enough to conclude that either amazon account bans don’t happen, or nobody cares enough to make angry posts about it.

It’s still a concern because of the mechanics of the thing, but it appears less applicable for amazon at the moment.


That exact "logic" is extremely common in journalism, as well as on most social media platforms including this one.

If you think about it, this shouldn't be all that surprising - after all, this is exactly how intuition works, and the human mind runs very much on intuition, people just don't realize it (at the object level).


I've never heard of intuition so this must be false. I'm sure I'd know about it otherwise.


Sometimes I get in a kind of a depressed funk, and then a comment like this comes along to refill my optimism-for-humanity tank.


It doesn't have to be an account ban. I've recently started playing games on my old Nintendo 3DS again and discovered that I've lost my Nintendo Network ID password and closed the associated email account. That leaves me in a state where I can't log out of the account on the console without losing the associated digital software licenses.

Not that that's Nintendo's fault but I think something like this will be the fate of every account that's not used, closed or deleted for a long time and owning your data and software possessions would protect against it.


https://www.cnet.com/news/amazon-banned-this-shopper-then-he... talks about it - the primary reason is for excessive returns. Alternatively, there are sellers as well that are more in danger.


There was the case when they remotely deleted the novel 1984 from a bunch of devices.


Ah, good one. I’d forgotten about that.


OT: Please tell me you have a blog, I enjoy the way you write.

I run my own mail server but my VPS provider could be coerced to yank it from me. You’ve made me uncomfortable with revelations. Damn, we’re fucked.


Thank you, but none of my ideas are novel in any way[] and there are far better writers than me already expounding the same points, no need to add to the noise. Stallman, Doctorow, et al. pretty much saw these developments coming years ago and warned about them.

[] Every person's thinking and writing is mostly just a pastiche stitched together of thoughts they heard or read from others anyway. (And this is, of course, the meme idea, which is not an original idea itself either)


> I run my own mail server but my VPS provider could be coerced to yank it from me.

I've got two comments on this.

Firstly, you're already doing much better than most people. Make frequent backups, and if it comes down to it, you can always point DNS at a new provider.

Second, don't put anything on a VPS that you aren't willing to let the VPS provider or whatever Gov. has jurisdiction access. Where email falls on that spectrum for you is of course your own decision.


There is one more solution. Use a VPS only as an endpoint bastion server. Keep the data and services in your own home server. We need not trust the VPS provider this way. And we can easily recover as long as the domain name and the home server are under your control.


Having domain names under my control are a big reason for my excitement for Handshake's/Namebase's existence.


An idea I've been mulling is getting a baremetal server from Exoscale (based in Switzerland) and running a mailserver on it. Haven't done it yet for many reasons, least of which is laziness...and I want to try and create a JMAP server with an IMAP bridge but that's another story.


I liked the term too. If you are large and powerful, you are the law and whatever you say works. Hopefully as society matures we learn to establish some form of rules/laws that are sane and empower people.

But in every society a small circle of privileged people have always been the norm and despite wider access to information today it seems like consolidation of power and wealth seems to be trending upward.


Rules aren't worth the piece of paper they're printed on unless there is an equally powerful force that can set terms. The problem right now is there is no counterbalancing force.


Not wrong.

But even a little plutonium is too dangerous to let my kid play with it.

Email? Not quite as much.


> I'm honestly not sure where we went so wrong as a society so as to reach this point... Why?

The answer is actually very simple: spam.

AFAIK pretty much all disabled Google accounts come from Google believing they are part of a spam-sending (or malware-spreading) network.

The ability to sign up for free Google accounts means this is a prime target for spammers to use and abuse -- signing up for free Gmail/Drive accounts, as well as using stolen credit cards to sign up for paid ones.

As to why the legal system doesn't want to be involved, it's because incorrectly disabled Google accounts are actually incredibly rare -- they make the news and cause uproar when they occur, but precisely because it's so unusual -- it's incredibly rare to personally know someone it happened to. So there isn't any kind of democratic movement against it because in the grand scheme of things it isn't common. It's like worrying about being struck by lightning.

That's why.


> it's incredibly rare to personally know someone it happened to

I don't know anyone who has a degree in History but that doesn't mean historians are especially unusual. All it means is that my network is quite small.

The same is true here. The fact few people know someone who has been affected by this problem doesn't mean the problem is unusual. It just means there are hundreds of millions of people who use Google and you know a few thousand at most.


According to the Bureau of Labor Statistics, the number of historian jobs in 2019 was 3500 - that's in the entire US.

So... incredibly rare, really.


They did say "degree in history" rather than "job as historian" though.


Exactly. The number of people in the US workforce who have a history degree is a little over a million (https://datausa.io/profile/cip/history).


Undergraduate degrees are easy to get. Having a psychology degree doesn’t mean you’re a psychologists, a history degree doesn’t mean you’re a historian, and a math degree doesn’t mean you’re a mathematician.

The extremely large majority of people go on to work regular jobs that have nothing to do with their degree and lose much of the information they learned, if it was even substantial at all.


All the unemployed historians now feel oppressed, thanks.


> incorrectly disabled Google accounts are actually incredibly rare -- they make the news and cause uproar when they occur, but precisely because it's so unusual

Or they rarely make the news because they're so common, and the few that get publicised are because the victim raises a big stink on social media.

I've certainly created Twitter and Microsoft accounts and had them wrongly disabled within days, despite not doing anything at all with them, let alone anything abusive. Perhaps because I decline to use my cell phone number for 2FA?


> had them wrongly disabled within days, despite not doing anything at all with them

That's because that's also a common tactic used by spammers -- to register and then do nothing for days/months, on the hopes that an "older" account will be less suspicious.

Nobody's complaining about that though because it's not a problem. No data is lost. Also, I've had it happen to myself (with Twitter) and it was incredibly easy to re-instate.

To clarify, I was referring to legitimate, in-use (with data to lose) accounts being incorrectly disabled.


I think it's more common than you believe, and certainly more common than the ones that make the news.

The ones that make the news are people that are either well known, or have an active way to promote their problems through social media or news sites.

I.e. they are reporters, know a reporter, dev of a popular app, etc etc etc

They are Jane/John Doe that has less than 50 twitter followers and a normal every day uninteresting person, for which there is no recourse at all not even social media


Would be good if Google just published the stats on their transparency report:

https://transparencyreport.google.com/


>"It's like worrying about being struck by lightning."

If lightning strikes there is not much to be done. Google however can and must have reasonable process to restore the status.


Yeah, the fact that it’s like being hit by lightning is exactly the issue.


Hm. Lawyers love lawsuits about folks struck by lightning? So I'm not sure that's the reason this issue is not a lawyer's forte.

I'd suggest it's because it's hard to prove or prosecute. Because it's technical and obscure. A single case, Google just has to say "Oh sorry; it's turned back on". There's no money in them capitulating. And a class-action suit enters into the details of the issue, which are impenetrable to a judge?


You’d think there’d be a very simple solution to this—one that I believe Google already used for a long time, but just never generalized.

That approach: “proof of human work.” Google owns ReCAPTCHA, and every time you do a ReCAPTCHA for Google, you’re doing a little one-time proof-of-humanity for them. But it’s also a proof-of-work; and proofs-of-work that cannot be automated are aggregatable.

In other words, the fact that someone with Google account X solved a ReCAPTCHA, doesn’t just tell you something about who that account is lately. It should add to a sort of “human-proof credit score” for the account, where Google’s systems are more willing to put faith in the user because of all the times they’ve proven themselves human already.

And, for some scenarios, Google does use the aggregate proof ReCAPTCHA represents this way. This is why you’ll never see the Google Search “stop searching so fast” message when accessing Search through Chrome synced to a well-used Google account; why you’ll get a ReCAPTCHA portal from them instead if you’re not logged in (you’re being asked to build the credit score of your IP/session); and why you’ll be denied upfront if you perform botlike behavior through Tor (where there’s nothing that can be correlated to give you a persistent credit score.)

Now, such a “highly-proven” Google account could still be heuristically detected elsewhere in Google’s systems as being responsible for botlike behavior (e.g. spamming); but, when such a highly-proven account is flagged, it should go in for manual review. Because — as you say — this is incredibly rare! So this process doesn’t need to scale through automation, the way regular Google processes do. It can be high-touch.

But right now, it’s not. (Or they’re just not even using the high-proof-of-humanity metadata on the account during this determination.) Either way, that’s kind of silly.


Even when logged into Google, search still often enough thinks I'm a bot...


Is this speculation, or the comprehensive, objective explanation?


Because we were making money.

When I got started programming full time, tons of people in the software industry were getting their rocks off on how simple it is to install an Oauth library, making it easy as pie for people to sign in to a web service, thus encouraging more sign ups and making more money.

Maybe we've forgotten just how much of a hard-on we and the entire world once had for the likes of Google. 8 years ago, we would have trusted Google with our entire future. Politicians were on board, too, and have made many deals with Silicon Valley which ended up giving these firms a certain level of immunity.

We're all guilty.


Your generation might be guilty. But those that came before and after knew better. This is the generation who thought using their real names online was a good idea. That's where things went wrong.

Never in my life did I see an OAuth library and think this is easy as pie. Overcomplicated perhaps.


There is no generation that has a great track record with security.


Because a house is significantly more important than an email address. I get being extremely online but let's not be silly here.

Plus that email/account is hardly even "yours" in a serious way. Anyone on the HN has a very simple fix for all these problems: get an email in your domain and a password manager for all the accounts. There, solved. You could even still use Gmail with their Google Apps, G Suite, Workplace or whatever it's called this month.

Normies are way out of luck but sadly that is true almost everywhere and they are getting fleeced much worse by banks, employers, and even cable companies than Google ever could hope.


Put simply, one's house is literally on their own property, and one's Gmail account is literally on Google's property.

If someone owned a vast amount of land, more than needed for everyone on earth to build a house, and the owner told people they could freely build structures but you lose it if you break the rules and the rules can change any time...


Land is a weak analogy here, because land is scarce.


I've had a recruitment consultant suggest I use a gmail e-mail address on my CV, because it looks weird to have an address at a domain (my own, and not anything strange btw) that people haven't heard of. Sounds crazy. But try dictating an e-mail address over the phone to a hotel or whatever and see that if you say 'Fred Bloggs seventy six at gmail dot com' or whatever, you never have to repeat yourself, whereas anything less usual you'll be spelling it out all day.

On the technical side, one hears about individuals' domains being marked (blamelessly) as possible-spammers by the big e-mail services, and finding it hard to get messages through. There is effectively some scarcity in legible, desirable gmail addresses.


I agree that it's not black-and-white. It's also not as dramatic as the land analogy suggests. There are plenty of other email providers that are perfectly socially acceptable to use.


Counter point, I’ve been told by recruiting that my email makes me stand out because it’s not the norm domain name and it’s a little “fun” in the sense that it conveys a little light personality.


I'm 100% certain that a number of opportunities I've been offered have been because I proved a certain level of competence by maintaining my own email and domain; this certainty is largely due to the incidence of comments like the ones you note. It's definitely a way to stand out.


I got a call from a recruiter from a large company that simply “had to reach out” because my email was so unique. So, there’s that too!

Maybe it has hurt me somehow but...I wouldn’t want to work somewhere that would hold my email domain against me


The scarcity of land makes it different, but not a weak analogy.


>Because a house is significantly more important than an email address.

If you can't pay your rent because no customer can reach you anymore or lose trust in you (because you don't answer) your house is gone shorter than you think.


Telecom regulators see fit to make sure phone numbers can be ported from one carrier to another. I fail to understand why the same mandate is not required for email addresses and authentication services. They might not look to be as important as a house, but their loss can still have quite a significant impact on someone's livelihood.


The technical mechanisms for maintaining a stable identity already exist. Why aren't people using them?


Yeah, I don't think there's any meaningful way to "port" a "gmail.com" email address away from Google. The entire internet infrastructure is set up so that can't happen, based on the meaning of "domain".

Seems like there's an opportunity there though. If someone could create a platform that would take your address, create you a custom domain, set it up, get your email flowing there (including porting over all your existing email out of gmail), and then helping you move your sign ins to that new address..

That'd be huge. It would also be very, very hard, the amount of infrastructure it would touch.. but doable.


> If your house could be removed at a whim because a bot decided you were a bad person

It can.

> it would likely cause an uproar,

It doesn’t.

> it wouldn't be tolerated.

It is.

Big fat article in the New York Times some months ago about AI deciding that landlords shouldn’t rent to certain people, and the AI often being wrong. Very wrong. Like tagging someone as a convicted drug dealer, when the reality is that person has never been in trouble with the law, and never been to the state where the alleged offense supposedly happened.

We have to stop calling this “artificial intelligence,” because it simply is not intelligent. Humans put faith in machines because we're told they are intelligent. But all the evidence shows that at best “AI” is good at guessing.

If we started calling these “artificial guessing” systems, people would treat them appropriately. But that doesn’t buy investors a boat.


US national politics. One party is in bed with the copyright owners, the other doesn’t believe that the government should govern.

Google fills the gap.


> One party is in bed with the copyright owners, the other doesn’t believe that the government should govern

This political model is dated. Republicans are no longer conservative. And Democrats have an ascendant progressive wing that rejects corporate influence wholesale.


An ascendant wing the party is doing everything in its power to stomp out.


They will milk you for your vote but when power is won you will be excluded. Look at what happened last week on the leaked conference call. Progressives were blamed for losing so many house/senate races.


Can you provide a link/name for this leaked conference call? I'm interested in listening to it.



> Democrats have an ascendant progressive wing that rejects corporate influence wholesale

Who mostly organise and communicate on giant social media platforms, who they campaign to fact-check things. Not exactly wholesale rejection.


> Yet here it is. Google can offer their services and the legal system seemingly doesn't want to be involved. Why ?

The real question is why do people use Google to sign in to other services? It never even crossed my mind no matter how long I have had a Google account.


I don't want more accounts and passwords. The security seems strictly worse than just authenticating against my email provider directly.


password managers are a thing. Takes literally 20 seconds to add a new one to a new account.


Why make logging in more complex and less secure? I use a password manager but it doesn't work as smoothly as signing in with Google.


There's no good reason not to use a password manager in 2020. I recommend this one: https://www.passwordstore.org/


No good reason until an exploit comes out that wreaks havoc.


You can use local ones like KeePassX.


There’s still good reasons. Mine is using public computers (library or school), or being able to use any computer at work in private browsing mode.

It’s also trivial to have passwords which are secure and easy to remember (literally off the top of my head): MyD0gb@rk$...


That is not a secure password. The phrase "mydogbarks" appears in several word lists and hashcat has had leetspeak rules for years now.
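
A signup-time check for the weakness this reply points out, as an added example that is not part of the comment: undo leetspeak substitutions before the dictionary lookup, so a disguised phrase is rejected the same way as the plain one. The substitution table is an assumed subset and the word list is a constructed stand-in for a real dictionary or breached-password corpus.

```python
import string

# Common leetspeak substitutions, inverted so the check can undo them.
# Assumed subset for this example; real mangling rule sets cover many more.
DELEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a real word list.
WORDLIST = {"my", "dog", "barks", "cat", "sleeps", "password", "letmein", "summer"}


def candidates(password):
    """Two normalizations, since '$' or '!' may be a disguised letter or a suffix."""
    lowered = password.lower()
    edge = string.digits + string.punctuation
    return [lowered.translate(DELEET).strip(edge),   # symbols treated as letters
            lowered.strip(edge).translate(DELEET)]   # symbols treated as padding


def segment(text, words):
    """Split text into list words using the fewest pieces, or return None."""
    best = {0: []}
    for end in range(1, len(text) + 1):
        for start in range(end):
            if start in best and text[start:end] in words:
                pieces = best[start] + [text[start:end]]
                if end not in best or len(pieces) < len(best[end]):
                    best[end] = pieces
    return best.get(len(text))


def check_password(password, words=WORDLIST, min_length=8):
    """Return (ok, reason); rejects list words and phrases in disguise."""
    if len(password) < min_length:
        return False, "too short"
    for candidate in candidates(password):
        pieces = segment(candidate, words)
        if pieces:
            return False, "dictionary phrase after normalization: " + "+".join(pieces)
    return True, "no dictionary match"


if __name__ == "__main__":
    for pw in ["MyD0gb@rk$", "Summer2020!", "P@$$w0rd", "q7#Vd2!kLx9w"]:
        print(pw, check_password(pw))
```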


Hard to imagine what sort of exploit could come out that could cause havoc when the encrypted passwords are stored on your device.


Imagine a vulnerability in the password manager extension that allows a hacked site to fill in and scrape every login stored in the password manager.


I do use one. Doesn't mean I want another username and password to authenticate everywhere.


Is there an android app for it?


Ease. If you're already logged into Google, it's essentially a one click process.


I get that. But I also don't want all my services to depend on Google at all, even if it's just a login.


The authentication service should ideally be under the control of the user. At least, the user should be able to choose one that they trust. I doubt it's an accident that current authentication systems lack that choice.


For similar reasons that you and I use password managers, but add lower friction to the mix.


One could even eliminate those same tasks (not wanting to remember a new password, and not wanting to use a password manager) by setting an unmemorable password and doing a password reset using a Gmail address every time they want to log in. "Log in using Google" basically does that same sort of thing but without the tedium of all the clicking/typing. The mechanism is much different but in terms of dependencies it's really the same.


Slack has this I think. You just sign in with a special link sent via email.


That doesn't sound like lower friction to normal people.


It's not quite your scenario yet but we're pretty darn close: https://www.dailydot.com/debug/duplex-demolition-google-maps...


That incident looks like incorrect data in Google Maps but also incorrect behavior by the company tearing down the house. It also was complicated by the fact that this was post-tornado and normal signage was likely not present or reliable.


> If Google can, without due process and fair warning, remove your existence then...

... you have clearly not understood that you should not have trusted them in the first place.

Yes, I have a Google account myself, but I try to use it as little as possible. My main reason for using it is the Play Store and I agree that it is unjust, that Google can remove my access to products I have paid for without really justifying for it in the sense of most people.

So I agree that something should be done. I think the line should be where paid services are offered. So if you just use a free service, Google (or any company) should be able to stop providing you with that service whenever they like (while still providing you with access to the data you have generated or used with the service).

However, as soon as they have charged you, they should be forced to pay you back the whole amount (or offer some other kind of mediation that is more meaningful than receiving answers like 'Computer says no').


Why – "Sufficiently Powerful Optimization Of Any Known Target Destroys All Value" https://thezvi.wordpress.com/2019/12/31/does-big-business-ha...


Google is a profit seeking business entity just like many others and hence will do whatever they can to advance the interest of the company and its shareholders. It would be nice if companies had moral responsibility and societal accountability however that’s seldom the case in USA. The role of taking care of the people belongs to the government. Companies have choices but no obligation to do what’s best for you.

If you are using a free e-mail service run by one of the world's largest and most powerful marketing companies as the identity / auth provider for your critical services and applications you should seriously reconsider your choice.

To paraphrase your comment: I'm honestly not sure where we went so wrong as a society so as to reach a point that we get mad when a service we do not pay for, run by a selfish company, decides to shut down our access.


When companies act too amoral we create laws to stop them.

Edit: The point is that it is usually in companies' own interest that we don't create laws restricting them, so they typically don't act too amoral. You won't find many companies which go after every single legal loophole they can abuse, as negative public sentiment builds up laws will form and the company will be much worse off than if they just did the slightly less amoral thing.


One aspect might be that the part of the legal system that would deal with this is assuming that the parts that deal with fighting with monopolies, lobbying and regulatory capture are working just fine?


Because there is no clear jurisdiction for the web. That's it.


It is already bad that we need jurisdiction for such things in the web. I think we actually need such things to happen more often, so people can finally vote with their feet a long time ago for some freedom against a tiny bit of convenience. I think what we lack is a decent amount of social pressure.


What we need is the largest tech companies broken into smaller pieces.

The de facto monopoly of most of these players exists in their cross-border market share, making enforcement under traditional antitrust law in any one country difficult.

Unfortunately, it's also something of an international zero sum game due to efficiencies of scale -- if the US breaks up Amazon, Alibaba gains world market share, and we're back in the same place.

The most effective remedy I can think of offhand is government involvement in a special, independent branch of the company, dedicated to increasing interoperability and exposing services, empowered by legislation.

If we're going to have monopolies, at least they can be open ones. E.g. 18F + Google Takeout, backed up by regulation


The soul of the current internet is intrusive, tracking advertising. In Real Life we have fundamental structures such as identity that have not translated to the internet. In the world of advertising everything can be fake and there is no trust. We need a new soul. :-)


>>I'm honestly not sure where we went so wrong as a society so as to reach this point.

As with all things, Education is where we went wrong as a society.

In this case failing to teach people fully that there is no Free Lunch, and if you are getting something at no cost to you, then you are no longer the customer, whoever is paying for the good or service is the customer (people should also pay attention to this truism in other areas of life)

In the case of google, you are the product, you are being sold to advertisers, google gives you a very very very small piece of that revenue in the form of a "free service"


So what do you propose, make it impossible for Google to ban accounts?


Not OP but I think companies should have to inform you of the specific reason you were banned, and have a formal appeals process.

The stakes are quite high for losing access to your primary email.


Legal services can get involved just fine if you file suit. You'll just have to establish that Google owed a duty to you (by contract or otherwise) and that you were harmed by their breach of that duty.

(Roughly. I am not a lawyer.)


The point of the comments here is that $BIGCO is outside of the law from a risk measured standpoint (ie: they’ll bankrupt you if you fight them given their bigger bankroll).


I think that's likely mythical thinking, and not something based in data. It's fairly common for plaintiff-side lawyers to work on contingency when they believe you have a case.

Less likely here, given the somewhat unexplored territory, but still, the history of class-action litigation evolution is largely of lawyers/firms taking a chance such as this.


"It's technically possible for you 30 Spartans to defeat 100,000 Persians so go ahead, good luck" doesn't sound like a winning strategy.

I think the overall point here is to have the support of law that says they DO have a duty to you, by benefit of their hosting your account and authenticating you elsewhere.

Then, WHEN someone goes to sue them, the person has much stronger legs in court rather than lone Peggy Sue trying to defeat Google's 300-strong team of lawyers who exist just to eat little guys for breakfast.


Has this ever been done successfully in this situation?


It's not removing your existence. It's removing your access to all of their services.

At every point, google users are asked to acknowledge the EULA and TOS. They're being told that google can stop their service for any reason, including that service not being commercially viable. ( I.E. Any Reason )

Access to google services isn't a right. It never was, unlike the property rights you're drawing a false equivalency with.


Do you not see this as a problem? With the amount of services Google offer, losing them can be devastating; photos, emails, Android backups, contacts and so so much more.

This pandemic has been reliant on emails to access services; it's how I get my payslips, talk to my employer, get current information, engage with legal services, and essentially maintain my access to society.

Losing my emails would be devastating (hence why I don't use a "major" provider, at least less risk that way).

We need to define what "rights" are and weigh that interest in society. If Google wants to be a "one stop shop" it cannot, and must not, be immune to laws and the rights of individuals to challenge decisions.

Isn't that the foundation of a society?


No, it's not a problem. It's your problem if you become entrenched in their (or Apple's / FB / whatever) services.

I have a google account to test my devices / emulators. Never logged in gmail with that account, never will. If they cut it off, I can make another.

Same with Apple. I have an Apple free ID for running virtual machines with MacOS / iOS and that's all. I tell my customers to create their own Apple ID and I deliver them the sources + dev environment and they make their own binaries and publish on Apple store. My job is done once I make the app run on emulators and I tell them from the start of the project this.

I have a FB account to talk on FB mess with parents from school and that's all. I don't even have them as friends there, I am just in 3 lists and that's all.

Also I use protonmail currently as I've started migrating from yahoo 2 years ago (old e-mails still there, I open that e-mail like once per month).

Do the same, you'll be free. Also you can use an e-mail account outside of google domain to actually create a google account, if you really need one.


I do not have a FB account, but the test accounts I created got banned fairly quickly.

This was to work on an API integration.


Off topic but Facebook’s developer portal has a create test user capability that works pretty well. I don’t use Facebook either but if I need it for work I create a Facebook with my work email.


> No, it's not a problem. It's your problem if you become entrenched in their

It absolutely is a problem for a large amount of people.

> Do the same, you'll be free

The vast majority of people in the world are not taking the same actions as you are. Therefore this is a large problem for many many people.


I do not. Becoming dependent on a large e-mail provider is only because of continued willful ignorance.

Better education for how digital services work and how to properly handle your digital identity is the right way to handle this. Implementing regulation and cementing the "major" e-mail providers who have the resources to comply will only deepen people's dependence on these corporations.


So what do you propose then? How do you "properly handle your digital identity is the right way"?

Do I have 15 email addresses with 15 different providers? When a form asks for my email address I can only give one, what happens if that provider goes away?

What if a government doesn't like $provider and seizes the business? Now I can't get a reset link/change my password/prove my identity... Many government online services ask for your email these days, so you don't really have much control over that. If you said I am joe@blogs.com and blogs.com dies, you're toast.

Please do explain.


You went from dealing with being banned by google to the general case of an e-mail provider disappearing. This is different. In one case you have control ( choosing not to deal with google because of their arbitrary judgments when it comes to account termination ) in the other, you really don't. ( Random calamity that befalls your email provider ).

If your email provider goes away, you're screwed. Nobody accounts for this situation. Doubly so when you used an identity provider that has gone bust. The question is, how do YOU imagine imposing regulations on mail providers will change anything in a case like this?

Store your credentials, make backups of your emails, don't use identity systems. If things really do go bust, you'll retain access until you can get manual changes made to your accounts.

The other obvious solution is to have identity/e-mail built-in as part of citizenship and be guaranteed by your government.


Register your own domain and point it at your preferred service, if you lose access to that service you still retain the domain and you still have your email address.

If you want to solve this problem you have to spend some money somewhere otherwise you are simply demanding providers give you services, for free, forever, not something that seems realistic?


But can't the same problem happen if you, somehow, lose the ownership of your domain? I mean, I don't know what the actual assurances are, but if there is any chance that you may lose access to your domain (for causes other than forgetting to pay to renew, ofc), even temporarily, that would be the same as being banned from Google. Or even worse, because having your Google account locked means you can't use it but no one can use it either; however, if somebody now has your domain, they could be able to impersonate you.


I think that is very very uncommon and when it does happen there's usually some kind of legal process involved. In other words I don't think you're going to have your domain yanked away without some reasonable amount of warning and ability to dispute.

In the worst case scenario you'd have time to set up a new domain and move everything over. Annoying yes, but again extraordinarily rare.


Consider that our lives are increasingly complicated. What an adult is expected to know and understand has grown to the point that 16 years of formal education are required.

As email's importance approaches a utility like physical postal service it's reasonable to expect some regulation. So long as the regulation is independently developed and balances the needs of consumers and producers then it shouldn't be too burdensome for competition to exist.

In the worst case taxes could pay out to whichever provider one chooses.


I don’t see what’s lost if Google disabled my account. Yeah, photos, emails and similar but that is not really life changing.

I’m not saying it’s an unworthy cause to advocate a change but I’m just not seeing the moral weight compared to factory farming, and other hard industries that have an effect on societies and the planet.


You're setting a very high bar there, and then claiming that losing access to your gmail account isn't worse than that therefore it's not life changing.

Email ends up being the form of online identity for a lot of people, myself included, so that almost every service that I sign for has my email address as ID. If that email address isn't the ID, it's the preferred way of resetting passwords. I wouldn't be super happy about Facebook being my online ID, nor my cell phone number (see SIM swapping problems).

It's life changing in the same way that losing all your personal documents in a fire sets you up for accounting nightmares. Moreover, you're making very light of a situation about losing all your pictures. I'm not talking about food pictures, but there's plenty of "me" that's contained in being able to look at pictures of important events of my life (which is why I don't rely only on cloud backups for that).

I don't know what's "life changing" to you, then.


I do have a lot of stuff that I’d be sad about if lost on Google. And yes, I would be inconvenienced to contact all the services for an email change. But when talking about how our society got to where it is now, I just can’t see the moral weight of these kinds of monopolies in the context of just losing access.


I lose track of things easily. Gmail is my brain dump. Not only does it track all sorts of important email exchanges, but it also acts as a dump of scans of important documents. I have several gmail addresses so it's not completely single point of failure, but if my hub email was disabled, I am in a world of hurt until I sort things out.

Should I diversify? Probably, but that's more things to secure and keep track of.


If anyone honestly believes that Google can "remove their existence"...with or without due process, I think maybe they need to take a step back from the net. I read all the time the arguments over bitcoin's value being real or not, but maybe the better discussion should be on whether or not social media and having a digital presence has any actual "real" value.


<Unpopular :penguin:>

You can get also locked out of your phone

You can get also locked out of the email that you actually use for signing in because you can never remember the password and they stupidly ask you to change it every 6 months with bizarre constraints

You can get locked out of your password manager

You can get hijacked

The business you're signing into can go under

The odds of these things happening are to be weighted against each other

Yes you shouldn't use third-party sign-in for the bank account that holds all your money (though most consumer bank 2-factor authentication mechanisms, sadly, rely on third parties such as phone and email provider)

Yes it's also ok to use third party sign-in for the odd website that you don't care about which somehow insists on asking you to create an account

There are no absolutes in security risk management </>


> The odds of these things happening are to be weighted against each other

Mmmmm not quite -- they have to be weighed against the consequences if they happen. For people who have had a Gmail account for over a decade (almost 2), they've probably got most of their life connected to it -- losing the account then is tantamount to a huge chunk of your life being erased. Photos. Conversations. Access to dozens or hundreds of other websites.

Basically all that'd be left is your physical ID, your bank account and you get to start over from scratch.

And while all of the above can happen, many things on that list are under your control: losing access to your Google account (usually) isn't.

You're quite correct there are no absolutes but the problem is, when the consequence of something happening is extreme, the level of effort you put in to protect yourself from it must be equally extreme: to the point that it's generally good advice simply not to use 3rd party auth at all.

I no longer do. I use email/password or OTP whenever possible. Sites that insist I use social login are sites I don't sign up with.


"Never Use Google to Sign-In" he says it as he offers Google Sign-In through Disqus comment section on his blog.


If they had built their own comment section with Google login, that would be weird indeed. But if you just like Disqus comments (they certainly were hot when I actively blogged in 2012) and one of their login options is Google... I don't see the issue there unless they're really pushing you to use it.


Author said "If a website offers you to sign-in using Google (or any third-party service, say Facebook, Github, etc.), don’t use that feature." But he has Disqus comment section which offers login through Facebook, Twitter and Google. I would say that's a little bit hypocritical.

The similar thing is when a politician says corruption is bad and next thing you know he or she is involved in corruption scandal.


Disqus offers you sign-in using one of the aforementioned services but you don't have to use that feature. You can make an account normally and sign-in using email/password. The author says you should prefer the latter, not boycott any service offering the former.


He's not offering Google Sign-In. Disqus does.


It’s ok to give advice and choice.


I'd argue, never use a third party service to log in, if you can.

I always use my email to sign up. If I can't register by email, there's a good chance I won't use that service.


> Every respectable service allows you to create accounts using your email address, so please use that method to create your accounts.

Although using e-mail sign-up actually provides a number of privacy-related benefits over using the Google account way, it still doesn't solve the main problem - because the e-mail usually is GMail anyway (and when it's not - you can get blocked by Microsoft, Yahoo or anything else too, and you can also lose your own domain).

"Every respectable service" should let and recommend (but not require) you set a secondary e-mail and/or another way to contact you but they usually don't.


What's the issue here?

The alternative would have been to use email, which, presumably would have been a gmail.com address.

If Google locked you out of your account, you wouldn't be able to access your email account either.


Although this isn't practical for everyone, this is one of the reasons I use a personal domain name and then host the MX record with an e-mail service.

That way if, for some reason, that e-mail service were to close my account, I could repoint the MX record elsewhere and still have access to my accounts.


I only ever use "sign in with" for throwaway stuff I don't care enough about to register an account - if it's in any way important I set up an account, and add whatever form of 2FA I can.


I really wish 2fa was implemented in convenient form everywhere. There are a ton of sites that just force me to use SMS.


I wish more supported WebAuthn - it's so much lower friction than OATH TOTP or SMS. I've got everything on 3 yubikeys (including OATH TOTP) and I feel much safer than when I just used Authy


Isn’t this grounds for a class action lawsuit? Google and friends have the right to lock you from use of their services, but when such services encroach in your use of other services unrelated to google, that you may even have paid for, should google have the right to blanket block? Is it technically difficult to exempt google signin from account locks? Can we maybe also legally claim that if a company hosts your identity, that it has no right to hold it hostage? I mean, if I’m arrested, my identity automatically erased.

Finally, is it not possible to require that all such blocks critical to someone’s data require some form of govt approved appeals process?

I’m asking these questions so maybe someone can enlighten me on why they were not yet attempted, or if they were, why they failed? Is it legal complexity? Cost? Lack of large scale support, as in, is it only a niche concern that only the HN crowd is complaining about?


You were dumb. Then you were dumber. Then you were even dumber. Then you sued Google because a lot of other folks were like you.

Ok.


So name calling...bc why not?


This is a strong and succinct argument. I'm disturbed it never really occurred to me, probably because I am in part naive and take certain things for granted, like that I will never have a dispute with Google wherein they disable my account. But of course that is possible even at "no fault" on my part, and of course Google is judge/jury/executioner when it comes to their services. Yikes.

One thing I don't understand is: the author suggests a remedy is using your email address instead of third party sign in. But what if your email address is Gmail? For example, I just went to my Stack Overflow account and added my email address as a sign in method. But then of course I realized: my email address is Gmail. So what's the difference? How are we supposed to put this into practice without running our own email? Email is just another form of third party auth.


The difference is you can still sign in with email and password. OAuth would fail on a locked account.


Yeah that’s true. Still pretty bad, though, right? What if the service requires you to 2F confirm an existing auth to change auth settings (to add another login if you are locked out of your email)?


Sort of seems like everyone is going off. When this article doesn't really give any examples. It just says there are lots of examples.

I have around 8 gmails. They're all connected to various things via OAuth2 and I have never once had any of them locked.

Maybe I'm ignorant to some detail here, but, this sounds like a spammer retaliating because they got caught.



I agree with the general premise of this article that gmail/outlook/facebook owns too much power being able to lock you down with no due process.

However, for random sites, entering an email/password worries me because I have no idea how this password is handled server side, is it stored in plaintext or with a weak algorithm? The vast majority here don't care that much because they use a password manager but I'm worried about the ones that don't, they can be impacted if there is a database leak or if the site owner is shady and starts looking through its database for passwords that look reusable and try them on other important websites. How easy would it be to set a nice honeypot website that requires a username/password?

A properly set up google sign in makes it impossible to do that at least. Thoughts?


> [...]starts looking through its database for passwords that look reusable and try them on other important websites. How easy would it be to set a nice honeypot website that requires a username/password?

> A properly set up google sign in makes it impossible to do that at least. Thoughts?

Getting a good password manager and using it correctly removes the threat of someone getting your password and abusing it on other sites.


Absolutely and I have mentioned it in my comment. However, we all know that most of the people reuse passwords, more than often weak ones. That's who I'm worried for.


I understand. I actually tried to read your comment twice and missed it :-D

I guess I have had a busy week.


I realized that recently after Gmail locked my account for using email outreach software.

I restored it but automatically had to start thinking about a backup plan where I’d have to point my MX records away from Gmail to something else immediately in order to prevent email downtime.


> for using email outreach software.

I hope they ban people sending bulk email too... You should send that stuff from your own server or MailChimp etc.


I didn't understand what that meant, is it basically a euphemism for almost-but-not-technically-spam emails many startups and "personal brands" send out?


I would suspect; GSuite seems fine with being a SMTP relay for low-volume transactional emails and regular business communications, and nothing more.


Why is it okay to send bulk mail from service X or Y but not from service Z?


Gmail doesn’t do anything to manage unsubscribing from an email list, so if you were sending email blasts from there, chances are there wasn’t an unsubscribe link. Mailchimp and related marketing services automatically wrap each email with an unsubscribe button for their own reputation sake.


What annoys me is that when I do choose to log in with a third party service and the app still makes me create an account and put in a password. They treat third parties as a fancy way to auto fill the email address field.


> Every respectable service allows you to create accounts using your email address

This way I should maintain my own email server, because I can be locked out of my email by any of cloud providers as easily.


Would(n't) just having your own domain and pointing it at an email server one doesn't directly manage work?


True, but then again you never really have "your own" domain, you have use of it as long as the leasing corporation grants it.


You just have to use your own domain. No need to run an email server.

Of course most people don't have their own domain and linking a domain to a cloud email service is either expensive (Google, Microsoft, Fastmail, etc) or impossible (iCloud).


A thing which I try to practice since I switched to DDG a year ago is to not say “google” but instead “search”. They don’t deserve their own verb, let’s take it back!


Good point, but if Google suspends my account I've got bigger things to worry about than the dozens of sites I've used once or twice a year.

Paying for your own domain also comes with its own troubles. If you're not using Google (or some other service) as your mail forwarder, good luck being able to email anyone. Stealing your custom domain is also a real possibility, and negates your investment in Gmail 2FA.


Running a mailserver is something that doesn't just work out of the box, but it's not true that it's impossible to run a relatively reliable email service. Takes a bit of work, for sure. But it's the best and biggest federated network we have at the moment. Your custom domain can be secured by 2FA as well, if one is using a reputable registrar, and you can legally own it. So even if it's stolen, there is recourse.

I really don't enjoy this giving up on online sovereignty, just because of the convenience and some quasi-monopolists.

And I say that as someone who has very few accounts at any online-services (if avoidable, I'm not a fundamentalist, after all I am posting here right now) and runs mailserver (and cloudstorage and more). So I'm aware it's not all rainbows and unicorns, and I appreciate this is something that takes the skills and time that not everyone is willing to invest. Nor should they.

But one's own "domain" (in the DNS and also the territorial sense) is something that enables some freedom in a world where power is increasingly being concentrated and surveillance is becoming so ubiquitous.


> it's not true that it's impossible to run a relatively reliable email service

Good thing I didn't say that then.

Running your own email service isn't hard, even with setting up DKIM and anti-spam and so on, though it is time consuming. It is much harder to make sure people will receive your mail and it not be in their junk mail. I'm still seeing lots of email to mailing lists, with impeccable message content, ending up in spam based on mail server reputation or content similarity metrics. If you're running an organisation that can be very costly. If only a fraction of your recipients mark you as spam you'll get lots of misses.

Handcrafting your own internet stack is very libertarian, but it doesn't scale to anyone without access to deep tech expertise. Even governments decide they can't run mail any more. And I would argue that this isn't something you can fix about email. The problem is that the next system isn't federated at all -- it's balkanised and monetized: WhatsApp/Messenger, iMessage, Duo, Telegram, etc etc.


You don't have to run your own server, you can use a service that will (1) have a better privacy policy than Google and (2) support custom domains as a built-in feature. Like Protonmail for example.


How could my domain be stolen? :O


- does your registrar have a physical office? is it in a country with legislation friendly towards the country you're based in?

- does your registrar send Auth-Info code over email in plain text?

- did you enter real contact and residence data when registering the domain including public WHOIS database?

This is only a fraction of the attack vector.


> does your registrar have a physical office?

Yes.

> is it in a country with legislation friendly towards the country you're based in?

It's in the same country.

> does your registrar send Auth-Info code over email in plain text?

Of course not, that would be a big red-flag.

> did you enter real contact and residence data when registering the domain including public WHOIS database?

I have no idea what a public WHOIS database is, never registered anything there. For the registrar I've entered my real contact and residence data, should I not have?


I mean the contact details specified at the registrar and returned over the WHOIS protocol. Depending on the nature of a conflict the entity returned by the WHOIS requests might be considered the owner of the domain.

Unfortunate phrasing on my side:) Actually there exist scammers reaching out to well known mailbox names and requesting a fee for an entry in "WHOIS database".


Your real world mailing address is published in WHOIS ("who is") by default, often you have to pay the registrar extra to keep it private, which is admittedly a total scam. You could use a fake one, but then it eliminates a way to verify you own the domain.

The WHOIS client is in most distros, try it out.


Thanks :) I've tried it out and it only showed my registrar's contact details.


So many different ways domains are stolen. Or you lose your domain: UDRP, social engineering at the registrar, hack into the account at registrar, the email you use on whois record isn’t valid anymore, you have auto renew turned off and it doesn’t renew.
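
An added example, not part of the thread or of any commenter's post: several of the risks listed above (a lapsed renewal, no transfer lock, a contact address that lives on the domain itself) can be checked from a domain's RDAP record, the JSON successor to WHOIS. Both records below are constructed, and the function names, finding labels and 60-day warning window are assumptions made for illustration.

```python
from datetime import datetime

# Constructed RDAP-style domain records (RFC 9083 field names); not real registrations.
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.test",
    "status": ["active"],
    "events": [
        {"eventAction": "registration", "eventDate": "2015-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2020-12-01T00:00:00Z"},
    ],
    "entities": [
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [
             ["version", {}, "text", "4.0"],
             ["email", {}, "text", "me@example.test"],
         ]]},
    ],
}

HARDENED_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.test",
    "status": ["client transfer prohibited", "client update prohibited"],
    "events": [
        {"eventAction": "expiration", "eventDate": "2022-03-01T00:00:00Z"},
    ],
    "entities": [
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [
             ["version", {}, "text", "4.0"],
             ["email", {}, "text", "me@mailbox.example"],
         ]]},
    ],
}


def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2020-12-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expiration_of(record):
    """Return the expiration event as an aware datetime, or None if absent."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            return parse_ts(event["eventDate"])
    return None


def contact_emails(record):
    """Collect e-mail addresses from the jCard of each top-level entity."""
    emails = []
    for entity in record.get("entities", []):
        vcard = entity.get("vcardArray")
        if not vcard or len(vcard) < 2:
            continue  # contact data is often redacted for privacy
        for prop in vcard[1]:
            if prop[0] == "email":
                emails.append(str(prop[3]).lower())
    return emails


def audit_domain(record, now_iso, warn_days=60):
    """Return a list of finding labels (hypothetical names) for one record."""
    findings = []
    domain = record["ldhName"].lower()
    now = parse_ts(now_iso)

    # 1. Renewal: an expired or soon-to-expire domain can be re-registered by anyone.
    expires = expiration_of(record)
    if expires is None:
        findings.append("no-expiration-date")
    else:
        days_left = (expires - now).days
        if days_left < 0:
            findings.append("expired")
        elif days_left < warn_days:
            findings.append("expires-soon")

    # 2. Transfer lock: without it, a compromised registrar account or a
    #    social-engineered support agent can move the domain away more easily.
    statuses = {s.lower() for s in record.get("status", [])}
    if not statuses & {"client transfer prohibited", "server transfer prohibited"}:
        findings.append("no-transfer-lock")

    # 3. Circular dependency: renewal notices sent to an address on this same
    #    domain stop arriving exactly when the domain stops resolving.
    for email in contact_emails(record):
        if email.endswith("@" + domain) or email.endswith("." + domain):
            findings.append("contact-email-on-same-domain")
            break
    return findings


if __name__ == "__main__":
    for name, rec in (("sample", SAMPLE_RDAP), ("hardened", HARDENED_RDAP)):
        print(name, audit_domain(rec, "2020-11-14T00:00:00Z"))
```

RDAP does not expose whether auto-renew is enabled or whether the registrar account has 2FA, so those two items still have to be checked in the registrar's control panel.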


Phishing or bribing an employee at a domain registrar. Phishing you to get your password and then bribing or social-engineering someone at the phone company to forward your SMS-based 2FA codes to them. Waiting for you to forget to renew your domain and then registering it.


> Phishing or bribing an employee at a domain registrar.

Okay? I don't think anyone would go to that trouble.

> Phishing you to get your password and then bribing or social-engineering someone at the phone company to forward your SMS-based 2FA codes to them.

Seems unlikely, I never log into my registrar's website. I do often have to enter my Google password though!

> Waiting for you to forget to renew your domain and then registering it.

It's auto-renewing.


It often surprises people what effort someone will go to to steal their identity.

Consider that you have a github account. You might be in the supply chain for a bit of code someone needs to read or backdoor to attack a company that you've never heard of. Github is a harder target though.

The scary ones are the real estate funds redirectors. They just need to be in your inbox for a little bit and boom, hundreds of thousands of $ gone because people don't take the time to re-verify bank account details in person.


Social engineering attack on your domain registrar, court order, choosing a domain controlled by a dodgy registrar.

There's actually quite a few ways.


> court order

I don't think that's a "real possibility". It isn't impossible, yes, but very unlikely.


If anything happens to you which prevents you from renewing your domain, e.g. you are detained or in a coma, then it's probably gone as well unless you have a lot of credit on your registrar account.


Most domain registrars support autorenew with a credit card.


Most credit cards have an expiry date


It's auto-renewing.


Even when some services allow registering using good ol' email, some still refuse to accept any non gmail/outlook address. Met a service that wouldn't allow me to register using my own domain email address a week ago. Baffled me staring at the google, fb and twitter sso button with the form for email address giving error of "please use an email address from a reputable provider".


I have faced that at least on four occasions. Some were even for paid accounts. Who expects someone to pay to create a spam account?


Another alternative to prevent such a situation from happening is connecting not just Google sign-in but combining it with Facebook or email as well.


> "if Google (or third-party of your choice) locks your account for some reason, you will be locked out of all the services where you signed into using Google."

But if the account I'd use to sign in is my Gmail account, and they had locked that account, wouldn't I be locked out anyway?

Please explain it to me if I'm wrong (cause that happens often).


You'd be locked out of recovery emails, but not the service. You could potentially change the email/username as long as you still had the login details.


This is not an easy issue. It boils down to responsive customer service at the end. Even if you host your email, your hosting provider can suspend your account if, let's say, your credit card rebilling fails. There should be a better and more resilient way to identify people online in 2020!


Hosting is still better than registering with Google/FB for several reasons:

1. Registering with email is not usually an SSO. Authentication is using password and email is used only for recovery. You won't get locked out of other services even if email server fails for some reason.

2. Hosting providers usually engage customers much better than ad and social media companies. Chances of getting your service back up with customer support assistance are much better.

3. In case the hosting provider locks you out without recourse, you can always move to another provider and point your DNS records there. For this, it's better to have a different company as registrar and hosting provider.

4. DNS so far is the least affected/abused online resource. The chances of you getting locked out of your domain name are low, unless you fail to renew. They give sufficient warning as well. Let's take advantage of that until companies decide to wreck that.

> There should be a better and more resilient way to identify people online in 2020!

I don't think that's an accident. The choices and freedoms available for authentication seem to be diminishing with time. It was possible to specify the authentication provider a decade ago.


I was forced to use sign in with google for dnd beyond as they don't support byo-email address (!), only google, twitch, apple, and yahoo.

We need a name and shame site for websites that can't be bothered to write a back end database for the 3 columns needed to store emails, salts, and hashes.


2FA, reset your password, making sure that password emails get through, preventing login enumeration, preventing dictionary attacks, etc.

Those are just the things off the top of my head, it's not just three columns


That reinforces the point of the article, but is semi-orthogonal to my point.

Convenience strikes again. They use the google third party sign in since a big company like dnd can't be bothered to implement 3 columns plus your nice to haves.

And they are nice to haves, arguably obvious and easily upgraded to required table stakes, but not _required_ to implement email-based sign in. The first three of your listed items are also effectively mitigated with a password manager.


Rate limiting is also a big one.
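The "three columns" from the comments above (email, salt, hash) together with the enumeration and rate-limiting concerns raised in the replies, as an added example that is not part of the thread or any site's real code. The class name, the PBKDF2 iteration count and the throttling limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5          # failed attempts allowed per window (assumed value)
WINDOW_SECONDS = 15 * 60  # length of the throttling window (assumed value)


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted hash so a leaked table resists dictionary attacks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class UserStore:
    """In-memory stand-in for a users table: email -> (salt, hash)."""

    def __init__(self, iterations: int = 600_000, clock=time.monotonic):
        self._iterations = iterations
        self._clock = clock
        self._users = {}      # email -> (salt, password_hash)
        self._failures = {}   # email -> timestamps of recent failed logins
        # Record used for unknown emails, so they cost the same work as known ones.
        self._dummy = (os.urandom(16), os.urandom(32))

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def register(self, email: str, password: str) -> bool:
        key = self._key(email)
        if key in self._users:
            return False
        salt = os.urandom(16)  # unique per user
        self._users[key] = (salt, hash_password(password, salt, self._iterations))
        return True

    def _throttled(self, key: str) -> bool:
        cutoff = self._clock() - WINDOW_SECONDS
        recent = [t for t in self._failures.get(key, []) if t > cutoff]
        self._failures[key] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, email: str, password: str) -> str:
        """Return 'ok', 'invalid' or 'throttled'.

        Unknown emails go through the same steps and get the same answers as
        known ones, so the result does not reveal whether an account exists.
        """
        key = self._key(email)
        if self._throttled(key):
            return "throttled"
        salt, stored = self._users.get(key, self._dummy)
        candidate = hash_password(password, salt, self._iterations)
        match = hmac.compare_digest(candidate, stored)  # constant-time compare
        if match and key in self._users:
            self._failures.pop(key, None)
            return "ok"
        self._failures.setdefault(key, []).append(self._clock())
        return "invalid"
```

A production version would also throttle per source address and bound the failure table, since this sketch keeps a counter for every email anyone tries.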


When you use Google or FB or others to sign in, you just get some data, that you can trust.

Internally, on my website, I may have an account, that I then link to this Google or FB account.

1) If Google shuts down an account, authorization might still work for the purpose of logging in somewhere else. Your email might not work anymore, like any other services within Google. But authorization does. That it does not, is an implementation detail.

2) Since internally I have created an account, that is only linked to your Google account, I can always allow you to also login via any other method. Maybe with your facebook account.

3) I think, things will become better. You use your devices to authorize yourself. And I then trust your device. Then there is no 3rd party involved anymore.


Regarding point 3, the trend is in the direction of making your devices a lot less "yours", and a lot more hooked into 3rd (4th, etc) party services.


Many people use yubikeys, for example. As a user, I declare ownership over these keys. I buy these. They become mine. And I use them then for authorization.

So it is a mix, I would argue. For machines it is just important to identify you. And in the past, so I have read the users, they all want to get away from password authorization. Just make the darn thing recognize me. (and sometimes not)


We went through a process of changing email domains recently and we use Google Sign In for many of our services. Switching emails over varied greatly between services. Sometimes it all just worked and my new email would sign in to my account and my email address on the service was updated automatically. Some allowed me to sign in fine, but I had to contact them directly to update the email address. A number of times I ended up having to go through recovery processes.

I guess at least if you’re using your own domain, you’d be able to repoint mx records to do the recovery.

I tend not to use it for my personal accounts, but honestly, Google Sign In for our work systems has generally been a good experience. Works well for our small team, anyway.


Technically email becomes the skeleton key regardless. And that is dependent upon at least one third party: domain registrars. And possibly email providers too.

Though the post does have a good point that non-email auth providers add more risk to the equation.


> that is dependent upon at least one third party: domain registrars

Kind of. You will have a bad day (or month) if your domain registrar is screwing you. But you do own the domain. So you should be able to get it back.

With Google/Facebook and similar you have no right to your account.


> But you do own the domain.

Be careful not to overstate here -- this is only true for restricted definitions of "own".

However, your point remains valid. Control of a domain name is much more predictable and defensible than control of a Google/etc account.

Choose the TLD and the registrar carefully, and do not fail to pay registration fees.


You can use Handshake [1] to third party auth without risk of losing your credentials. Simply authenticate against the public key associated with your name!

[1] https://handshake.org


The original HN post was titled Never Use Google to Sign In. Did HN change the title?


Yes, it did. See my comment in sibling comments for slightly longer response.

- OP


Isn't that obvious? Convenience always has some kind of price tag, particularly a security related one.

I would have canceled my facebook account long ago if I had not chosen their login for an (unknown) number of services.

What would be a better alternative? Use same credentials everywhere? No, because it is just a matter of time it would leak out of one service. Use unique credentials for each service in local password manager? Nay, because most of us at least want to sync between desktop and mobile. Use something like Chrome's password manager? That bears similar dangers like those the article points out.


> What would be a better alternative? Use same credentials everywhere? No, because it is just a matter of time it would leak out of one service. Use unique credentials for each service in local password manager? Nay, because most of us at least want to sync between desktop and mobile. Use something like Chrome's password manager? That bears similar dangers like those the article points out.

I use BitWarden and it works pretty well on all my iOS devices and across major browsers.


Use any password manager


1. This isn't clear cut, though some services don't allow using both OAuth 2.0 and email / username login, most do. So if the service provider allows both, create a simple user + link your account.

2. Developers should always allow restoring passwords for SSO only users, it is ridiculous for it to even be an issue.

3. As a user, refrain from using free email accounts to identify on a platform, as others already said, buy a domain not an expensive one, and stick to it, remember to renew, and setup your email address with a reliable service, there are good providers for $1 a month.

Update: line separation...


Or do it but don't use your google account for your business. Especially, if the business could be considered by anyone as spam, anything to do with naked bodies, terrorism, weapons and such.


> you will be locked out of all the services where you signed into using Google

Most services keep your identity even if you sign in with another authenticator, because your profile key is your email.


On the other hand if you want to use 2 factor authentication adding and rotating security keys across dozens of sites isn't the best plan either. So we are kinda stuck in a rough spot. I really wish that OpenID stuck around. It would have been fantastic to have the choice of provider including running your own.

I think the saving grace of using Google login is that usually you can still "reset your password" via email and get in that way even if Google locks you out.


Not really, in a lot of sites even if you sign up with Google you then can do a simple 'reset password' with the email associated with your Google account and set a password.

The real solution to the problem would be a standardized passwordless local authentication for sites, I mean the site uses an API of the browser to auth the user, that way you don't need third parties to authenticate and you have everything in your PC. The W3C is working on it.


I might be missing the point here, but I find it quite annoying that I was already logged into my Google account and trying to sign in in a website[1] using the 'Sign in with Google' did not work. I don't take my cellphone to work and that little Google auth system kept asking for in-phone confirmation since "I was trying to log in from an unknown device" but signing in to Gmail in that exact same device worked just fine.

[1] Figma


You can turn that off by turning off 2 factor authentication, wherever that setting is.


I see many people in this thread dread existing auth scene and ask for a better solution. Client certificates, but usable and no hardware - https://github.com/sakurity/securelogin this is the only sovereign answer to auth battles.


If Google blocks your account you clearly have done something wrong and rightfully so deserve to be deprived of any web service.

/sarcasm


This might sound like sarcasm to us but I've honestly heard people claim this with a serious face, as well as: "I'm not doing anything bad, so they'll never block me". Guess it's not a problem until it actually happens to them.


There were pieces of news about google accounts being blocked for being "associated" with an account that did bad things.

I think most were contractors using both their own accounts and the customer's accounts to put apps in the play store... which will associate you with random people that pay you to make an app, maybe forever?


Having an identity provider service intermingled with services by the same company and not differentiating between providing the identity service and any other service is the core of this problem.

Really sad that Mozilla Persona did not make it. To me this was a promising solution for 'identity provider service'. This section of service should be heavily regulated since it has a lot of power.

Also probably it should be paid for.


It’s worth noting that you’ll get the same outcome if you register everywhere with a free Gmail/iCloud/whatever account. The only sure way you won’t lose access is to set up your own domain and use a decent email provider that allows you to use it (Yes, ironically even Google Workspace/GSuite).


Oh, it sounds like this complaint stemmed from a person creating a one-time-use account just for some rando site, then getting angry when google noticed it wasn't being used at all. The fallout of the arguments that follow may have merit but you should follow why the fuse was lit for context.


I also think it can be the other way round too. Like I use this amazing app called Smart youtube player that works best if you sign in with your YouTube id. Now this app breaks some rules like skipping ads which may violate their ToS which can put your account in jeopardy also.


Where can I check which websites I logged in with google? I found https://myaccount.google.com/permissions?gar=1 but 26 apps is like 1/10 of what I have I think


OAuth apps don't necessarily appear there, only apps using additional scopes than basic profile verification and email address


I think all OAuth apps are supposed to show up there - I have both apps with basic account info only, and apps with more.


Many sites seem to use the email associated with the third party account as the identifier: so, if I lose access to Google, I can use the email address to reset the password or use Facebook or Apple sign-in, as long as those accounts serve up the same e-mail address.


My sign in as google uses the @gmail address, which I don't have access to other than signing into google, so I wouldn't be able to get the reset email link. Interestingly, since I use my own domains, my facebook signin is different than my gmail address. But interesting, I've never tried using a second oauth as a match to the first.


I know this is how Discourse handles federated identity: it uses the OAuth2 server to match the account's email address against the Facebook/Google/Twitter account's stored email address. Spotify works this way too.


What if the site you’re using is properly configured and uses this third party to confirm your email address? Can’t you then sign in using a different trusted intermediary or email if something goes awry with the one you used the first time?
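The linking behaviour discussed in the comments above (one internal account, several sign-in methods matched on email), as an added example that is not part of the thread and not Discourse's or any other site's real code. The class and outcome names are assumptions; the `subject`, `email` and `email_verified` parameters mirror the OpenID Connect `sub`, `email` and `email_verified` claims. The detail that matters for security is that an address is only used as a matching key when the provider says it was verified, because otherwise anyone holding a provider account that merely claims the address would be linked into the existing account.

```python
import itertools
from dataclasses import dataclass, field


@dataclass
class Account:
    id: int
    email: str
    identities: set = field(default_factory=set)  # {(provider, subject), ...}


class AccountDirectory:
    """Internal accounts that several external identities can point at."""

    def __init__(self):
        self._by_identity = {}   # (provider, subject) -> Account
        self._by_email = {}      # verified, normalised email -> Account
        self._ids = itertools.count(1)

    def sign_in(self, provider, subject, email, email_verified):
        """Return (account, outcome).

        outcome is 'existing', 'linked', 'created' or 'needs_email_proof'
        (account is None in the last case).
        """
        ident = (provider, subject)

        # 1. Known identity: match on the provider's stable subject id, not on
        #    the email, so an address change at the provider keeps working.
        acct = self._by_identity.get(ident)
        if acct is not None:
            return acct, "existing"

        # 2. New identity: the email may only act as a key if it was verified.
        #    Otherwise the site has to confirm the address itself first.
        if not email_verified:
            return None, "needs_email_proof"

        key = email.strip().lower()
        acct = self._by_email.get(key)
        outcome = "linked"
        if acct is None:
            acct = Account(id=next(self._ids), email=key)
            self._by_email[key] = acct
            outcome = "created"

        # 3. Attach the new identity so either provider opens the same account.
        acct.identities.add(ident)
        self._by_identity[ident] = acct
        return acct, outcome
```

A site-run email link can be modelled as one more provider (for example `("email", address)`) whose address the site verified itself, which gives the fallback route when an external provider locks the user out.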


Yeah, I just realized this myself.

Never really thought about it until I started seeing Google, Twitter, Facebook and other large companies, start banning people for political reasons.

Imagine if you signed into some site using your Facebook account, and then some intern at Facebook moderating posts didn't like some political statement you made, and suspended your account?

Like the article says, you're not just locked out of Facebook, but any other account that uses Facebook to authenticate.

That gives these sites an insane amount of power. You can argue these massive companies have a right to ban whoever they want on their own platforms, for whatever reason they want. But they shouldn't have a right to ban people on other platforms.

Even if a ban/suspension is made in error and can be reversed, that could still cause someone a lot of harm, or be used as a political weapon. That's legitimately scary.


Also. HOW do you know it’s a real Google sign-in instead of a fake password stealing form?

We’ve trained generations of users to accept it’s alright to give their Google/Facebook/Twitter credentials to any random site under the sun.


Only type your Google password if the site is accounts.google.com.

https://www.wordfence.com/blog/2017/01/gmail-phishing-data-u...

Better yet, use FIDO.


Apart from the kick-out risk, using SSO from Google/Facebook isn't good for your privacy either. They usually have an iframe in their SDK that can track you even when you don't click on the login button.


Who has changed the title of the HN submission? It was "Never use Google to sign in" and it's still that when following the link. According to submission rules it should not be redacted.


OP here. I certainly did not change the title, and would like to know who changed the title and why?

In the article I clearly call out that using any third-party is a risk, so I don't see a reason why the moderator felt the need to say that in the submission title as well.


I had to go to the second page to find someone asking this same question I had, and now when I come back to reply to it I find it's been downvoted even further into grey.

What is actually going on @dang ? He asked a legit question and even the OP isn't sure what's up.


This reminded me that I learned DuckDNS[1] recently removed the option for local auth through their site. It’s only 3rd party auth now. I was mildly triggered. [1] www.duckdns.org


Google map changed the name of the road in my hometown. Just recently I guess. I mean it was correct. And I don’t know how to correct it. I don’t want to talk to a machine either.


People use third-party auth because it's convenient.

> Please enable JavaScript to view the comments powered by Disqus.

The blog post author is using Disqus because it's convenient.


Doubly so with GitHub. I have had my GitHub account removed multiple times with no reason. Then if you email them, it can take weeks before they bring it back.


> Every respectable service allows you to create accounts using your email address, so please use that method to create your accounts.

This is a major take-away, too. I have used this as a litmus test for a while. If a service requires you to log in via one of these third parties, and doesn't offer a "create an E-mail based account" option, stay away! They're not a serious business.

Or, even better, favor services/stores that don't require you to create an account.


I mean, the article is pretty lean. It basically says, "Don't use OAuth because if you're locked out of your account on the OAuth provider, you won't be able to sign in." I don't disagree with that.

I don't think it's fair to expect every website I sign up for to be able to safely store passwords. OAuth is a convenient and much safer way to allow users to authenticate to your website or service. I don't think it's fair to dismiss every service that doesn't provide this option.


> Every respectable service allows you to create accounts using your email address, so please use that method to create your accounts.

Sadly this isn't true. I can't register to download my electric bill without a google, facebook or twitter account. Electric companies are local monopolies so I can't switch to another supplier either.

My email account still belongs to google, so I can't claim that this makes any difference in my life. It's a bit disturbing nonetheless.


I learned that lesson with stackoverflow when they first used openid then added their own. Now logging in is a chore to me.


Services that create separate accounts for email, Google and Facebook despite providing the same email are the worst.


That’s not strictly true, once you’re signed up, you can usually login using your email address if you need to.


Speaking of relying on third parties, I saw this message at the bottom of the page:

Ghostery blocked comments powered by Disqus.


> Never Use Google to Sign-In

Never Use Google.


You beat me to the punch. I fully abandoned Google and Facebook over two years ago. No regrets.


Sincerely interested in knowing how you did this. Any guide is appreciated. Thank you :)


A big reason for me to use my own custom domain + Fastmail for email was to get away from Google login.


Buy your own domain and hosting for a few bucks on Hetzner, OVH etc. they both support 2FA. Don't use Google for login. It's pretty simple and foolproof.

OVH supports Yubikeys, has DNSSEC and will give you a 5GB mailbox for free in your domain just for buying it from them. You can also pay like 20$ per year for 100GB of space for WWW, backups (preferably encrypted) and other stuff.


I look back fondly on the days when my BlackBerry, online receiving messages, would use 5mb a day.


Well, I am one who uses certain email addresses and even google sign-in on sites which I don't care about. It makes it easy to isolate spam and more.

I maintain a twenty five year old mindspring account just for sites I have no financial connection to.


I've found the law of headlines equally applies to headlines telling me what to do.


How about "Never use Google (or any third-party service) to sign-in"


This is what happens when you combine greed with lack of regulation. Google should be split into separate independent companies. When company is above the law and too big to fail it means we failed to address it. Write to your local representative and ask them to raise this problem.


Just want to add, this is not capitalism if you have one rule for big guys and one rule for small shops. Small companies cannot afford creative accounting which then finances an army of lawyers and grease for politicians. If a small company pays e.g. 30% of tax it is unacceptable that big boys can wiggle out of it through offshore contraptions. If a company suddenly is in position to game the system and obtain unfair competitive advantage it is when it should be split. Every business should have equal chances and we let companies like Google, Facebook or Amazon abuse their position. It's time to stop it. They need to be split and pay the right tax.


You can set up gmail with your own domain that you have control over.


Same goes for Facebook Login, Twitter Login and Sign in with Apple


Most services offer password reset and would likely help you recover your account. This is not something you have to worry about too much especially if the service you are using isn't that important to you.


Google also loves to give all your data to 3rd parties like Google Pay. I have never had more spam.


not to mention permissions

very easy to accidentally share your whole address book


So no Advent of Code?


No shit.


oversimplified and wrong


Has anyone else noticed random popups on 3rd party websites asking for google sign in? I even used firefox when it happened:

https://imgur.com/a/JC52lBV (lequipe.fr)

https://imgur.com/a/VSM3Uk9 (reddit.com)

https://imgur.com/a/KpVCYBL (medium.com)


You can disable these annoying prompts by going to https://myaccount.google.com/permissions and disabling "Google Account sign-in prompts". Ideally it should have been user opt in but Google followed a dark pattern here.


At the risk of stating the obvious -

This implies that Google already knows that it's you when it shows the sign-in prompt on some 3rd party website and they are already tracking you there even though you are not signed in. Lovely. Not that you'd expected anything else from Google.


Yes, the pop-up is for signing into the site with your already-signed-in Google account. If you're not logged in then you use the site's default login mechanism.


Obviously Google knows that you are logged in to Google when you are logged in to Google.


And Google knows that you are not logged in to Google when you are not logged in to Google on these web sites.


Of course they do. It uses an IFrame request to the Google.com domain (so that the "host" website doesn't see any details before you login). Google can however see who you are because your auth cookies and what-not will be sent along with that Iframe request on whatever host website decides to use this pattern. See: Medium

A further issue with this is that Google knows you're on that website because the referrer and request headers will have that on the IFrame request.

Edit. I think I replied on the wrong post here.


Just to be totally clear, this is how tracking cookies work everywhere. The site you visit includes an iframe with an ID "X" that identifies itself, the iframe loads `trackingsite.com?id=X`, the request includes your cookies for that domain (or at least the ones that are allowed for an iframe request), now `trackingsite.com` logs a visit to Site X from the user holding Cookie Y.

There's a fundamental conflict between privacy and convenience, because I have to either allow no third-party cookies, which means no one can embed any authenticated content from a third-party context (think Disqus comments on a blog), or I have to allow third-party tracking. The middle ground -- allowing some third-party cookies but not others -- is a UX nightmare. Just trying to explain the situation to an average user, at all, is nearly impossible, much less interrupting every visit to every site with "Can I use cookies from {site 2} here? How about {site 3,4,5...112}?".


I've been fiddling with ublock on how to disable this. Would've never guessed about the settings in google account. This should've been disabled by default or an option on the pop-up to permanently disable it.


If you have multiple Google accounts logged in, you'll have to do it for each account. Why, Google, why???


I mean, the simple answer is because they're trying to spread the use of Google login, make it ubiquitous, so they can own all authentication mechanisms too as if owning everything else isn't enough.


Hey, thanks for that.

Just confirmed this does seem to stop the annoying login popups from Medium, etc.

I tried to figure out how to disable that a few months ago but my google-fu was weak and it seemed like nobody knew how to do it.


Useful, thank you.


Yes and it pissed me off because on mobile it pops up like 0.5-2 seconds late so if you're unlucky you go to click on something and it pops up under your finger and you've suddenly signed up and shared your info with a company you had no intention of ever signing up with.

I complained to Google. I have a GSuites domain and I don't want my users to be able to sign up via Google. No resolution. I suggest you all complain too

I semi worked around it by adding accounts.google.com to my ublock origin block list but about once a month I have to turn it off to allow me to log into Google.

Note: I'm not against google. I am against this auto-popup. The logical conclusion is you'll go to a page and get 6 of those popups or more. One to sign up with Google, one to sign up with Apple. One to sign up with Facebook. One to sign up with Linkedin, etc...

The design of that system by google is not a good design based on the idea that if everyone did it it would be bad. Google should stop it. If I click "sign up" on the site then let the site offer me "login with X" and don't contact X until I click "login with X"


> I semi worked around it by adding accounts.google.com to my ublock origin block list but about once a month I have to turn it off to allow me to log into Google.

This is where uBO's dynamic filtering[1] is useful, as it allows you to globally block `accounts.google.com`, and then unblock it only for specific sites by overriding the global block rule with a local noop rule.

* * *

[1] https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-qu...


Thanks for your work! A true friend of the internet.


Also I reflexively clicked ok out of laziness and annoyance without knowing what it was. Not quite a dark pattern but you certainly aren’t completely aware what it’s asking within the first second of seeing it.


> aren’t completely aware what it’s asking

That is one example of a dark pattern.


This filter did it for me:

||accounts.google.com/gsi/iframe/select$subdocument

It blocks just the popups and not the login page itself. But Google may change their methods at any time to circumvent it, so your way is more robust.


> pops up under your finger and you've suddenly signed up

Happened to me as well. So I guess their plan worked. So glad they care about my privacy.


Yeah. Reddit is especially really intrusive and annoying. I feel like they just don't want people to use their site anymore. Whenever I open new Reddit, my memory and CPU usage goes up so badly.


Reddit website unusable on mobile, it cuts all images in half for me (Nokia 3.1 and Samsung A51), and it's just laggy. I use RedReader from F-Droid instead.


Yes, it also loads forever, hides half the comments, constant pop-ups telling you to use the app instead, cannot read some (non-quarantined) subs without logging in, no NSFW without logging in, back button is broken, frequent error in loading pages...

On the desktop it's still usable with old.reddit.com.

But honestly it's probably for the best, less time wasted.


They can't even manage to get their video player to work. Even your local news web sites, which ten years after YouTube still couldn't manage to consistently get a video to play in the browser, have figured it out by now. But Reddit? Nope. Requires me to hit the play button 3-4 times in order to start the video, stops randomly in the middle of the video, and "re-play" never works. I mean, we're almost in 2021! Developers, if you can't figure it out, just give up and embed YouTube.


My favourite bit is when it starts replaying (with full volume) after I've scrolled halfway down into the comments.


Same here, it's painfully slow and I click their search results only when I don't know where else to look. Given reddit's sheer size and popularity in quite a few countries, I wonder how many MWh and CO2e the new version uses and causes.


Also battery degradation.


old.reddit.com.


Use a browser plugin like this to always use the old site: https://addons.mozilla.org/en-US/firefox/addon/old-reddit-re...


And if you're signed in you can opt out of the new site (Preferences > Opt out of the redesign)


Doesn't work on Firefox Android. I never go to Reddit by typing URL; I go to Reddit because I follow a link to it.


Creator of the extension here. It actually does work on Android, it's just not in the (very short) list of allowed extensions yet.

There is a workaround to add custom addons, though: https://github.com/tom-james-watson/old-reddit-redirect/issu...


Thanks for making this. It's useful every time I click a new reddit link.


There's a rich ecosystem of incredible third party reddit apps on android, as an alternative. Reddit is really unpleasant to use on the mobile web, even without the dark patterns.


The plug-in redirects to old Reddit automatically when following links, so if it worked for you that would not be an issue.


Uniqueness of browser plugins creates unique signature specific to user.


This together with RES and Shine makes it really pleasant actually. In fact, I think you don't need to visit old.reddit.com for RES/Shine to work. CPU/MEM usage is off the charts though (has gotten much better).


Yes, and it bothers me a lot, even if it's in an iframe, that it has my real name from my Gmail account inside the unrelated third party pages. I do not trust Javascript iframe policies to prevent the host sites from exfiltrating my name from the Google signin frame. Javascript and browser exploits have a long history.

This uBlock Origin rule blocks the popups at least:

##iframe[src*="accounts.google.com/gsi"]


If there was a bug that let websites read from unrelated iframes then they could just open the iframes themselves.


X-Frame-Options and cookie access rules would help protect against that a layer beneath Javascript. I get your point that ultimately any security breach can escalate to full-on compromise of all personal data. I still find it playing with fire to have completely unrelated sites having my name inside an iframe.


I use Firefox containers at work but I was postponing doing the same at home because it takes a bit of work to create the containers, assign sites, troubleshoot some minimal issues, etc; and THIS made me finally do it.

I knew that I was being tracked, but that was a bit too "in my face" to ignore it.


Same here. Seeing that popup on medium.com with my google login identity was what finally prompted me to start using containers. Now google's domains are safely kept in their little box where they belong.

It's funny because there's nothing new about those login popups - I already knew conceptually that kind of thing was possible - but seeing your little avatar picture show up where it doesn't belong provokes a much more direct reaction than abstract knowledge.


There's a ready made extension for Google.

https://github.com/containers-everywhere/contain-google

Installable from the Firefox extension "store".


I tried to create my own Google container, but could never get it to work with Google Drive which caused an endless redirect so I had to give up.


Yes, they've been showing up all over the place. Even on eBay.

I suspect some bizdev people at Google just had a "great idea".


Really the dumbest, most confusing design I've ever seen to make a website seem like it knows who you are when you visit as a guest.

When I first saw it on Pinterest, it took me a moment to figure out what I was looking at as a web developer of 20 years. My girlfriend still didn't get it after I was explaining it to her. How does anyone else have a shot at arriving at "oh, so the site doesn't actually have access to this information that's being displayed on the site."

When I was younger, I thought good UX design was obvious, something all of us had intuition for as users ourselves. All you do is put yourself in the user's shoes and ask basic questions and use basic empathy. Of course, now being in software for so long, I realize it's one of the rarest and most unrecognized skills.


If you empathize with normal users, you realize they don't care the least about any of this. They want to use a convenient service to do things. To post pictures of themselves, to see what their friends and frenemies are up to, what's the new cool thing etc etc. Login should just work, nobody cares what is displayed where, and which site knows what. Normal people (outside the HN bubble) don't care about these things, like privacy and what data they share. It doesn't get them closer to the things they want to do online, that is post things and consume content.


The problem is that it doesn’t really work, because if next time they somehow log in with their email/Twitter/Facebook/Apple ID instead, it will make a new, totally unrelated account, and all their stuff will be mysteriously gone for no apparent reason.


It’s called onetap if anyone is interested.


This is a real problem. One would think that a respectable site would give us the option to recover via email, but that is not the case. I had this exact issue with Kobo yesterday, I'm forced to use Facebook login even though they have my email as a recovery option.


I never see these. I wonder if it’s because I have ublock properly configured or because I block third party cookies or because I never sign in to Google on my main browsing profile.


No I haven't. Because whenever I sign in to Google I do so in a container. And I sign out and destroy the container as soon as I am done.


I assumed these were using some kind of iframe trickery.


_A plea to the moderators:_ Please change the title of the submission back to match the title of the blog post, "Never Use Google to Sign-In".

To be fair to Google I have clearly called out all third-parties in the blog post, some by name.

I used Google's name in the title because that name elicits reaction from almost 100% of the audience, since almost everyone has used Google services at some point. I myself am a happy user of Google services, except for one incident [1] a few years ago when I was locked out of my account for 20 days. I was able to recover it because I finally remembered my linked yahoo email's password; I had forgotten that, and never bothered to save it in password manager, because I hadn't used it for many years.

For the record, I was also blocked out of GitLab for 7 days [2] for no apparent reason. This was resolved after a few days of follow-up with their support folks. Upon account recovery, the reason given was that my account was accidentally caught by their spam filters.

Back on topic: Changing the title from "Google" to "Third Party Auth" significantly softens the impact and urgency I want the reader to feel upon reading the title, and the short article that follows.

[1]: https://support.google.com/mail/forum/AAAAK7un8RUAzmxJAkP8gU...

[2]: https://forum.gitlab.com/t/gitlab-com-account-blocked-need-h...

- OP


Dissenting.

OP, your first sentence is "If a website offers you to sign-in using Google (or any third-party service, say Facebook, Github, etc.), don’t use that feature."

Titling this as "Third Party Auth" is a reasonable and correct summary of your article. Blaming Google specifically is hype-mongering unless you have a specific gripe against Google - and reading through your post, I don't see a Google-specific criticism.


I think the title would be better if it included Facebook because those are the two most prominent and recognizable to the average person.

The title for the HN audience is better, but probably equally misleading since 3rd party auth could include Auth0 or Okta, and personally, if you buy into Apple’s privacy story they should be trusted.


I.e. you want this article to be clickbait and now you are unhappy that it is not.


Way to speak for another person's intentions AND feelings! That's where we are nowadays, I guess.

It's their article, I think it's fair they ask for the name of the post to be preserved. It has nothing to do with their intent (clickbait or not) that the audience here voted up their submission.


> I used Google's name in the title because that name elicits reaction from almost 100% of the audience,

And

>Changing the title from "Google" to "Third Party Auth" significantly softens the impact and urgency I want the reader to feel upon reading the title,

It sounds rather like parent was correct in calling it click bait. For me, any article that has aspirations to manipulating one's emotions in order to elicit a particular outcome is definitely selling some propagandist notion... Aka click bait.

That the article's content, HN submission and the parent comment is the same person @gurjeet, I would like to thank @dang for the modification.


But that's not what clickbait is. Clickbait is a title that quickly imposes the feeling of missing and important information. Especially to get people to click through so the link target can serve ads. That's clearly not OP's goal as he makes the title a call to action, omitting no critical information.

Propaganda has nothing to do with the definition of clickbait, so saying "[propaganda ...] Aka click bait." is very misleading. And betrays your argument that everything should be exclusively logic, specifically omitting any appeal to emotion. That's exactly what you're trying to do by portraying OP as using propaganda. And rhetorically speaking would be a disservice to both reader and article.


No, clickbait would be: This guy used Google to login, you'll never guess what happens next!!

He wants to use the name Google to personalize the message assuming that's what a lot of people use. Do you know how I figured that out? That's what OP said was his goal. It's rude to assert otherwise without evidence.


“I opted out of a Yubi key, forgot my Yahoo password, didn’t have the authenticator set up, couldn’t text message myself, and wasted 3 days fixing it” could maybe fit as a title too.


I want the title to reflect what prompted this article in the first place. Just as others are calling out, I noticed those Google login boxes on unrelated websites. I want the reader to also make that connection and then read the article to understand what’s at stake.


All titles are clickbait; researchers, bloggers, youtubers, conference speakers, and journalists who succeed are also ones who know how to choose good titles.


Not all titles are clickbait, and even if the majority are, we should strive for better


Clickbait is a spectrum not a binary. I think keeping google in the title doesn't detract from conveying what the article is about while at the same time making it more attractive.


Definition of clickbait [1] (emphasis mine): something (such as a headline) designed to make readers want to click on a hyperlink especially when the link leads to content of dubious value or interest.

The title of the article matches the content, so, no, it wasn't a clickbait. Also, if the title was really a clickbait, someone would have surely called it out before my gripe about the title change. In fact, 2 others complained about the title change before I posted my top-level comment; those others' complaints and my responses are now buried under the "More" link at the end of this page.

I understand you, @baby, have good intentions, but I take offense to @bzb6's remarks. I guess that's what I get for responding to a recently created account (41 days ago) with no posts and all of whose comments are one-liners; mostly knee-jerk reactions, no insights, and not considering the nuances of the real-world implications.

[1]: https://www.merriam-webster.com/dictionary/clickbait


Ok, we've regoogled it above.

Edit: now that I've had a chance to read the article, I don't agree with that change, and have restored the title back to how a moderator had correctly edited it before.

The reason is that the article doesn't say anything specific to Google. The sole point it does make is common to all the services, and indeed the article seems "conscious" of this, since 3 times it says "google" it immediately qualifies that with a phrase like "or any service".

Nor does the parent comment make the case that this is specific to Google; in fact it makes the opposite case.


A famous youtuber lost access to his TikTok account when Facebook banned him because he was using Facebook login.

https://youtu.be/oJcEDzgPRrc?t=57 (warning, the video is somewhat off-color)


Thanks for sharing this! I didn't find anything off-color in that; maybe it's my level of acceptance.


The reader will still see your title when they visit the house page.


Oh wow, now the title has been changed again! Here are the different versions the title went through:

  Never Use Google to Sign-In
  Never Use Third Party Auth to Sign In
  Don't use third party auth to sign in

I guess another moderator had a better idea of what title will attract more attention.

Given the number of comments, the duration at the top of HN, it's clear that this post (including the title) hit a nerve with many people. But the moderators in their wisdom chose to reduce its reach by watering down the title; twice! Compare the 3 versions of the title so far, which one do you think resonates with most people? If they had chosen to add other prominent offenders' names (Facebook, Github, etc.) I wouldn't have minded a bit; that would have been a better use of the space the title takes up.

But they chose to first generalize it from "Google" to "Third Party Auth" (casual reader: eh, what's a third party auth; who are these people? what's auth? is it authentication, or is it authorization; I guess that's too generic post so I don't care, <keep scrolling>), and then replaced "Never" with "Don't" and lower-cased the rest of it. I don't expect the general population of HN to take my, or anyone else's, advice at face value, but think about the problem in their own context, how much it affects them, how much they care about the problem, and if they agree with the proposed solution, and to what extent.

I'm sure that by watering down the title's efficacy, the moderators have lost an opportunity to educate many of the HN readers.

People write content to share their ideas, and they want people to pay attention, because the writer thinks it's important. If the moderators' changes help in that goal, no writer would mind. But in this case I am sure these changes have hurt the chances of spreading the core concern.

I find it offensive that my judgement in choosing the title is being questioned, even though most others agree that the original title was appropriate, in general. Thankfully, I went with my gut to write the article on my own blog (and link it here) even though it was 3 short paragraphs, rather than post the original content here. The original title and content will stand there, without fear of someone else's ability to alter it.

Someone else's platform, their rules, their whims; no recourse, as with other platforms.

To self: Shut up and get on with your life, you have already wasted an inordinate amount of time on this.


This applies to all “as a service” products. Unless you can’t provision a server and stand up open source services on your own there is no reason to use 3rd party services.



I've had that happen to me before and it killed this feature for me entirely. I now only use it for things I don't care about.


No thanks, I prefer convenience over paranoia.


It’s not paranoia, it’s perfectly reasonable in the case of digital download being tied to an email address 3rd party auth.


100%

Not only do they control the content you see, the content you can access, but also history of the content you've accessed.

Fuck this planet.


I am now at a point where I would rather have the passport office / home office issue certificates for each citizen: 'John Doe number 145, signed by the British Government'. You could use that for 2-way SSL with banks, trusted email providers, etc. At least we would have 1 reliable identity that can only be messed with by going through the courts.

I wouldn't want to use that identity for every random website, but at least we'd have something reliable.


Hijacking this thread for a simple price comparison: Since people recommend to buy a domain and connect this to some service. The problem is that this service will run for decades as a private plan, so let's do together a price and feature comparison since the lock-in is huge.

GSuite:

- pros: vast ecosystem of GMail extensions, eg mail merge

- con: just 30gb total storage

MS:

- pros: 50GB email, 1TB cloud, Office apps included (not that I like them but sometimes you still need them), dirt cheap family plan for $30+ you get 6tb

Yandex:

- free, but yeah all my serious stuff like bank accounts there, IDK

iCloud:

- super expensive

Dropbox:

- no email and ios camera upload broken/lags years behind for ages and super expensive

What do you think? Are there any better options out? Which would you take?


Yyy... what the hell?



