On Fri, Nov 30, 2018 at 04:12:27PM -0500, valdis.kletnieks@vt.edu wrote:
> I'm going to go out on a limb and say that with all the problems inherent in using a social media account as an authenticator, for 95% of sites it's still more secure than if they attempted to create their own authentication system.
[snip good analysis]

However, there can be little doubt at this point that all major social media sites have long since been thoroughly compromised. Of course they have: the attacker budget for doing so is enormous, easily enough to bring to bear advanced cryptanalysis techniques, judicious deployment of exploits including home-grown 0-days, and the assistance of willingly/unwillingly co-opted insiders.

Meanwhile, the defenders have shown themselves to be stunningly inept and have accrued a long-term track record of massive data breaches almost too numerous to catalog. (And those are just the ones we know about to date. Surely there are more waiting in the wings.) This isn't really surprising: after all, it's not *their* data, so why should they invest time and money in securing it?

Sadly, your point about the difficulty of creating homegrown authentication systems is also accurate.

Therefore: we're just screwed.

---rsk