Last week I mentioned that some people think it would be a good idea to just use Facebook credentials for their corporate identity management. After all, Facebook is free. “And isn’t The Cloud supposed to be cheap to the point of being free?”, they ask. Many of their users already have Facebook identities.
When you go to a web site that wants you to authenticate and it allows you to do so using your established Facebook, Google+, Yahoo or other online identity instead, that is the OAuth protocol in action.
But how much should we rely on OAuth?
Last summer Eran Hammer, the leader of the OAuth 2.0 project resigned from the project after having led OAuth development for five years, saying “I reached the conclusion that OAuth 2.0 is a bad protocol. […] It is the biggest professional disappointment of my career.” He goes on to say “When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure.”
All that from a protocol whose two main goals are security and interoperability!
See his resignation announcement for the details, but while an OAuth 2.0 implementation could be secure, any given one likely will not be.
For an example of the potential risks, see Egor Homakov’s hack of Facebook authentication. If you were to authenticate your users with Facebook credentials, then a cross-site scripting problem on your site could lead to any user’s corporate identity being stolen.
He gave Facebook the full details of the problems he found and they should have been fixed quickly, but this will be a continuing problem and an unending chase after vulnerabilities given the insecurity of the OAuth2 framework. For example, also see Egor’s list of several attack methods against OAuth 2.0, redirect_uri problems, and several browser privacy holes.
Now if this were just a Facebook identity that was stolen, I suppose this could be embarrassing or at least annoying as bogus “likes” and comments were posted. But just imagine if your organization simply relied on Facebook based credentials to control access to sensitive data!
We discuss identity management in Learning Tree’s Cloud Security Essentials course. As with much of cloud security, we find that it can be a challenge or at least a chore to get it right.
Easy to use.
Free (or almost free).
Sorry, but it seems that you can’t have all three in the commercial cloud.