This has been a very interesting discussion. We should be mindful that it is occurring all over society. It is arguable, and I hope true, that the worm has turned regarding privacy. People are starting to realise that you always (in the general case) are paying for a service. If not with money then with something else. In some cases both (hello square space!)
tl;dr The choice for or against using the big bad corporation services needs to be clear and usable. Privacy is a minority interest today but IMO the writing is on the wall and for web services it will become the wolf in the kitchen.
On 14/02/19 3:42 PM, Stephen J. Turnbull wrote:
Jonas Meurer writes:
But still, adding so-called "social" authenticators to the mailman3 django application will expose users to the risk of clicking on those ID provider buttons.
I can see this point for Debian users. I suspect Ubuntu users are somewhat less paranoid. :-)
Since that risk holds even for sites that enable explicitly (assuming we adopt the same policy) I will take a look at making that risk hard to realize (more distance from anything else clickable, smaller buttons with visible and accurate boundaries).
Better that it is off, or it is on for a selected group of providers. The issue is not the prominence of social login options but the presence. I disagree that accidental clicking on social login widgets is a major issue, but I have no data, so it is an opinion.
Personally, I consider it a major privacy issue if one central instance (e.g. Facebook) is able to track on which platforms and services you authenticate.
Sure, but that ship has pretty well sailed AFAICT. Most users use unconfigured versions of IE (or Edge) and Safari, which means they're subject to all manner of webbugs. My employer just asked me to stop using Firefox because it's too pedantic for their website development vendors. :-( GDPR enforcement seems to primarily be an arm of the EU trade offensive against large American services (that's the Economist's recent opinion, not mine), while Europe-based globals are undoubtedly doing the same crap.
The ship has not sailed. We can get back what we have lost. The new generation of web developers are, in my experience, too enamoured with the cool stuff they can do, and ignore old greybeards' (like myself) talk of "attack surfaces" and "chains of trust" and blithely install Google fonts, load JavaScript from CDNs, etcetera, which gives their users' data away without a thought or regret. Ten milliseconds and 20kb is considered too high a price to pay for enabling somebody else's privacy. But they are starting to face pushback from consumer groups who understand the value of what is being handed over.
And to be honest, I'm a bit irritated that those tracking features from big corporates like Facebook and Google, whose main business model is to aggregate as many private data points as possible about as many users as possible, are enabled by default in Mailman3 upstream.
Your irritation is not our problem, though, since you can use Debian's version, and as I mentioned earlier, as far as I know most of our sites are happy to have social auth. I will be paying attention to the list to see what others think.
That irritation is exactly the problem. It is a problem we need much more of.
Besides the privacy concerns raised above, one problem with central authentication services is that they also create new single points of entry/failure. If your Facebook account gets hacked, you now lose control over all other services/platforms that you used the Facebook authenticator service for.
Same thing if you use a weak password. Effective and secure authentication is not something we're good at, and we can't really afford the effort to be good at it. These things are tradeoffs, and the default should be something that most of our users (ie, site and list admins, NOT subscribers) want. Hopefully their preferences in this respect reflect those of *their* users (== subscribers).
Attack surfaces. "Whataboutism" is not a valid argument against the argument that you should decrease your attack surface.
But social authentication is enabled and the trackers are not loaded too. As far as I can see. If so that is a good thing. The big bad corporates only get data when someone actually uses their services.
I agree with Torge that those social auth providers should be disabled per default. IMHO, a sane default would be to list them in the settings.py but have them commented out.
"Those" social auth providers? Are there social auth providers who provide what you consider acceptable privacy guarantees (a la Duck-Duck-Go in search engines)? If so, we could make those higher in the list/easier to use.
I disagree that they should be disabled by default. I agree they should be disabled, but it should be by choice. What is required is a configuration option in the interface, not in the text configuration files. The former is for list administrators; the latter is for site administrators. Currently list administrators do not have that choice. (I am new here, do I have that correct?)
Worik
-- If not me then who? If not now then when? If not here then where? So, here I stand, I can do no other root@worik.org 021-1680650, (03) 4821804 Aotearoa (New Zealand)