I've recently implemented authentication for my project and I would just like to say to all the relatively amateur programmers out there: for web based authentication just stick with HTTPOnly SECURE cookies with DB backed sessions that you can revoke.
The reason I'm saying this is that there are way too many posts talking about JWT (which isn't suitable for newbies), OAuth (which is more useful if you have separate authentication and resource servers) and other token-based mechanisms, which are what cookies are except more suitable for non-web-based clients.
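As an added illustration of the mechanism recommended above (example code, not the commenter's own): an opaque session id handed out in an HttpOnly, Secure cookie, with the session record kept in a database so it can be checked and revoked server-side. The table layout, the one-week lifetime and the function names are assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

# Assumed schema: only a hash of the session id is stored, so a leaked table
# cannot be replayed as cookies; an in-memory SQLite DB stands in for the real one.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE sessions (id_hash TEXT PRIMARY KEY, user_id INTEGER, "
           "expires REAL, revoked INTEGER DEFAULT 0)")

SESSION_TTL = 7 * 24 * 3600  # one week, an assumed policy


def _hash(session_id):
    return hashlib.sha256(session_id.encode()).hexdigest()


def create_session(user_id, now=None):
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, nothing to decode
    DB.execute("INSERT INTO sessions VALUES (?, ?, ?, 0)",
               (_hash(session_id), user_id, now + SESSION_TTL))
    return session_id


def cookie_header(session_id):
    # HttpOnly keeps page scripts away from it, Secure keeps it off plain HTTP,
    # SameSite=Lax stops most cross-site requests from carrying it.
    return (f"Set-Cookie: session={session_id}; Path=/; HttpOnly; Secure; "
            f"SameSite=Lax; Max-Age={SESSION_TTL}")


def user_for_session(session_id, now=None):
    now = time.time() if now is None else now
    row = DB.execute("SELECT user_id, expires, revoked FROM sessions WHERE id_hash = ?",
                     (_hash(session_id),)).fetchone()
    if row is None or row[2] or row[1] <= now:
        return None  # unknown, revoked or expired: treat the request as logged out
    return row[0]


def revoke_session(session_id):
    # Logout or incident response: flip the flag and the cookie is dead on the
    # next request, whatever the client still holds. Returns False if unknown.
    cur = DB.execute("UPDATE sessions SET revoked = 1 WHERE id_hash = ?",
                     (_hash(session_id),))
    return cur.rowcount == 1
```

Revocation is the property a stateless token cannot give you without extra machinery: here it is one UPDATE, and every later lookup fails.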
With a password manager and careful shepherding of your PII, maybe there's not much risk; if someone takes over the site your account is compromised either way, and nothing else is lost. But most people don't actually use password managers, and lots of sites that accept Google sign-in require lots more data to actually create an account on the site. (Plus, losing password stores is not necessarily the same as losing all control.) Newbies storing creds is a perennial source of leaked credentials that get used to attack more important sites.
Most solo bootstrapped projects are not popular enough initially for someone to spend money / effort to hack them. When they do become somewhat popular though (very small minority of course), I suspect most founders bring experts on board, as they absolutely should.
> just using HTTPOnly and DB backend is not a solution at all
My comment was not meant to be exhaustive and does not list all vulnerabilities; it was just in the context of some of the suggestions in the article. Using a mature framework like Django can protect you from other vulnerabilities (CSRF, XSS, SQL injection) to some extent.
You have way too much faith, my friend. How does bringing an authentication and security expert into your organization make you more money? It doesn't. What people like this tell you to change is all cost and only hypothetical benefit. I suspect this doesn't happen anywhere near as much as it should.
I work in mostly the B2B space where we integrate with their Identity Providers (active directory, Okta, etc) and strongly discourage them from using our internal authentication system so they have to take responsibility for their own security.
If I were working in the consumer space, I would personally use AWS’s Cognito since that’s what I’m familiar with and it integrates with everything - Google, Facebook, Twitter, Apple, Amazon etc.
I’m sure there are other services that serve similar functions.
Thanks for listing some, will look into them!
Strong contender for Most Horrifying Thing I've Read This Morning.
You now have an auth system that avoids horrible passwords (no passwords).
The downsides are: 1) Cost to send emails for login, 2) People complaining about it being weird.
Worth it in many cases.
Fixed that for you...
> What ever they are offering cost them money to develop, but they did not do that as a charity.
True! Yet... I keep thinking about `http` (the protocol), or Apache, IRC, and countless other software techs that were just 'given' to (and are maintained by) the world, courtesy of their makers, and/or bodies like IETF work groups, etc.
Case in point: "social" is basic at an elementary level (it's just CRUD, over-the-network), but at scale becomes insanely costly. The limitation/exclusivity factor thus doesn't seem to be software magic but rather infrastructure, piles of money, before sustainability or profitability come into play. This is what the monopolies stem from, only compounded by some Metcalfe/"network" effect (friction to switch, passive positive peer pressure inwards, passive negative outwards).
So in thinking of an alternative future path for social tools (SDK) and meta-tools (platforms, interop, work groups, etc), I think it's worth considering the infrastructure problem first. My money is on distributed and (partially but 'enough') decentralized systems (think bittorrent, tor, even DNS fundamentally), but regardless it belongs to the wider category of mutualization of resources (cloud vs on-prems debate, E2E crypt, etc). The solution must be preferable in terms of cost otherwise it's just not gonna happen.
The difference here is that the social platforms have been developed as a for profit company. Granted, FB has improved some of their underlying technologies, and released them back to the public in the way open source is meant. I do give them credit for that. However, the SDKs and APIs etc are direct work made by the platform. These tools are made specifically for interacting with that platform. They have every right to monetize that work. While some of us (at least I do) believe their method of making that money is super shady/unethical/etc, it is their business model. Other companies like Apache, Redhat, etc also offer us free things to use/play with while monetizing their enterprise/support services. A much more ethical method in my opinion.
> Other companies like Apache, Redhat, etc also offer us free things to use/play with while monetizing their enterprise/support services. A much more ethical method in my opinion.
Totally, this general business model can get as close as it gets to sustainable open-source. It seems hard to pull off though, lots of dead startups and projects out there, despite a few resounding successes.
2010s: "We take your security very seriously."
2020s: "We value your privacy."
Whether you like it or not, Facebook et al are tracking you regardless of whether you have an account.
Zuck even got asked about shadow profiles in his senate/congress hearing and he meekly weaseled out of answering by saying "I'll get my team to get back to you on that." Translation: "I know the answer but telling you will destroy what's left of my reputation, and if I lie to you I risk perjuring myself and jail time."
He also rattled something along the lines of "there's this thing called cookies", and the peanut gallery on Twitter misunderstood that deflection as him explaining to old senators what cookies are...
The decision to be the first,... to lead,... to tread without trepidation where others fear to go,... that's what I called growing a spine. "Won't work because everybody else is still stuck in there" is simply an expression of that fear.
Same goes for every other communication tech. Just because your endpoint is not spied upon, if every other endpoint is spied upon you gain nothing. If you don't use WhatsApp, but all your friends use WhatsApp to talk about you then you gained nothing.
If you really believe there is no such thing as collective decision-making then imho you already gave up in the fight for privacy.
But even if we boycott Google and Facebook, they are not the main problem. Their business model is the main problem. Spying on your users, training predictive models, and using those models to exploit people is simply too profitable, and therefore too attractive for any profit-seeking company to ignore.
Until we solve that problem by deciding as a society that these business models are not ok, this 1984-like world we currently live in will be our reality.
Maybe even... gasp SMS. Or "telephone".
Telegram uses highly nonstandard cryptography (the founder hired a bunch of math competition winners and told them to design encryption from first principles), doesn't have E2E by default (unlike Whatsapp), and is owned by a quite sketchy Russian oligarch who started spending on democracy-related causes after a falling out with Putin.
Telegram uses dubious encryption and lies about their business (for example calling themselves a nonprofit when they aren't), and they retroactively retracted and then narrowed their bug bounty program.
WhatsApp hired the company behind Signal to help them implement Signal's encryption protocol. While it's not as good as Signal because it's not open source and thus can't be independently verified, if Facebook deliberately lied about the security of a product used by governments around the world they would face serious consequences.
See for example previous discussion.
For a detailed analysis of the flaws in their protocol, see 
If that's true that would be extremely serious, given that WhatsApp promises end-to-end encryption.
> WhatsApp end-to-end encryption ensures only you and the person you're communicating with can read what's sent, and nobody in between, not even WhatsApp. Your messages are secured with locks, and only the recipient and you have the special keys needed to unlock and read your messages. For added protection, every message you send has a unique lock and key. All of this happens automatically: No need to turn on settings or set up special secret chats to secure your messages.
> Important: End-to-end encryption is always activated. There's no way to turn off end-to-end encryption.
I doubt this because WhatsApp is Facebook.
Lying to the govt. is pretty vague. What lie in particular are you referring to?
> engineer who has even an iota of consideration for privacy
I think it isn't hard to say current practices in tech willfully deceive users about the usage and the value of their data because that would be orthogonal to their business interest.
I think framing it like that is vastly more honest. Not down-playing expectations of privacy.
I think that is reductive of engineers' opinions for one, and over-stating the behavior of these companies. How are people being deceived? Are they being lied to in the privacy agreements? That would be obviously deceptive and I can agree they should be transparent, but it's very public that data is part of the revenue generation for these places nowadays.
I think if people just expect to have a free service and give nothing up in return that isn't really a reasonable expectation anymore, so I don't find it deceptive or repugnant. Maybe there is an alternative where social media platforms don't rely on personal data and advertisements and I'd be all for that, but it doesn't exist now.
I do not use their service, and yet they stalk me around the web, with countless tracking pixels and like buttons, assembling my shadow profile. Yes, they are abusing privacy as much as real-world stalkers are.
I wouldn't personally – I'm about as anti-Facebook as it gets, but a lot of people (especially people not coming from a "tech" background) don't really appreciate the kind of shit Facebook pulls.
Let's play a game; how many degrees separated from Facebook is HN and YC? You go first, take a guess!
Let d:(x,y)->n be the degrees of separation between x and y. Since d(x,y)=0 implies x=y, and we know that FB and HN are not identical, we have d(FB,HN)>0.
Then, since d takes integral values we know that d(FB,HN)>=1 in any case.
Your hands aren't clean here, if you actually cared about avoiding Facebook at all costs, you wouldn't be here. The fact is, you don't (nor should you).
OAuth does not have this issue.
If you choose to login with Facebook, it is implicit that Facebook receives information.
I wanted to give a bit of context on this article, the story is a bit long though and there was no TLDR.
Here it goes: I wanted to protect my online privacy and, having worked in advertising before, I know that the user's email, in addition to the cookie, is usually the common denominator used to cross-reference user data. I tried, therefore, to generate a random email whenever I signed up on a new website via temporary email services like temp-mail, but there are 3 issues:
a. I can't remember which email I used. This problem is alleviated with a password manager though.
b. No way to reset the password later as the email has already expired. This is also not fair if the website happens to be a good (aka not spammy) one and just wants to contact me.
c. The flow is unbearable: I need to go to temp-mail, generate a random email, go back to the website, check temp-mail for the activation email, etc.
I dreamt of having a universal login button, like the "Login with Facebook/Google" one but without all the tracking and that can generate a random email at runtime. So SimpleLogin was born.
When creating SimpleLogin SDK, I tried to reverse-engineer popular SDKs like Facebook and Google to learn from them and discovered their not-very-ethical approaches. I haven't found any article talking about these practices so I decided to write one up.
I want to be as transparent as possible about the technology I'm using so if anyone has any questions, please feel free!
Also, I want to believe that, being open source, people would already have discovered anything fishy.
Did you get your user's consent to do that? Probably not.
It all depends on what users will tolerate in the name of convenience.
So it does come down to what you care about.
I'm saying give people choice, let them figure out what they care about. Making the choice for them is bad business and bad ethics. You don't know better than your users.
The problem is practical; do your users want the features or do they care about privacy? Let them make the choice, and don't hide it from them. That's the ethical behavior.
It's unethical to assume everyone values everything the same, including privacy. Some people don't care about it as much as you do, nor should they.
If you want to argue that privacy is not a right, we can start there.
You can give up your "human rights" for convenience/pleasure as long as you can reassert them down the line.
Signing in via Facebook is also a deliberate choice.
Given a person who wants to jump out of a plane, should it be okay to let them, even though it's a relatively high-risk activity? If the jumper doesn't care, is it ok then?
Given a person who wants to run for national public office, should it be okay for them to release their prior year tax returns, even though it's an exposure of their privacy? If the candidate doesn't care, is it ok then?
Turns out, this isn't an easy game to play, so stop trying to decide for others what they want for themselves. You don't know their situation.