• Why does this forum want to access my YouTube? (Also strange stuff with notifications)

    I’ll be short and I’ll dump two problems into a single thread.

1. So today I logged in and found that Antergos SSO wants, like, a lot of things from my Google account. This thread complains about Antergos wanting to know basic profile info. Yeah, it doesn’t end there; it also wants to access my YouTube account.

2. When I logged in today (after a long time), the bell lit up claiming I have three notifications. After I clicked it, there were no notifications.

  • Hi.
    Yes, I know. I was a little concerned myself over the SSO. I, personally, have never really been a fan of social media sites, Google, and others using my personal information as a gold mine, linking queries and connecting all the dots to where, what, why, and how users are on the Internet.

I read that there was a study by some researchers at a university in the USA (Indiana University), as well as the guys at Microsoft Research, wherein SSO allowed scammers to log in as somebody else. There have been some incidents of users being able to log in as other users right here in these forums. Not to say that our guys in this forum are scammers, but you can see first hand the results of the flaws of the new SSO for this forum. It is not good and I am not really liking it.

    Here is a quote from the website that I found earlier on how this scam into another’s web login was done:

In one of the flaws the researchers exposed, for example, not all websites confirmed that a verification coming from OpenID included all of the items the website asked to be confirmed, such as the first name, last name and email address. The researchers were able to access the request, delete one piece of requested information (the email address, for example) as it went to OpenID and simply re-insert it in the signed okay from OpenID. In this way, even a hacker who didn't control the email address linked to the user's account on the website in question could log in, and potentially make purchases, using that person's account.

    Scares the crap out of me. I am hoping that a patch was at some point in history done to correct this flaw. Link to above quote

All in all, I really don’t like it. Privacy really does not exist any longer and honestly, I wish the SSO for our forum would disappear and go back to the old log in that we had. There was, in my opinion, nothing wrong with it.
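The flaw quoted above, modelled as an added example (this is not code from the thread, from the cited study, or from the Antergos SSO). The provider, the shared secret, the field names and the HMAC layout are all constructed for illustration; real OpenID 2.0 carries the list of signed fields in `openid.signed` and the signature in `openid.sig`, but the relying-party mistake is the same: checking that the signature is valid and that the fields it wants are present, without checking that those fields are among the ones the signature actually covers. The "vulnerable" and "hardened" relying parties below differ only in that last check.

```python
import hashlib
import hmac

# Constructed association secret shared by the provider and the relying
# party (assumption for the demo; real deployments negotiate this).
PROVIDER_SECRET = b"constructed-demo-association-secret"

# Attributes the relying party asked the provider to assert and relies on
# (it uses "email" to find the local account, as in the quoted scenario).
REQUIRED_FIELDS = ("identity", "first_name", "last_name", "email")


def _canonical(fields: dict, order) -> bytes:
    """Key/value serialisation that is signed; one 'k:v' line per field."""
    return "".join(f"{k}:{fields[k]}\n" for k in order).encode()


def provider_sign(fields: dict) -> dict:
    """Model of the identity provider: it signs exactly the fields it was
    asked about and names them in 'signed', comma separated."""
    order = sorted(fields)
    resp = dict(fields)
    resp["signed"] = ",".join(order)
    resp["sig"] = hmac.new(PROVIDER_SECRET, _canonical(fields, order),
                           hashlib.sha256).hexdigest()
    return resp


def _signature_valid(resp: dict) -> bool:
    """Recompute the MAC over the fields listed in 'signed' only."""
    order = resp["signed"].split(",")
    if any(k not in resp for k in order):
        return False
    expected = hmac.new(PROVIDER_SECRET, _canonical(resp, order),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, resp["sig"])


def vulnerable_rp_accepts(resp: dict) -> bool:
    """The flawed check: valid signature + every wanted field present.
    Fields outside the signed list are trusted as if they were signed."""
    if not _signature_valid(resp):
        return False
    return all(f in resp for f in REQUIRED_FIELDS)


def hardened_rp_accepts(resp: dict) -> bool:
    """The fix: every field the RP relies on must be in the signed list."""
    if not _signature_valid(resp):
        return False
    signed = set(resp["signed"].split(","))
    return all(f in signed for f in REQUIRED_FIELDS)


def attack_scenario() -> tuple:
    """Replays the quoted attack: the attacker strips 'email' from the
    request so the provider never signs it, then re-inserts the victim's
    address into the signed response. Returns (vulnerable, hardened)."""
    asked = {  # constructed attacker-controlled identity, no email requested
        "identity": "https://op.example/attacker",
        "first_name": "Mal",
        "last_name": "Lory",
    }
    resp = provider_sign(asked)
    resp["email"] = "victim@example.org"  # unsigned, attacker-chosen
    return vulnerable_rp_accepts(resp), hardened_rp_accepts(resp)


if __name__ == "__main__":
    print(attack_scenario())  # (True, False)
```

The hardened check is the whole fix: nothing about the signature algorithm changes, the relying party simply refuses to act on any attribute the provider did not put under its signature. The same rule applies to any signed assertion format (SAML attribute statements, JWT claims): look up the account only by values inside the signed envelope.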

  • @Tamius-Han

1. I assume you used Google SSO when you registered your account initially? The only thing that was changed from the previous SSO setup (and also the only thing that isn’t part of the bare-minimum scope) is the addition of YouTube. The intention was to give users the option to display their YouTube channel on their profile pages. I thought the YouTube access was read-only, but after further review I see that it’s read/write and there is no read-only option. Because there is no read-only option I am going to remove YouTube from the requested scopes. Thanks for bringing this to my attention! 😃
    2. Not sure what caused this. Let us know if it continues to be a problem.

@Modisc The information you referenced is referring to OpenID, which is not the technology behind the new SSO service (nor the previous one). Our SSO has always used OAuth2, which is another open standard for authorization that does not suffer from the same issues that plague OpenID. That’s not to say it’s perfect or that there are no considerations to be made in regards to using it. However, it is what most of the web uses these days, so should any issues be discovered, they will be disclosed publicly and addressed swiftly.

I think there might be some confusion in regards to the use of SSO. At its most basic level, our SSO service does nothing more than allow you to log in to the wiki with your forum credentials and vice versa. If you have a forum or wiki account then you can continue to log in with those credentials. Use of a social SSO provider (e.g. Facebook, Google, etc.) is not required. It is only provided as a convenience option.

    There are still some kinks to work out with the implementation (obviously), but rest assured that we are working on it and we are not cutting any corners (codewise). The security of our online services and the security of our users are both very important to us.

    Best Regards,

  • @lots-0-logs
I did not know that SSO and OpenID are two separate technologies.
    I was under the impression that they are both one and the same.
    Oh well, my bad then. :)
