Google will also be plopping $1B into Mesa
As a member of OpenID, I now question why I cannot use ApplePay to renew my membership with my mostly male ******* peers.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
OpenID Foundation Claims 'Sign In with Apple' Could Expose Users to Security and Privacy Risks
- Thread starter MacRumors
- Start date
- Sort by reaction score
Google will also be plopping $1B into Mesa
As a member of OpenID, I now question why I cannot use ApplePay to renew my membership with my mostly male ******* peers.
It's not about user lock-in. OpenID is designed by Google and cronies to invade your privacy. Apple is actually respecting privacy here so of court it's a threat to companies who want to scape ever scrap of your personal data they can. These companies are using false facts to try to make Apple look bad.
Why are they more concerned? Do they think Apple’s methods is less secure, or are they concerned because it’s going to be a burden to add the new code?
I know tons of apple users who primarily use WhatsApp. Far superior to the rubbish iMessage
Hmmm. I don't think I need to know more to figure out how "nonprofit" this organization is.
It makes a perfect sense for them to be on a Panic mode! A bit strange that MacRumors writers cannot figure out this much!!
The goal was never to interoperate with OpenID, so violations of the OpenID spec don't really matter. What was missing was a discussion of what the risks were because they didn't do the same thing as OpenID.
For example does the lack of a nonce mean that Apple's method is more open to replay attacks?
Some other things, like "the token will be big" is probably irrelevant.
For example does the lack of a nonce mean that Apple's method is more open to replay attacks?
Some other things, like "the token will be big" is probably irrelevant.
Apple should force developers to implement "sign in with Apple" in order to push back the influence of malignant companies like Facebook and Co.
[doublepost=1561963180][/doublepost]If you use Gmail to sign in, they have access to the exact same stuff, and they make more off of user data than anyone. What’s your point?
You have now repeated this twice. Can you point to something in the spec that demonstrates this?
Apple’s protocol implementation does nothing to “respect privacy”, it is their policies that do that. They make a choice not to store or track any of the login (a great thing), but that has nothing to do with the protocol itself. They also choose not to share most extended attributes (also completely allowed by the spec).
I have not gone through all the examples in the OpenID complaint, but at least the one I already referenced was posted in 2016, well before Apple specified Sign in with Apple. Unless you are saying that OpenID falsely created this security advisory and fix, 3 years ago, knowing that Apple would not adopt it (in which case we have other issues and need not discuss this further), your argument just does not hold water.
They stopped using OpenID 2.0 (and took way too long to do so IMHO), but they still use OpenID Connect. It is the standard behind SSO with Google.
I know almost no Americans who use WhatsApp. Especially since they got bought by Facebook, most of my non-Apple ecosystem friends use either Signal or Telegram. All my Apple ecosystem (Americans and others) primarily use iMessage for communication with each other.
You have, you just haven't known because its been branded Sign in with Google or the like.
[doublepost=1561964710][/doublepost]
Apple made no material changes to OpenID. They simply implemented it incorrectly/incompletely. There are known and documented security issues with some of the mistakes they made in their implementation.
Yep, assumedly the purpose of the open letter.
Don't know who 'them' is, or what the dollar signs are. OIDF is a non-profit industry consortium trying to create secure solutions for this problem space. Apple is a for-profit company adding a privacy-preserving convenience feature to their platform.
I honestly think Apple engineers are trying to do the right thing, but Apple's compartmentalization and secrecy has prevented them from working with third parties.
This is unrelated to the topic, but WhatsApp is the ICQ of messaging app. It is archaic, the fact that it can only be used in one single phone device (don’t get me started on the web version). The only thing WhatsApp has is userbase. It reminds me the days of AOL, where users are clinging to it because their friends are on it.
This. OpenID pointed out some flaws, saying plz fix it. Then said Apple is more then welcome to use OpenID spec in order to certificate it and make it easier for developers to implement and security engineers to fix bugs.
[doublepost=1561965864][/doublepost]
Both, primarily security, which macrumors failed to communicate.
Or a more likely answer is you have blogs spinning it one way or the other mix with fanboys/haters blowing it and screaming one way or the other with little understanding of the basic issue.
The way it was presented back in terms of spec violation is fairly common and just a way of saying how to fix it. They do not have a way to pass it on to Apple directly and know it will not get lost.
I wish that my non-iMessage friends would use Signal. I'm getting tired of messaging myself... lol
It's hard to explain why text messaging is not secure and what end-to-end encryption is when they really don't care to understand it. I know people who still don't have passwords on their devices. I demonstrated how easy Touch ID was, but to no avail.
Link from Article:
https://bitbucket.org/openid/connec...-in-with-Apple-differs-from-OpenID-Connect.md
- When nonce is provided in the code or code id_token grant types, it isn’t included in the id_token returned. Not having the nonce enables known attacks.
- The code id_token response type does not include c_hash in the returned id_token.
- The code id_token response type returns the response parameters as query parameters, not in the fragment.
- Providing a prompt parameter with any value (e.g. login or consent) or empty results in a 400 with no body.
- When max_age is requested, the id_token does not include an auth_time claim.
make it policy to only reply in signal. worked for me now we use signal every time.
Actually Microsoft’s business model is based on customer paying for the service. User privacy is one of the main selling points in this day and age of the old tech companies like Apple and Microsoft.
Regarding data, the data miners use AuthO or am I wrong? OpenID in itself should be safe. Then again, I wouldn’t use Google ID regardless of the protocol they use. Seriously, that company is beyond shady but just more clever and smarter than FB.
That is true for the enterprise market. However, Microsoft is increasingly more data-collecting-oriented on the consumer side. Just look at the various permissions on Windows 10 and the data collection MS is asking for.
Frankly, this thread consist 90%+ of posts of people who have absolutely no clue what OpenID is and how it works.
However, that doesn't change that "sign in with provider" isn't a good solution to the authentication problem... What the world really needs is a token/smartcard based approach much like the yubikeys, just with on-device authentication, like the onlykey. Some NFC device with a PIN-pad to unlock it...
That's what they do if the App offer "sign in with if other serverice".
However, that doesn't change that "sign in with provider" isn't a good solution to the authentication problem... What the world really needs is a token/smartcard based approach much like the yubikeys, just with on-device authentication, like the onlykey. Some NFC device with a PIN-pad to unlock it...
Most of my non-American (European, Latin America, and Asia) Apple friends use either Line or Whatsapp. Only some of them have recently used iMessage as a secondary to talk to Americans.
Lack of multi-device support is one of my main issues (being owned by Facebook is the other). I prefer iMessage, followed by telegram (just do not use it for anything that I do not want the Russian government seeing)
and then Signal (seems to be more secure than WhatsApp).Not a fan of WhatsApp but almost everyone I know (Apple or Android) has it, and no one I know has Telegram or Signal. Also an American here.