Modernizing Authentication — What It Takes to Transform Secure Access
But with the rush to make websites 2.0 compliant, companies are throwing privacy and security considerations out the window in hopes of riding this new wave of catch-phrase coolness.
If you arent familiar with Sillycon Valleys latest and greatest VC-fundable buzzword, Wikipedia says that Web 2.0 refers to the next generation of Internet-based services, such as social networking and community-based sites, that let people collaborate and share information in new ways. Wikipedia itself is a prime example of this new era of interactivity and collaborative community.
|More Ray Everett-Church Columns|
|A Betrayal of Honorhttps://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=iThe Unwitting Privacy PioneersDude, Where's My Laptop?Google Spreadsheets: Secure Enough to Trust?Quest Sets Admirable Example in NSA Case|
Indeed, outsourced programmers from Bangalore to Mumbai, and everywhere else in the world, are riding the 2.0 wave by adding new customization and personalization features to every tired old website they can get their hands on.
One of the classic signs of a website trying to position itself as a 2.0 venture is the creation of an API, an Application Programming Interface, through which it allows other websites or software developers to access its capabilities and exchange data.
Excellent examples of APIs include the capability for website designers to incorporate Google and Yahoo maps and driving directions directly into their existing website. When your favorite restaurant embeds driving directions on their homepage, you may have an API to thank.
The proliferation of APIs and other types of data feeds, including Real Simple Syndication (RSS), have created the Internet cultural phenomenon known as the mash-up, in which sometimes multiple data sources are pulled together to create entirely new services. A great example is Zillow.com, which pulls property tax data, housing sales reports, and overlays it atop street maps and satellite images to show home values and to visualize real estate trends.
Theres no question that by making the content of their sites more easily accessible through APIs, companies are helping to create some really new and exciting services for consumers, all the while expanding the market for their existing products and services.
In my opinion, however, not every mashup, API, or user-driven experience is a smart idea.
Recently a colleague of mine suggested I try a service called Meebo which allows you to send and receive instant messages from all the major IM services through one interface. All you have to do is give Meebo your usernames and passwords for all your accounts and let them be the intermediary for all your online interactions thereafter.
Knowing full well that most consumers arent as jaded and suspicious as me, I took a quick spin through Meebos About Us section of their website and learned that if I signed up, the keys to my online realm would be under the care of people like Biz Guy, Mr. Sparkle, an Abraham Lincoln re-enactor, and someone called Server Chick, who just quit her day job.
The site also provided a link for something called privacy principles, which stated that while the company is very committed to security, were not all the way there yet.
Ironically, those candid revelations make Meebo among the most honest and forthright of all the Web 2.0 start-ups regarding the risks arising from such experiments in openness and wide-eyed trust.
While start-ups like Meebo are busily creating new possibilities for privacy and security disasters, the established Internet companies are also rushing headlong into their own potential problems. Among them is the current front-runner for my Greatest Looming Web 2.0 Disaster Award: the new API for the Yahoo! Mail service.
Earlier this month, Yahoo! announced that they were opening up their mail system to third-party developers who want to create applications that incorporate access to users Yahoo! email accounts. By utilizing the API, which reportedly includes an updated user login and authentication process, any developer can add the ability for users to send and receive email messages via their existing Yahoo! Mail account from within that developers proprietary application.
The idea is to make it easier for the Web 2.0 development community to integrate Yahoo! Mail into various new and interesting experiences, allowing Yahoo! to be more deeply embedded in the Internet of tomorrow.
But in my mind, the benefits of opening up the system are outweighed by the potential to create even more sophisticated kinds of man in the middle hacker attacks and new twists on the growing epidemic of phishing.
Phishing is the process by which hackers trick users into providing their usernames and passwords by creating sham versions of websites that masquerade as legitimate. Phishing works because most users arent very skeptical or discriminating when they are asked to log into their email, online banking account, eBay or PayPal account, or other online service.
Even if there is a way to secure the login process and to make it less susceptible to being replicated by phishers, theres still the matter of ill-intentioned application developers.
Oddly enough, when I think of those who could profit from creating a new interface and passing all of a Yahoo! users email through its systems for parsing and manipulation, first in line is Yahoo!s archrival, Google.
Google has promised users of its Gmail service that, through the wonders of sifting through your email box with its supercharged content sniffers, they will be able to serve advertisements based on the content of your email messages. By using the API process, could Gmail create an interface for users to import the mail from Yahoo and further erode its rivals advertising reach?
Just think: One day Gmail might also be able to deliver Yahoo! users a nagging email from their spouse, along with advertisements for divorce lawyers, discounts for dating services, and a sale price on the autobiography of Lorena Bobbitt half-off, of course.
This is less a security problem than a business problem but its one that I think about when trying to decide when to start short-selling Yahoo! stock.
For me, the biggest problem with ill-conceived Web 2.0 compliance is that its making it even harder to teach users how to protect themselves.
Just as we are getting users trained to be more suspicious of folks who ask them to log in via seemingly legitimate interfaces, systems like Meebo and the Yahoo! Mail API work to add further confusion as to what a legitimate login screen can look like.
Some of todays Web 2.0 concepts are absolutely amazing and changing the face of the Internet for the better. But in the rush to ride this new wave, too many companies are blinded by coolness and forget the fundamentals.
I only hope that more of todays Web 2.0 entrepreneurs will go back and spend some time with Privacy and Security 101, before their users and their exciting ideas get burned.