[HN Gopher] Sign in with Google has been removed for your privacy
___________________________________________________________________
Sign in with Google has been removed for your privacy

Author : akoster
Score  : 89 points
Date   : 2022-12-10 19:13 UTC (3 hours ago)

(HTM) web link (slimvoice.co)
(TXT) w3m dump (slimvoice.co)

| ilyt wrote:
| "Google will no longer know you use our app! Hooray for privacy"
|
| "... but you still send me app related mails to my gmail account, what does this change".
|
| "...... FREEEDOM!!!"
| jahnu wrote:
| Don't let the perfect become the enemy of the good.
| [deleted]
| intelVISA wrote:
| Can't wait for the rise of libre hardware keys so more people can escape to FIDO instead of being chained to adtech.
| sys42590 wrote:
| Why do they argue with privacy?
|
| If Google decides to lock your account for any reason, all your third party accounts using Google's SSO are mostly fubar, as it's currently almost impossible to get your Google account back.
| cm2187 wrote:
| But what about the privacy of the people not using google at all. All other trackers are (or should) be blocked by my adblocker, but my adblocker can't block the google sign-in button because some people use that. So another way to defeat anti-tracking software.
|
| Plus those google sign-in buttons have recently become extra-obnoxious, opening a modal window over every page I visit to invite me to sign-in with google. This is really back to the 90s!
| itake wrote:
| This is true for most email addresses as well. If you use a domain name for your email that is owned by another company, then you can be locked out of your email (and any downstream accounts).
|
| I work in tech and 99% of my contacts are with @gmail (or some other free email host).
| sys42590 wrote:
| Most sites that require an email for sign-up only verify the email address once right after sign-up.
|
| So if Google ever locks my account, my other website passwords continue to work, while SSO using Google is instantly broken.
|
| Of course I won't be able anymore to reset my third party passwords through my Gmail mailbox, but many sites allow you to change the email address if you know the password...
| bloomingeek wrote:
| F-ing Google locked me out of my account and my email because I broke my cell, and then traded it in for a new one but Google kept sending the verification to my broken cell. There's no one to call for assistance!
| helsontaveras18 wrote:
| That sucks and this is something Google needs to fix, but for everyone else: make sure to get backup codes for your Google Account and place them in a password manager.
| Eleison23 wrote:
| k12sosse wrote:
| I hate to be that guy but this seems like a user problem
| tlogan wrote:
| This website does not have any information about owners or legal entity behind it. Who is running this? What is their physical address? Where are they registered?
|
| Honest question: how do I know and verify they really care about privacy and they are not one doing shady things?
|
| This is really honest question. How can anybody trust that company x care about privacy without even knowing anything about company x?
| jchw wrote:
| When it comes to SaaSes, absolutely nothing. It's all social. Even knowing the owners doesn't give you much more assurance that it's legit, unless they're very well known.
|
| That said, most liars are really really bad at lying. "We care about your privacy! Now let us load 1000 tracking libraries, kthxbai" is pretty easy to spot.
|
| I think the scarier case is when dealing with a government adversary. They're simply not as stupid, and you never know when it could happen: https://archive.ph/rI8mE
|
| For those cases, I get unnerved when things seem _too_ good to be true. If I didn't know former Mullvad employee(s), I'd be deeply concerned about them, too.
| yucky wrote:
| > This website does not have any information about owners or legal entity behind it.
|
| Yes it does. It's all over their TOS.
| jchw wrote:
| If you use SSO with the account you _were_ going to use your e-mail address with, it makes little difference whether you used OAuth2 vs traditional e-mail based authentication. You're locked out.
|
| If something happens, like OAuth2 stops working, most websites allow password reset to the e-mail address connected to the account, and then can log-in without OAuth2.
|
| The concern here is _probably_ related to some Log-in with Google scripts that run on the frontend, although if they were just using normal OAuth2, then I think they are wasting their time: whatever sensitive information Google gets via OAuth2 they also get via the unencrypted e-mails you're sending to them anyways...
| giancarlostoro wrote:
| Arguably if you can prove to the provider that the email is FUBAR and you own the account, it might be easier for them to change out the email on you. Maybe a good reason to support login via email and / or phone number. If you lose both, you're screwed.
| codazoda wrote:
| I use a custom domain and forward all mail to a web based email provider for this reason. If my provider drops me, I can move to another and update my forwarding. There's still a risk I could lose the domain somehow, but I don't hear about that happening nearly as often.
| derwiki wrote:
| I have a Gmail rule set up to forward all of my mail to a Protonmail account as a back up. So I can still perform password resets, etc
| charcircuit wrote:
| This doesn't increase anyone's privacy
|
| Before: When signing up with Google the owner gets your name, email, and profile picture
|
| After: When signing up without Google the owner gets your name and email, but the owner can make an API request to get your profile picture.
|
| In both scenarios the same amount of information is accessible by the site.
| theodorejb wrote:
| If I sign in with Google, won't Google know I have an account on that site? I would consider that a privacy issue.
| Gigachad wrote:
| They can just scan for signup emails and get the same thing
| ilyt wrote:
| If you put email account in the login they will know on the first e-mail the site sends to your email
| theodorejb wrote:
| Not if I don't use a Google email address. :)
| rezonant wrote:
| Yes but then you wouldn't have been able to use Sign in with Google anyway.
| intelVISA wrote:
| And Here's Why That's a Good Thing
| svnpenn wrote:
| CharlesW wrote:
| What does that have to do with this site?
| Barrin92 wrote:
| That is literal misinformation. (https://support.google.com/mail/answer/6603?hl=en)
|
| _"When you open Gmail, you'll see ads that were selected to show you the most useful and relevant ads. The process of selecting and showing personalized ads in Gmail is fully automated. These ads are shown to you based on your online activity while you're signed into Google. We will not scan or read your Gmail messages to show you ads."_
|
| Also assuming it was true, if you deny people the Google Sign-in they will simply use their Gmail address next, so you'd have actually increased usage of the service. Brilliantly thought out strategy.
| ratorx wrote:
| This used to be the case, but is explicitly mentioned as untrue now: https://support.google.com/mail/answer/6603?hl=en-GB
| azornathogron wrote:
| They stopped doing that in 2017 or so.
|
| https://support.google.com/mail/answer/6603?hl=en-GB
|
| https://www.theverge.com/2017/6/23/15862492/google-gmail-adv...
|
| https://www.nytimes.com/2017/06/23/technology/gmail-ads.html
| sieabahlpark wrote:
| Arnavion wrote:
| https://news.ycombinator.com/item?id=27526308
| Volundr wrote:
| Agree with it or not, it's about limiting the information Google gets about you.
| tlogan wrote:
| This website does not have any information about owners or legal entity behind it. Who is running this? What is their physical address? Where are they registered?
|
| Meaning they are managing invoices: the above information is very important.
|
| This seems more like Google banned them than they did something about "privacy".
| iKlsR wrote:
| Fwiw, I've been using them since 2016 and have sent hundreds of invoices. Simple and functional tool.
| tlogan wrote:
| That is not my point. My point is that you can not (and you must not) just blindly trust random entities claiming "I'm about privacy" without being transparent who they are, where they are from and all the company information required by GDPR or California privacy protection laws.
| [deleted]
| alin23 wrote:
| Their company "Sensor Station LLC" is mentioned multiple times in the Terms: https://slimvoice.co/terms
|
| Data on that company can be found here: https://opengovus.com/virginia-business/S8451587
| tlogan wrote:
| This should be listed in about page and privacy page. Note that GDPR requires physical address also to be listed on privacy page: but I guess they do not care about that stupid GDPR privacy thing.
| yucky wrote:
| A Virginia company is going to care as much about GDPR as an EU country would care about the 2nd Amendment.
| scarmig wrote:
| Encouraging worse security practices (dumping SSO for password logins) for an ideological goal that helps no one's privacy.
| throwntoday wrote:
| The pervasiveness of any Google code running on webpages across the net has been a danger to everyone's privacy. I think this is a worthwhile tradeoff though I'm sure many like you will disagree.
| ilyt wrote:
| I don't see why the page would be the one deciding that tradeoff for user.
| As long as you can pick plain old user/password there is no harm in offering other options
| toomuchtodo wrote:
| Passkeys becoming prevalent makes dropping BigTech SSO for personal use more palatable.
|
| Google will still store and sync the keys for users of Android and Chrome, but their code won't run on sites who opt out of Login with Google. It's an evolution of the security model. This is arguably superior considering the ability to migrate passkeys elsewhere. You have improved sovereignty over your auth story (versus "haha google locked you out of everything and you have no recourse").
|
| TLDR PKI > consumer federated identity
| cmdli wrote:
| For passkeys, I think allowing users to migrate their credentials wherever they want is key. I know Google/Apple/etc are working on a potential solution for that, but I think third-party solutions would be best from an "incentive alignment" perspective (Google and Apple don't want you moving away from their ecosystem).
|
| As an aside, I would like to plug my own passkey solution, Bulwark Passkey (https://bulwark.id) which is open source and allows credential exports. Whatever passkey solutions people end up using, managing credentials is going to be the key challenge (pun intended).
| jefftk wrote:
| I use a hardware security token to log into my Google account and then use that to log in to several other services. If I were to lose my token, I would still have my backup tokens, and could update this account to use a new token and unenroll the old token.
|
| If instead, every site I had ever logged into kept track of my tokens I would need to visit each of them and do the same thing.
|
| (It's already messier than that because some accounts I have --GitHub and Facebook--don't accept SSO but are important enough to be worth protecting with hardware tokens. But I don't want to go farther in this direction!)
| toomuchtodo wrote:
| We're not talking a loss of a hardware authenticator, we're talking the loss of access to your Google account. Worst case with passkeys is you lose access to the cloud corpus of your keys due to loss of account access while still having them on your device (and/or a passkey manager).
| jefftk wrote:
| I think I'm much much more likely to lose a hardware authenticator than my Google account
| toomuchtodo wrote:
| https://hn.algolia.com/?q=google+account+locked+out
|
| https://news.ycombinator.com/item?id=30771057
|
| And that's just HN participants, not the unknown layman cohort.
| jefftk wrote:
| If you look through those they are almost all about people forgetting their password or losing whatever they are using for 2FA: that is exactly what I'm worried about!
|
| In my particular case, I am happy with my 2FA setup for Google (three security keys, across multiple locations) so I think that category of lockout is pretty unlikely.
|
| And I've already lost my keys once in my life, about 20 years ago.
| stickfigure wrote:
| How do you think that compares to "lost my keys" or "lost my wallet"?
| simplotek wrote:
| > Encouraging worse security practices (dumping SSO for password logins) for an ideological goal that helps no one's privacy.
|
| It hardly seems reasonable or rational to attack the mere thought of handing out all auth responsibilities to a shady monopoly with a track record of dubious practices and government tie-ins for being "an ideological goal that helps no one's privacy".
| [deleted]
| LightHugger wrote:
| password logins are better security than phone verification in many cases.
| jefftk wrote:
| I'm curious what happened for people who had existing accounts configured with Google SSO...
| chrisbolt wrote:
| It says on the page:
|
|     Sign in with Google has been removed for your privacy.
|     Click here to create a password for your account.
| stickfigure wrote:
| "Your 2FA authentication has been downgraded to email/password for ideological reasons."
| ajross wrote:
| That's exactly my impression too. Authentication is _hard_. And this isn't some random site wanting to store user data, they're doing invoice management! (So... not quite handling money on behalf of users, but pretty darn close in terms of liability.)
|
| Regardless of your feelings on Big Tech and Privacy and whatnot, this absolutely looks like a security downgrade to me. If I were someone looking for para-financial services like this to phish with fake users for fraud purposes, I'd probably start with a site like Slimvoice.
|
| Personally I think there's a good argument to be made about the benefits and tradeoffs to allowing giant cloud companies to control the idea of "identity" on the internet. But if there's any market segment where big companies with deep pockets and extensive technical resources bring value, it's this one.
| catiopatio wrote:
| > Authentication is _hard_.
|
| No, it's not.
|
| It's certainly not harder or more complicated than the OAuth protocol used to support Google-based sign-in.
|
| Exactly what unique value do you believe these big companies bring, exactly?
| rattlesnakedave wrote:
| It actually is very hard. There's a long tail of concerns that make it difficult to do authentication as well as a major player in the space.
| catiopatio wrote:
| What exactly about it is hard?
| iLoveOncall wrote:
| And you can clearly see from the "Code" section in the same page as the privacy policy that this is only ideological and that this guy just likes to push his bad practices on others.
| esperent wrote:
| Well, only if the person has 2FA set up in their Google account, which most people don't in my experience.
|
| That aside, do you have a recommendation for auth that provides good privacy while also having wide adoption and ease of integration similar to Google or Facebook auth? And also 2FA of course.
|
| If there are no options then I think our problem is bigger than this particular dev's ideology.
| cmeacham98 wrote:
| It's not that difficult to roll your own secure auth, this website is halfway there. Add TOTP and Webauthn and they're basically done (there's plenty of good libraries out there for both).
|
| They also really should switch from bcrypt to something more modern like argon2, but bcrypt is a lot better than the unsalted MD5 I've seen in a lot of places.
| ISL wrote:
| Do we know that they haven't implemented another 2FA mechanism behind that email/password?
| cmeacham98 wrote:
| It takes all of 30 seconds to sign up an account and check. I was not offered 2FA during sign up, and cannot find anywhere on the site to enable it after logging in. If you don't believe me or think that I somehow missed it, feel free to create your own account and test.
| andrepd wrote:
| Shit, I had no idea Google had a monopoly on 2fa! That's terrible.
| esrauch wrote:
| They don't, but this website doesn't have it, right?
| tagawa wrote:
| Aside from the privacy improvement, what a beautifully functional site.
| flas9sd wrote:
| indeed, the about page also is not your usual legal boilerplate either
| Crono wrote:
| The developer made a nice article on how he did it with almost no JavaScript. Interesting read: https://javascript.works-hub.com/learn/a-javascript-free-fro...
| jgalt212 wrote:
| How many sites are out there with a "Sign In with Google" form that solely exists to harvest peoples' Google credentials?
| HaZeust wrote:
| That's not how OAuth works, which is what "Sign In with Google" utilizes.
| In order to Sign In with Google through a third-party software, Google and the third-party software must both agree to the arrangement.
|
| In the event they do, the third-party software adds a Google Sign In flow to their software, whereas their users can press a call-to-action for signing in with Google, which would trigger an opening of a separate Google-owned domain in a new min-browser window that the third-party software cannot access (and therefore not harvest information from). This min-window then sends the user back to the third-party software domain upon completion with an authentication token - which could be in the form of a URL query string, an HTTP method, a cookie, or even collection of arbitrary browser information for fingerprinting. The third-party site then sends that authentication token back to Google via their API, and Google sends back ONLY what that authentication token is permitted to grant access to - which would not be Google credentials.
___________________________________________________________________
(page generated 2022-12-10 23:00 UTC)
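
The exchange described in the last comment above, modelled as an added example (not part of the thread and not Google's code): a toy in-memory identity provider and relying party running an authorization-code style flow. The class names, client ID, secrets and sample account are all constructed for illustration; the sketch also includes the `state` check and single-use codes that a relying party normally relies on, which the comment does not mention.

```python
import hmac, secrets

class IdP:
    """Toy identity provider; stands in for the provider-owned side of the flow."""
    def __init__(self):
        # Constructed sample account and client registration.
        self.users = {"alice": {"password": "pw-constructed",
                                "email": "alice@example.com", "name": "Alice"}}
        self.clients = {"rp-1": {"secret": "s3cr3t-constructed",
                                 "redirect": "https://rp.example/cb"}}
        self.codes = {}  # one-time code -> (client_id, user, scope)

    def authorize(self, client_id, redirect, scope, state, user, password):
        # Runs on the provider's origin: the password is checked here, never by the RP.
        if self.clients[client_id]["redirect"] != redirect:
            raise PermissionError("redirect_uri not registered")
        if not hmac.compare_digest(self.users[user]["password"], password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope)
        return {"code": code, "state": state}  # what the browser carries back to the RP

    def token(self, client_id, client_secret, code):
        if not hmac.compare_digest(self.clients[client_id]["secret"], client_secret):
            raise PermissionError("bad client secret")
        grant = self.codes.pop(code, None)  # pop: each code is redeemable once
        if grant is None or grant[0] != client_id:
            raise PermissionError("unknown or replayed code")
        _, user, scope = grant
        releasable = {"email", "name"}  # the only fields a scope can release
        return {k: self.users[user][k] for k in scope if k in releasable}

class RelyingParty:
    """Toy third-party site that shows the sign-in button."""
    def __init__(self, idp):
        self.idp, self.pending = idp, set()

    def start_login(self):
        state = secrets.token_urlsafe(16)  # ties the callback to this login attempt
        self.pending.add(state)
        return {"client_id": "rp-1", "redirect": "https://rp.example/cb",
                "scope": ["email"], "state": state}

    def callback(self, params):
        if params["state"] not in self.pending:
            raise PermissionError("state mismatch")
        self.pending.discard(params["state"])
        return self.idp.token("rp-1", "s3cr3t-constructed", params["code"])

def demo():
    idp = IdP()
    rp = RelyingParty(idp)
    req = rp.start_login()
    back = idp.authorize(user="alice", password="pw-constructed", **req)
    return rp.callback(back), back, rp

if __name__ == "__main__":
    print(demo()[0])
```

The relying party only ever handles the redirect parameters and the released claims; a second redemption of the same code, or a callback carrying a `state` it did not issue, is rejected.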