[HN Gopher] Sign in with Google has been removed for your privacy
       ___________________________________________________________________
        
       Sign in with Google has been removed for your privacy
        
       Author : akoster
       Score  : 89 points
       Date   : 2022-12-10 19:13 UTC (3 hours ago)
        
 (HTM) web link (slimvoice.co)
 (TXT) w3m dump (slimvoice.co)
        
       | ilyt wrote:
       | "Google will no longer know you use our app! Hooray for privacy"
       | 
       | "... but you still send me app related mails to my gmail account,
       | what does this change".
       | 
       | "...... FREEEDOM!!!"
        
         | jahnu wrote:
         | Don't let the perfect become the enemy of the good.
        
           | [deleted]
        
       | intelVISA wrote:
       | Can't wait for the rise of libre hardware keys so more people can
       | escape to FIDO instead of being chained to adtech.
        
       | sys42590 wrote:
       | Why do they argue with privacy?
       | 
       | If Google decides to lock your account for any reason, all your
       | third party accounts using Google's SSO are mostly fubar, as it's
       | currently almost impossible to get your Google account back.
        
         | cm2187 wrote:
         | But what about the privacy of the people not using google at
         | all. All other trackers are (or should be) blocked by my
         | adblocker, but my adblocker can't block the google sign-in
         | button because some people use that. So another way to defeat
         | anti-tracking software.
         | 
         | Plus those google sign-in buttons have recently become extra-
         | obnoxious, opening a modal window over every page I visit to
         | invite me to sign-in with google. This is really back to the
         | 90s!
        
         | itake wrote:
         | This is true for most email addresses as well. If you use a
         | domain name for your email that is owned by another company,
         | then you can be locked out of your email (and any
         | downstream accounts).
         | 
         | I work in tech and 99% of my contacts are with @gmail (or some
         | other free email host).
        
           | sys42590 wrote:
           | Most sites that require an email for sign-up only verify the
           | email address once right after sign-up.
           | 
           | So if Google ever locks my account, my other website
           | passwords continue to work, while SSO using Google is
           | instantly broken.
           | 
           | Of course I won't be able anymore to reset my third party
           | passwords through my Gmail mailbox, but many sites allow to
           | change the email address if you know the password...
        
         | bloomingeek wrote:
         | F-ing Google locked me out of my account and my email because I
         | broke my cell, and then traded it in for a new one but Google
         | kept sending the verification to my broken cell. There's no one
         | to call for assistance!
        
           | helsontaveras18 wrote:
           | That sucks and this is something Google needs to fix, but for
           | everyone else: make sure to get backup codes for your Google
           | Account and place them in a password manager.
        
             | Eleison23 wrote:
        
           | k12sosse wrote:
           | I hate to be that guy but this seems like a user problem
        
         | tlogan wrote:
         | This website does not have any information about owners or
         | legal entity behind it. Who is running this? What is their
         | physical address? Where are they registered?
         | 
         | Honest question: how do I know and verify they really care
         | about privacy and they are not one doing shady things?
         | 
         | This is a really honest question. How can anybody trust that
         | company x cares about privacy without even knowing anything
         | about company x?
        
           | jchw wrote:
           | When it comes to SaaSes, absolutely nothing. It's all social.
           | Even knowing the owners doesn't give you much more assurance
           | that it's legit, unless they're very well known.
           | 
           | That said, most liars are really really bad at lying. "We
           | care about your privacy! Now let us load 1000 tracking
           | libraries, kthxbai" is pretty easy to spot.
           | 
           | I think the scarier case is when dealing with a government
           | adversary. They're simply not as stupid, and you never know
           | when it could happen: https://archive.ph/rI8mE
           | 
           | For those cases, I get unnerved when things seem _too_ good
           | to be true. If I didn't know former Mullvad employee(s), I'd
           | be deeply concerned about them, too.
        
           | yucky wrote:
           | > This website does not have any information about owners or
           | legal entity behind it.
           | 
           | Yes it does. It's all over their TOS.
        
         | jchw wrote:
         | If you use SSO with the account you _were_ going to use your
         | e-mail address with, it makes little difference whether you
         | used OAuth2 vs traditional e-mail based authentication. You're
         | locked out.
         | 
         | If something happens, like OAuth2 stops working, most websites
         | allow password reset to the e-mail address connected to the
         | account, and then can log-in without OAuth2.
         | 
         | The concern here is _probably_ related to some Log-in with
         | Google scripts that run on the frontend, although if they were
         | just using normal OAuth2, then I think they are wasting their
         | time: whatever sensitive information Google gets via OAuth2
         | they also get via the unencrypted e-mails you're sending to
         | them anyways...
        
           | giancarlostoro wrote:
           | Arguably if you can prove to the provider that the email is
           | FUBAR and you own the account, it might be easier for them to
           | change out the email on you. Maybe a good reason to support
           | login via email and / or phone number. If you lose both,
           | you're screwed.
        
           | codazoda wrote:
           | I use a custom domain and forward all mail to a web based
           | email provider for this reason. If my provider drops me, I
           | can move to another and update my forwarding. There's still a
           | risk I could lose the domain somehow, but I don't hear about
           | that happening nearly as often.
        
           | derwiki wrote:
           | I have a Gmail rule set up to forward all of my mail to a
           | Protonmail account as a back up. So I can still perform
           | password resets, etc
        
       | charcircuit wrote:
       | This doesn't increase anyone's privacy
       | 
       | Before: When signing up with Google the owner gets your name,
       | email, and profile picture
       | 
       | After: When signing up without Google the owner gets your name
       | and email, but the owner can make an API request to get your
       | profile picture.
       | 
       | In both scenarios the same amount of information is accessible by
       | the site.
        
         | theodorejb wrote:
         | If I sign in with Google, won't Google know I have an account
         | on that site? I would consider that a privacy issue.
        
           | Gigachad wrote:
           | They can just scan for signup emails and get the same thing
        
           | ilyt wrote:
           | If you put email account in the login they will know on the
           | first e-mail the site sends to your email
        
             | theodorejb wrote:
             | Not if I don't use a Google email address. :)
        
               | rezonant wrote:
               | Yes but then you wouldn't have been able to use Sign in
               | with Google anyway.
        
           | intelVISA wrote:
           | And Here's Why That's a Good Thing
        
         | svnpenn wrote:
        
           | CharlesW wrote:
           | What does that have to do with this site?
        
           | Barrin92 wrote:
           | That is literal misinformation.
           | (https://support.google.com/mail/answer/6603?hl=en)
           | 
           | _"When you open Gmail, you'll see ads that were selected to
           | show you the most useful and relevant ads. The process of
           | selecting and showing personalized ads in Gmail is fully
           | automated. These ads are shown to you based on your online
           | activity while you're signed into Google. We will not scan or
           | read your Gmail messages to show you ads."_
           | 
           | Also assuming it was true, if you deny people the Google
           | Sign-in they will simply use their Gmail address next, so
           | you'd have actually increased usage of the service.
           | Brilliantly thought out strategy.
        
           | ratorx wrote:
           | This used to be the case, but is explicitly mentioned as
           | untrue now:
           | https://support.google.com/mail/answer/6603?hl=en-GB
        
           | azornathogron wrote:
           | They stopped doing that in 2017 or so.
           | 
           | https://support.google.com/mail/answer/6603?hl=en-GB
           | 
           | https://www.theverge.com/2017/6/23/15862492/google-gmail-adv...
           | 
           | https://www.nytimes.com/2017/06/23/technology/gmail-ads.html
        
             | sieabahlpark wrote:
        
             | Arnavion wrote:
             | https://news.ycombinator.com/item?id=27526308
        
         | Volundr wrote:
         | Agree with it or not, it's about limiting the information
         | Google gets about you.
        
       | tlogan wrote:
       | This website does not have any information about owners or legal
       | entity behind it. Who is running this? What is their physical
       | address? Where are they registered?
       | 
       | Meaning they are managing invoices: the above information is
       | very important.
       | 
       | This seems more like Google banned them than they did something
       | about "privacy".
        
         | iKlsR wrote:
         | Fwiw, I've been using them since 2016 and have sent hundreds of
         | invoices. Simple and functional tool.
        
           | tlogan wrote:
           | That is not my point. My point is that you cannot (and you
           | must not) just blindly trust random entities claiming "I'm
           | about privacy" without being transparent about who they are,
           | where they are from and all the company information required
           | by GDPR or California privacy protection laws.
        
             | [deleted]
        
         | alin23 wrote:
         | Their company "Sensor Station LLC" is mentioned multiple times
         | in the Terms: https://slimvoice.co/terms
         | 
         | Data on that company can be found here:
         | https://opengovus.com/virginia-business/S8451587
        
           | tlogan wrote:
           | This should be listed in about page and privacy page. Note
           | that GDPR requires physical address also to be listed on
           | privacy page: but I guess they do not care about that stupid
           | GDPR privacy thing.
        
             | yucky wrote:
             | A Virginia company is going to care as much about GDPR as a
             | EU country would care about the 2nd Amendment.
        
       | scarmig wrote:
       | Encouraging worse security practices (dumping SSO for password
       | logins) for an ideological goal that helps no one's privacy.
        
         | throwntoday wrote:
         | The pervasiveness of any Google code running on webpages across
         | the net has been a danger to everyone's privacy. I think this
         | is a worthwhile tradeoff though I'm sure many like you will
         | disagree.
        
           | ilyt wrote:
           | I don't see why the page would be the one deciding that
           | tradeoff for user. As long as you can pick plain old
           | user/password there is no harm offering other options
        
         | toomuchtodo wrote:
         | Passkeys becoming prevalent makes dropping BigTech SSO for
         | personal use more palatable.
         | 
         | Google will still store and sync the keys for users of Android
         | and Chrome, but their code won't run on sites who opt out of
         | Login with Google. It's an evolution of the security model.
         | This is arguably superior considering the ability to migrate
         | passkeys elsewhere. You have improved sovereignty over your
         | auth story (versus "haha google locked you out of everything
         | and you have no recourse").
         | 
         | TLDR PKI > consumer federated identity
        
           | cmdli wrote:
           | For passkeys, I think allowing users to migrate their
           | credentials wherever they want is key. I know
           | Google/Apple/etc are working on a potential solution for
           | that, but I think third-party solutions would be best from an
           | "incentive alignment" perspective (Google and Apple don't
           | want you moving away from their ecosystem).
           | 
           | As an aside, I would like to plug my own passkey solution,
           | Bulwark Passkey (https://bulwark.id) which is open source and
           | allows credential exports. Whatever passkey solutions people
           | end up using, managing credentials is going to be the key
           | challenge (pun intended).
        
           | jefftk wrote:
           | I use a hardware security token to log into my Google account
           | and then use that to log in to several other services. If I
           | were to lose my token, I would still have my backup tokens,
           | and could update this account to use a new token and unenroll
           | the old token.
           | 
           | If instead, every site I had ever logged into kept track of
           | my tokens I would need to visit each of them and do the same
           | thing.
           | 
           | (It's already messier than that because some accounts I have
           | --GitHub and Facebook--don't accept SSO but are important
           | enough to be worth protecting with hardware tokens. But I
           | don't want to go farther in this direction!)
        
             | toomuchtodo wrote:
             | We're not talking a loss of a hardware authenticator, we're
             | talking the loss of access to your Google account. Worst
             | case with passkeys is you lose access to the cloud corpus
             | of your keys due to loss of account access while still
             | having them on your device (and/or a passkey manager).
        
               | jefftk wrote:
               | I think I'm much much more likely to lose a hardware
               | authenticator than my Google account
        
               | toomuchtodo wrote:
               | https://hn.algolia.com/?q=google+account+locked+out
               | 
               | https://news.ycombinator.com/item?id=30771057
               | 
               | And that's just HN participants, not the unknown layman
               | cohort.
        
               | jefftk wrote:
               | If you look through those they are almost all about
               | people forgetting their password or losing whatever they
               | are using for 2FA: that is exactly what I'm worried
               | about!
               | 
               | In my particular case, I am happy with my 2FA setup for
               | Google (three security keys, across multiple locations)
               | so I think that category of lockout is pretty unlikely.
               | 
               | And I've already lost my keys once in my life, about 20
               | years ago.
        
               | stickfigure wrote:
               | How do you think that compares to "lost my keys" or "lost
               | my wallet"?
        
         | simplotek wrote:
         | > Encouraging worse security practices (dumping SSO for
         | password logins) for an ideological goal that helps no one's
         | privacy.
         | 
         | It hardly seems reasonable or rational to attack the mere
         | thought of handing out all auth responsibilities to a shady
         | monopoly with a track record of dubious practices and
         | government tie-ins for being "an ideological goal that helps no
         | one's privacy".
        
         | [deleted]
        
         | LightHugger wrote:
         | password logins are better security than phone verification in
         | many cases.
        
       | jefftk wrote:
       | I'm curious what happened for people who had existing accounts
       | configured with Google SSO...
        
         | chrisbolt wrote:
         | It says on the page:
         | 
         | Sign in with Google has been removed for your privacy.
         | Click here to create a password for your account.
        
       | stickfigure wrote:
       | "Your 2FA authentication has been downgraded to email/password
       | for ideological reasons."
        
         | ajross wrote:
         | That's exactly my impression too. Authentication is _hard_. And
         | this isn't some random site wanting to store user data,
         | they're doing invoice management! (So... not quite handling
         | money on behalf of users, but pretty darn close in terms of
         | liability.)
         | 
         | Regardless of your feelings on Big Tech and Privacy and
         | whatnot, this absolutely looks like a security downgrade to me.
         | If I were someone looking for para-financial services like this
         | to phish with fake users for fraud purposes, I'd probably start
         | with a site like Slimvoice.
         | 
         | Personally I think there's a good argument to be made about the
         | benefits and tradeoffs to allowing giant cloud companies to
         | control the idea of "identity" on the internet. But if there's
         | any market segment where big companies with deep pockets and
         | extensive technical resources bring value, it's this one.
        
           | catiopatio wrote:
           | > Authentication is _hard_.
           | 
           | No, it's not.
           | 
           | It's certainly not harder or more complicated than the OAuth
           | protocol used to support Google-based sign-in.
           | 
           | Exactly what unique value do you believe these big companies
           | bring, exactly?
        
             | rattlesnakedave wrote:
             | It actually is very hard. There's a long tail of concerns
             | that make it difficult to do authentication as well as a
             | major player in the space.
        
               | catiopatio wrote:
               | What exactly about it is hard?
        
         | iLoveOncall wrote:
         | And you can clearly see from the "Code" section in the same
         | page as the privacy policy that this is only ideological and
         | that this guy just likes to push his bad practices on others.
        
         | esperent wrote:
         | Well, only if the person has 2FA set up in their Google
         | account, which most people don't in my experience.
         | 
         | That aside, do you have a recommendation for auth that provides
         | good privacy while also having wide adoption and ease of
         | integration similar to Google or Facebook auth? And also 2FA of
         | course.
         | 
         | If there are no options then I think our problem is bigger than
         | this particular dev's ideology.
        
           | cmeacham98 wrote:
           | It's not that difficult to roll your own secure auth, this
           | website is halfway there. Add TOTP and Webauthn and they're
           | basically done (there's plenty of good libraries out there
           | for both).
           | 
           | They also really should switch from bcrypt to something more
           | modern like argon2, but bcrypt is a lot better than the
           | unsalted MD5 I've seen in a lot of places.
        
         | ISL wrote:
         | Do we know that they haven't implemented another 2FA mechanism
         | behind that email/password?
        
           | cmeacham98 wrote:
           | It takes all of 30 seconds to sign up an account and check. I
           | was not offered 2FA during sign up, and cannot find anywhere
           | on the site to enable it after logging in. If you don't
           | believe me or think that I somehow missed it, feel free to
           | create your own account and test.
        
         | andrepd wrote:
         | Shit, I had no idea Google had a monopoly on 2fa! That's
         | terrible.
        
           | esrauch wrote:
           | They don't, but this website doesn't have it, right?
        
       | tagawa wrote:
       | Aside from the privacy improvement, what a beautifully functional
       | site.
        
         | flas9sd wrote:
         | indeed, the about page also is not your usual legal boilerplate
         | either
        
         | Crono wrote:
         | The developer made a nice article on how he did it with almost
         | no JavaScript. Interesting read:
         | https://javascript.works-hub.com/learn/a-javascript-free-fro...
        
       | jgalt212 wrote:
       | How many sites are out there with a "Sign In with Google" form
       | that solely exists to harvest peoples' Google credentials?
        
         | HaZeust wrote:
         | That's not how OAuth works, which is what "Sign In with Google"
         | utilizes. In order to Sign In with Google through a third-party
         | software, Google and the third-party software must both agree
         | to the arrangement.
         | 
         | In the event they do, the third-party software adds a Google
         | Sign In flow to their software, whereas their users can press a
         | call-to-action for signing in with Google, which would trigger
         | an opening of a separate Google-owned domain in a new min-
         | browser window that the third-party software cannot access (and
         | therefore not harvest information from). This min-window then
         | sends the user back to the third-party software domain upon
         | completion with an authentication token - which could be in the
         | form of a URL query string, an HTTP method, a cookie, or even
         | collection of arbitrary browser information for fingerprinting.
         | The third-party site then sends that authentication token back
         | to Google via their API, and Google sends back ONLY what that
         | authentication token is permitted to grant access to - which
         | would not be Google credentials.
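
The redirect flow described above, seen from the third-party site, as an added example that is not part of the original comment: the site only ever handles a short-lived code bound to its own session, never the user's provider password. The provider endpoint, client ID and redirect URI are placeholders, and the PKCE challenge (RFC 7636) is an addition beyond what the comment describes.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://idp.example/authorize"        # placeholder provider
CLIENT_ID = "EXAMPLE_CLIENT_ID"                        # placeholder
REDIRECT_URI = "https://app.example/oauth/callback"    # constructed


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_login(session: dict) -> str:
    """Build the URL the browser is sent to on the provider's own domain."""
    session["oauth_state"] = secrets.token_urlsafe(32)     # CSRF binding
    session["pkce_verifier"] = secrets.token_urlsafe(64)   # stays server-side
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": session["oauth_state"],
        "code_challenge": pkce_challenge(session["pkce_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the redirect back from the provider and return the form body
    the server would POST to the provider's token endpoint."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)            # single use
    received = query.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: response not tied to this session")
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("pkce_verifier"),
    }


if __name__ == "__main__":
    session = {}
    print(start_login(session))
    # Constructed callback, as the provider would redirect the browser.
    cb = REDIRECT_URI + "?" + urlencode(
        {"code": "SAMPLE_CODE", "state": session["oauth_state"]})
    print(handle_callback(session, cb))
```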
        
       ___________________________________________________________________
       (page generated 2022-12-10 23:00 UTC)