Re: Google signin

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Greg Stark <stark(at)mit(dot)edu>, PostgreSQL WWW <pgsql-www(at)postgresql(dot)org>
Subject: Re: Google signin
Date: 2017-07-12 14:52:36
Message-ID: CABUevExE6_FginaMfpvvifM_9MbtXMfEcfmidKq1YmF1+cwY7w@mail.gmail.com
Lists: pgsql-www

On Wed, Jul 12, 2017 at 4:48 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Magnus Hagander <magnus(at)hagander(dot)net> writes:
> > On Wed, Jul 12, 2017 at 4:16 PM, Greg Stark <stark(at)mit(dot)edu> wrote:
> >> The big question though is whether to still require a community id at
> >> all. If we just let anyone log in via Google and create a placeholder
> >> account on demand if one doesn't exist then you shouldn't have to go
> >> through the "create an account" step at all. And you shouldn't have to
> >> remember a new userid at all.
>
> > The point of the create an account step would be if somebody has a pg
> > account under something(at)somewhere(dot)com and logs in using
> > mygoogle(at)somewhere(dot)com they should at least get a notification before we
> > create the new account. But we should make doing that trivial, as in a
> > pre-filled-out signup form with the info from google/whatever and just a
> > "click here to confirm" box.
>
> I'm wondering about the security implications of this --- would it mean
> that anybody with a google account could, eg, spam our wiki?
>

They already can.

What it basically means is that we trust the flag that Google says "this
email has been verified" vs verifying it ourselves. For gmail accounts it's
basically the same. For non-gmail, we are "outsourcing" the trust decision
to Google.

We'd have to put those accounts through exactly the same cooldown we
currently do for regular setups. Basically the current workflow is:
1. fill out your details, create new account
2. wait for email to arrive
3. click verification link in email
4. wait for cooldown period (5 days IIRC)
5. post spam to wiki

we'd eliminate steps 2 and 3 basically by saying "google has already
verified this".

With the last round of spam we learned that the *spammers* have already
automated steps 2 and 3 through throwaway google accounts. So having those
two steps in there isn't really stopping the spammers, but it is causing
unnecessary inconvenience to "real" users.

> I don't mind reducing barriers to entry when we can, but recent experience
> says that there has to be some barrier :-(
>

Definitely. But unless we want to whitelist email providers (and exclude
google), we already have that problem, and I don't think this is actually
making it any worse.

In fact it might make it marginally better because Google might detect
things on their oauth side if these people are doing things on a massive
scale. Though I doubt they (Google) actually track those things enough in
either case.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
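As an added illustration (not code from this thread or from the pgweb project) of the trust model described above: accept Google's `email_verified` claim in place of the email round-trip (steps 2 and 3), but refuse unverified addresses, ask for explicit confirmation when the address already belongs to a community account, and keep the 5-day posting cooldown (step 4). It assumes the ID token's signature and audience were already checked by an OIDC library; `Account`, `google_sub` and the function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

COOLDOWN = timedelta(days=5)            # "5 days IIRC" in the thread
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")

@dataclass
class Account:                          # hypothetical community account record
    userid: str
    email: str
    created: datetime
    email_verified: bool
    google_sub: Optional[str] = None    # hypothetical link to the Google identity

def handle_oidc_login(claims, accounts, now):
    """Returns (action, account): 'reject', 'login', 'confirm' or 'create'."""
    # Trust the address only if the (already signature-checked) ID token came
    # from Google and Google itself says the address is verified.
    if claims.get("iss") not in GOOGLE_ISSUERS or not claims.get("email_verified"):
        return "reject", None
    email, sub = claims["email"].lower(), claims["sub"]
    # Google identity already linked to an account: ordinary login.
    for acct in accounts.values():
        if acct.google_sub == sub:
            return "login", acct
    # Same email as an existing community account: do not silently create a
    # second one; show the pre-filled form and require an explicit confirmation.
    if email in accounts:
        return "confirm", accounts[email]
    # Unknown address: create a placeholder, skipping steps 2 and 3 of the
    # workflow, but still subject to the cooldown in step 4.
    acct = Account(email.split("@")[0], email, now, True, sub)
    accounts[email] = acct
    return "create", acct

def may_post(acct, now):
    """Step 4: the cooldown applies no matter who verified the email."""
    return acct.email_verified and now - acct.created >= COOLDOWN

def _token(sub, email, verified):       # constructed ID-token claims
    return {"iss": GOOGLE_ISSUERS[0], "sub": sub, "email": email, "email_verified": verified}

def demo():
    """Constructed scenario; returns the sequence of decisions."""
    now = datetime(2017, 7, 12, 14, 52)
    accounts = {"someone@somewhere.com":
                Account("someone", "someone@somewhere.com", now - timedelta(days=30), True)}
    r1 = handle_oidc_login(_token("1", "x@gmail.com", False), accounts, now)[0]
    r2 = handle_oidc_login(_token("2", "someone@somewhere.com", True), accounts, now)[0]
    r3, new = handle_oidc_login(_token("3", "new@gmail.com", True), accounts, now)
    r4 = handle_oidc_login(_token("3", "new@gmail.com", True), accounts, now)[0]
    return (r1, r2, r3, r4, may_post(new, now), may_post(new, now + COOLDOWN))
```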
