Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://hachyderm.io/users/dalias/statuses/114094697930682536">Rich Felker (dalias@hachyderm.io)'s status on Monday, 03-Mar-2025 05:22:10 JST</a><a href="https://hachyderm.io/@dalias" title="dalias@hachyderm.io"><img src="https://gnusocial.jp/avatar/40873-48-20221207231635.webp" width="48" height="48" alt="Rich Felker" style="position: absolute; left: 0; top: 0;">Rich Felker</a><div><a href="https://infosec.exchange/@alwayscurious/114094677415445822" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/102210" title="swordgeek@mstdn.ca">Colin B.</a></li><li><a href="https://gnusocial.jp/user/167753" title="alwayscurious@infosec.exchange">Demi Marie Obenour</a></li><li><a href="https://gnusocial.jp/user/315648" title="theearthisapringle@mastodon.social">theearthisapringle</a></li></ul></div></section><article><p><a href="https://infosec.exchange/@alwayscurious">@alwayscurious</a> <a href="https://queer.hacktivis.me/users/lanodan">@lanodan</a> <a href="https://mastodon.social/@theearthisapringle">@theearthisapringle</a> <a href="https://mstdn.ca/@swordgeek">@swordgeek</a> The vast majority of SSO systems I've encountered have bugs making it hard or impossible to login with a privacy conscious configuration. I'm not talking JS disabled, just things like 1p isolate, strong cross site tracker blocking, etc.</p><p>From a UX and privacy ecosystem standpoint, they're far worse than classic per site authentication.</p><p>I understand they sometimes reduce risk of breaches. I see that as lower priority to meeting *user* needs.</p><p>And in a gov post-DOGE context, they also leak information between gov entities (centralised records of who logs in to what) in ways that may be harmful to people's safety.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4661695#notice-9126321">In conversation</a><time datetime="2025-03-03T05:22:10+09:00" title="Monday, 03-Mar-2025 05:22:10 JST">about a month ago</time> <span>from <span><a href="https://hachyderm.io/@dalias/114094697930682536" rel="external" title="Sent from hachyderm.io via ActivityPub">hachyderm.io</a></span></span><a href="https://hachyderm.io/@dalias/114094697930682536">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Monday, 03-Mar-2025 05:22:10 JSTRich Felker
in reply to
@alwayscurious @lanodan @theearthisapringle @swordgeek The vast majority of SSO systems I've encountered have bugs making it hard or impossible to login with a privacy conscious configuration. I'm not talking JS disabled, just things like 1p isolate, strong cross site tracker blocking, etc.
From a UX and privacy ecosystem standpoint, they're far worse than classic per site authentication.
I understand they sometimes reduce risk of breaches. I see that as lower priority to meeting *user* needs.
And in a gov post-DOGE context, they also leak information between gov entities (centralised records of who logs in to what) in ways that may be harmful to people's safety.
In conversationabout a month ago from hachyderm.iopermalink

Public

Embed Notice

HTML Code

Corresponding Notice