Privacy

31250 readers

724 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago

MODERATORS

[email protected]

Identity provider privacy (lemmy.zip)

submitted 1 month ago by [email protected] to c/[email protected]

9 comments fedilink hide all child comments

Hi folks,

I'm seeing there are multiple services which externalise the task of "identity provider" (e.g. login with Facebook, google or what not).

In my case, I am curious about Tailscale, a VPN service which allows one to chose an identity provider/SSO between Google, Microsoft, Github, Apple and OIDC.

How can I find out what data is actually communicates to the identity provider? Their task should simply be to decide whether I am who I claim to be, nothing more. But I'm guessing there may be some subtleties.

In the case of Tailscale, would the identity provider know where I'm trying to connect? Or more?

Answers and insights much appreciated! The topic does not seem to have much information online.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 22 points 1 month ago (2 children)

The simple answer to SSO is: Just don't.

It has it's place in companies, but there is no good reason for private use, except maybe a little convenience.

On the other hand, you open yourself up of to your data being collected left and right and increase the chance it gets compromised by it being shared.

[–] [email protected] 5 points 1 month ago (1 children)

SSO can be fine, it all depends on how it is implemented. If you run your own OIDS or manage your own FIDO2 keys manually, SSO works great; it means that every time you access an online account, a different challenge/response is sent, but you only have to manage a single account on your end. This means less data to be stolen, and if implemented correctly, a sso-backed login attempt in a new context will require further action, preventing someone from just stealing your cookies/certificates and having full access to all your accounts.

The problem is that so much SSO junk is intentionally mis-implemented to include third parties in the process where there’s no need for them to be. Avoid those where appropriate.

[–] [email protected] 1 points 1 month ago

Ok, fair enough, but at that point you're basically deploying your own password manager which most people would consider a little over the top :D

[–] [email protected] 1 points 1 month ago

The only acceptable use I have seen for myself are trading sites you log in through Steam - since their sole purpose is interacting with your Steam inventory.