09:31 am, 10 Feb 06

google tokens

I don't intend to correct all the Google misinformation I see out there, but it especially irks me when people's flawed arguments are just as apparent to "outsiders" as they are to me. (Like the result count estimation: y'all were right. Not sure why that's not obvious to anyone else.)

Now I read people flipping out about "Google tokens" and how it's gonna become an SSO system. And I don't know the truth either way, but let's again let y'all look at the facts and make a decision.

Here's a quick presentation of what I've read online (again, I don't know anything about this stuff): The thought is it'd be nice to use your gmail/talk credentials to log into other sites. But you don't want to give your gmail password to random pages. So somebody looked at some packet captures and saw that Talk logs in by sending your username/password over an SSL connection to a login server, gets a token in response, and then uses that token as your credentials with the Talk server. Therefore, they realized, third parties could let you prove your identity by using your token (and checking it against Talk to verify) without requiring your password!
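To make the question concrete, here is a toy model of that flow (an added example, not Google's protocol and not code from the original post; the user "alice", her password, the "talk" audience and the site name "thirdparty.example" are all constructed). It shows why a token that Talk accepts as a credential is, in the third party's hands, as good as the password for everything Talk does, and how binding the token to the party it was minted for changes that.

```python
import hashlib, hmac, secrets

USERS = {"alice": "correct-horse"}  # constructed sample credential, not a real account

class LoginServer:
    """Checks the password (assumed to arrive over SSL) and mints a MACed token."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # known only to the issuer and its verifiers
    def login(self, user, password, audience):
        if USERS.get(user) != password:
            return None
        body = f"{user}:{audience}:{secrets.token_hex(8)}"
        return body + ":" + hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
    def check(self, token, expected_audience):
        """Return the user if the token is genuine and was minted for expected_audience."""
        try:
            user, audience, nonce, tag = token.split(":")
        except ValueError:
            return None
        good = hmac.new(self._key, f"{user}:{audience}:{nonce}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, tag) or audience != expected_audience:
            return None
        return user

class TalkServer:
    """Takes a token in place of the password, as the packet capture suggested."""
    def __init__(self, login):
        self._login = login
    def verify(self, token):  # the check a third party would run against Talk
        return self._login.check(token, "talk")
    def send_message(self, token, text):  # an action only the real user should be able to take
        return self._login.check(token, "talk") is not None

def naive_flow():
    """User hands a third party the very token Talk accepts as a credential."""
    login = LoginServer()
    talk = TalkServer(login)
    token = login.login("alice", "correct-horse", "talk")
    proved = talk.verify(token) == "alice"    # identity proof works ...
    can_act = talk.send_message(token, "hi")  # ... and the site now holds a working Talk credential
    return proved, can_act

def scoped_flow():
    """Token minted for the third party alone: it proves identity but Talk refuses it."""
    login = LoginServer()
    talk = TalkServer(login)
    token = login.login("alice", "correct-horse", "thirdparty.example")
    proved = login.check(token, "thirdparty.example") == "alice"
    can_act = talk.send_message(token, "hi")  # False: wrong audience
    return proved, can_act
```

`naive_flow()` returns `(True, True)`: the proof works, but so does everything else the token unlocks. `scoped_flow()` returns `(True, False)`: the site can confirm who you are and nothing more.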

Dear readers: will this work? Would you trust such a system with your data?