2011-07-27

Single sign-on across the web? No thanks.

Since the mid-1990s, large corporations (primarily) have been pushing single-sign-on-everywhere as the solution to all the ills of the world. "No need to remember multiple passwords, just use our authentication system!" Microsoft did it with Passport / Live ID, AOL did it, Facebook is trying to do it, Twitter and LinkedIn let you do it, and Google does it across all their services.

That's a bad idea for a number of reasons. Some of us have different credentials on different services on purpose. When I use services for my current employer, I like to use my work email address; it keeps my accounts clean when I change jobs. When I blog here, I use a non-workplace-specific work email address. When I log on to less serious sites, like YouTube, I use different credentials still. Single sign-on makes this more difficult--the easiest way around it is to dedicate a separate browser for each purpose, and that's not really a good solution. There is some overlap between work-work, work-general, and non-work--I like to have all my bookmarks in one place, for example, and so I have to set up bookmark sync between all my browsers. Sure, it's a good idea to do that anyway so I can have the same bookmarks on all my computers, but it's an extra step I'm forced to take because of single credentials.

I know Google now supports multiple sign-on, but you can't be logged into one service and be entirely logged out of another without logging out of all of them. In many cases I just don't want to be signed in to their services at all--I value my privacy, and I don't want everything I do on all Google sites to be linked to my identity by default. That should be my choice.

The purported convenience of single sign-on is primarily a way for large corporations to gather enormous amounts of very specific tracking information about users, and to collect sign-ups so as to drum up their numbers for shareholders. Microsoft's Passport had over 200 million users as of 2002--but creating a Passport account was an apparently required step for using Windows, so the actual number of active Passport users is likely a lot smaller than that.

I've worked in internet advertising and tracking for a long time and I know what it can do. I don't have a moral problem with it--tracking makes advertising more efficient and allows sites to tailor their experience to each one of their users. But it's getting harder and harder to avoid, and that's what bothers me.

2011-07-12

Don't overload 404 please


Today I clicked on a Google Plus link in my email, which opened a tab in Firefox. I'm logged into Google Plus in Chrome, not Firefox. What did the link do?

404.

It didn't tell me "You need to be logged in to see this page" and prompt me to log in. It didn't return 401 or 403. It just said "the server can't find this resource."

That's arguably wrong. The page does exist--I opened it in Chrome without a problem. So unless you're well versed in HTTP status code arcana, a 404 in this case violates the rule of least surprise and feels like a bug.

The existence of a resource at a URI does not depend on the authentication state of the user agent accessing that URI. If a resource exists, but you're not allowed to view it, 404 is arguably not the right way to signify that--use 401, or 302 to a login page.

Sure, you could argue a 401 or 403 tells you too much--it may reveal that the page does exist, which you may want to hide from unauthenticated users, and 404 is appropriate for "[...] when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable."

In this case, 401 is arguably applicable, so 404 isn't right.

GitHub does the same thing. I hope this doesn't become a trend.
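The status-code choice argued for above, as an added sketch that is not code from this post or from any of the sites mentioned. The resource table, the user names, the /login path and the decide() helper are all made up for illustration. It answers anonymous requests before looking the path up, so a logged-out client gets a login prompt without learning whether the page exists.

```python
from http import HTTPStatus
from urllib.parse import quote

# Constructed sample data: path -> users allowed to read it.
RESOURCES = {
    "/posts/1": {"alice", "bob"},
    "/posts/2": {"alice"},
}
LOGIN_PATH = "/login"  # hypothetical login endpoint


def decide(path, user=None, browser=True, hide_existence=False):
    """Return (status, headers) for a GET of path; user=None means anonymous."""
    if user is None:
        # Decide on authentication state *before* the lookup: existing and
        # missing paths get the same answer, so nothing leaks about which
        # URIs exist, and the user is told to log in instead of seeing 404.
        if browser:
            # The login handler must accept only local paths in "next".
            target = f"{LOGIN_PATH}?next={quote(path, safe='')}"
            return HTTPStatus.FOUND, {"Location": target}
        # Non-browser clients: 401 must carry a WWW-Authenticate challenge.
        return HTTPStatus.UNAUTHORIZED, {"WWW-Authenticate": 'Bearer realm="example"'}

    readers = RESOURCES.get(path)
    if readers is None:
        return HTTPStatus.NOT_FOUND, {}
    if user in readers:
        return HTTPStatus.OK, {}
    # Logged in but not allowed: 403 is the direct answer. 404 is reserved
    # for the opt-in case where existence itself has to stay hidden.
    status = HTTPStatus.NOT_FOUND if hide_existence else HTTPStatus.FORBIDDEN
    return status, {}


if __name__ == "__main__":
    cases = [
        ("/posts/1", None, True),
        ("/missing", None, True),
        ("/posts/1", None, False),
        ("/posts/2", "bob", True),
        ("/posts/1", "bob", True),
        ("/missing", "alice", True),
    ]
    for path, user, browser in cases:
        status, headers = decide(path, user, browser)
        print(f"{path:10} user={user!s:6} browser={browser!s:5} -> {int(status)} {headers}")
```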