
Thread: SSO login general chat thread

  1. #1
    Join Date
    Jun 2006
    Location
    UK
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    SSO login general chat thread

    I've moved all the chat and other stuff from the SSO login sticky to here. This thread is for general discussion about SSO login. Please confine any posts to the sticky to suggestions for amendments/additions to the first post there.

    If you have inadvertently created a duplicate account, or need an admin to deal with a problem with your account related to SSO login, please post in the Resolution Centre, giving the username of your old account.
    Last edited by coffeecat; August 3rd, 2013 at 11:53 AM.
    Ubuntu 16.04 Desktop Guide - Ubuntu 14.04 Desktop Guide - Forum Guide to BBCode - IRC #ubuntuforums

    Member: Not Canonical Team

    Please do not PM me about your forum account unless you have been asked to. The correct place to contact an admin about your account is here.

  2. #2
    Join Date
    Jul 2013
    Beans
    0

    Re: Login now by means of Ubuntu One SSO only

    Okay, I'm not trying to be too critical here, but this seems like a step in the wrong direction security-wise. Your forum software got hacked. It happens, and as someone that runs a forum as well, I've had it happen to me before, though on a much smaller scale. The immediate reaction is to try to increase security through any means necessary, and that's the right step; however, tying together our forum logins with our Ubuntu One accounts seems like it has the potential to link together potentially insecure forum software with an account that for many people contains a lot more sensitive information than they would ever have with just a standard forums account.

    Ubuntu One, unless I'm mistaken, potentially has credit card info, private cloud storage files, and a record of purchases that people have made as well. I've personally not used it for any of these things, but I'm sure there are quite a few people who have. If I did have that kind of info stored in there, I'd be gravely concerned about it being linked with a forum that was just compromised, no matter what level of new security was just added to it. That's just me though...

  3. #3
    Join Date
    Sep 2010
    Location
    Beta Testing in Canada
    Beans
    8,146
    Distro
    Ubuntu Development Release

    Re: Login now by means of Ubuntu One SSO only

    Quote Originally Posted by BLFLpb3 View Post
    Okay, I'm not trying to be too critical here, but this seems like a step in the wrong direction security-wise. Your forum software got hacked. It happens, and as someone that runs a forum as well, I've had it happen to me before, though on a much smaller scale. The immediate reaction is to try to increase security through any means necessary, and that's the right step; however, tying together our forum logins with our Ubuntu One accounts seems like it has the potential to link together potentially insecure forum software with an account that for many people contains a lot more sensitive information than they would ever have with just a standard forums account.

    Ubuntu One, unless I'm mistaken, potentially has credit card info, private cloud storage files, and a record of purchases that people have made as well. I've personally not used it for any of these things, but I'm sure there are quite a few people who have. If I did have that kind of info stored in there, I'd be gravely concerned about it being linked with a forum that was just compromised, no matter what level of new security was just added to it. That's just me though...

    That's an excellent theory, especially if there is a man-in-the-middle and, of course, presuming it was an inside job. There are things that IS knows, believes and does not know. Whether or not the hacker or hacker group is lying in wait remains to be seen. However, on a lighter note, the effort that went into vetting the database and subsequent copy was done by personnel who were offsite from actual forum admins and moderators. Therefore we have to once again trust the meritocracy philology that current Ubuntu forum council members are synchronized and on the same page. It was a wise move to incorporate a secondary tier of security which is SSO. So if there is a hand-off somewhere within the works it will be easily detected.
    This is Rolling Release
    Warnings for New Beta Testers & Helpful Terminal Commands:
    Running 16.04 on Mobo: MSI model: B85-G41 PC Mate(MS-7850) v: 1.0

  4. #4
    Join Date
    Apr 2012
    Beans
    135
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Login now by means of Ubuntu One SSO only

    Quote Originally Posted by BLFLpb3 View Post
    however, tying together our forum logins with our Ubuntu One accounts seems like it has the potential to link together potentially insecure forum software with an account that for many people contains a lot more sensitive information than they would ever have with just a standard forums account.
    Yes, that was my thought.

    "Single sign-on" is convenient for users but it violates the very solid security advice not to use security credentials in multiple contexts.

    (Yes, keeping track of literally hundreds of usernames and passwords is a hassle but it does act to limit the damage if one place is compromised. It is my choice to accept that hassle and get higher security.)

    The idea of removing all authentication responsibility from the server on which the forum is hosted is good. That in no way implies that you have to reuse security credentials from another context.

    Let's assume though that the new arrangements are permanent ... how would a user go about fixing this?

    I assume that they would need to create a second Ubuntu One account to replace their existing Ubuntu One account and then move everything over to the second account, keeping the first account only for Ubuntu Forums. Or alternatively, use the second account only for Ubuntu Forums i.e. ditch their Ubuntu Forums profile and become a newb again. LOL.

  5. #5
    Join Date
    Aug 2008
    Beans
    111
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Login now by means of Ubuntu One SSO only

    Will we still be able to do SSO login when UbuntuOne is finally gone?

  6. #6

    Re: Login now by means of Ubuntu One SSO only

    Quote Originally Posted by cecilieaux View Post
    Will we still be able to do SSO login when UbuntuOne is finally gone?
    Yes.

    The shutdown will not affect the Ubuntu One single sign on service, the Ubuntu One payment service, or the backend U1DB database service.
    From - http://blog.canonical.com/2014/04/02...file-services/
    Last edited by s.fox; June 30th, 2014 at 11:31 AM.

  7. #7
    Join Date
    Jul 2013
    Beans
    0

    Re: Login now by means of Ubuntu One SSO only

    Hmm. Just one extra note here: 'BLFLpb3' is very definitely not a nickname I chose anywhere for my account. I'm not sure if that's some kind of randomly generated name that it gave me to protect my identity, or if it's a bug with your login system. In either case, I apparently can't edit it at all because my account is too new.

    The migration process you have set up for people seems very unintuitive here. Hopefully this doesn't come across as me having too much of an ego here, but I'm pretty certain that if I'm struggling to wade through all this, there's quite a number of other users who are too.

  8. #8
    Join Date
    May 2012
    Beans
    277

    Re: Login now by means of Ubuntu One SSO only

    Actually the move to Ubuntu SSO is actually a good move; unlike vBulletin, the culprit of the issues that made the forums go down, Ubuntu One and its SSO services are their own thing, separate from most other components.
    Sure, it's extra steps now, but it's not that big of a deal.

  9. #9
    Join Date
    Apr 2008
    Location
    LOCATION=/dev/random
    Beans
    5,767
    Distro
    Ubuntu Development Release

    Re: Login now by means of Ubuntu One SSO only

    Quote Originally Posted by MadmanRB View Post
    Actually the move to Ubuntu SSO is actually a good move; unlike vBulletin, the culprit of the issues that made the forums go down, Ubuntu One and its SSO services are their own thing, separate from most other components.
    Sure, it's extra steps now, but it's not that big of a deal.
    +1

    By switching to using SSO with Ubuntu One the potential for damage is decreased.

    If the forums are ever hacked again then there is now no password information stored on the forums server at all, not even in hashed form.
    Cheesemill

  10. #10
    Join Date
    Nov 2009
    Location
    Dominican Republic
    Beans
    24
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Login now by means of Ubuntu One SSO only

    Quote Originally Posted by MadmanRB View Post
    Actually the move to Ubuntu SSO is actually a good move; unlike vBulletin, the culprit of the issues that made the forums go down, Ubuntu One and its SSO services are their own thing, separate from most other components.
    Sure, it's extra steps now, but it's not that big of a deal.
    Very good move. SSO is more secure. And the accounts will be linked.
