I just flew into Houston, TX on the red-eye from Seatac and I'm sitting in a Starbucks waiting for my flight to Austin, TX, so the writing may not be top of the pops, but I wanted to rant a little.
---
What brought this on?
I saw a super SCARY STORY about a lame coder who built a nasty application which:
Not only has this developer put his professional career at risk (who would hire this guy?), he has also put everyone else's credential pairs at risk - super super bad.
What do I have to say?
As an end-user, i.e. not a developer, you should NOT enter your Windows Live ID credential pair (i.e. Username: foo@live.com and Password: MyDogIsFido) into a web site which isn't http://login.live.com. Check the host name in the browser's address bar; a page that merely looks like the Live ID sign-in page is not the same thing.
No Microsoft web site will ask you for your Live ID credentials except login.live.com (and accounts.live.com when linking accounts). Any other web site which asks you for your credentials may not be evil.com, but it may be run by sloppy coders (like our friend above), or it could be hacked, putting your credentials at risk of being shared.
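As an added example (not code from the post or from Windows Live), here is the host check the advice above boils down to: the only thing that matters is that the host is exactly login.live.com or accounts.live.com. The trusted-host set comes from the post; insisting on https is my addition, and the sample URLs are constructed to show the usual ways a look-alike tries to pass (trusted name as a subdomain, as userinfo, as a path, as a homoglyph).

```python
from urllib.parse import urlsplit

# Hosts at which typing a Windows Live ID is legitimate, per the post above.
TRUSTED_LOGIN_HOSTS = {"login.live.com", "accounts.live.com"}


def is_trusted_login_url(url: str) -> bool:
    """Return True only when the host is exactly a trusted sign-in host, over https.

    Exact-host comparison is what defeats the usual tricks: a trusted name used as a
    subdomain (login.live.com.evil.com), as userinfo (login.live.com@evil.com), as a
    path (evil.com/login.live.com), or spelled with look-alike characters all fail.
    """
    try:
        parts = urlsplit(url)
    except ValueError:                    # e.g. a malformed IPv6 literal
        return False
    if parts.scheme != "https":           # assumption: sign-in only over TLS
        return False
    host = parts.hostname                 # userinfo and port stripped, lower-cased
    if not host:
        return False
    return host.rstrip(".") in TRUSTED_LOGIN_HOSTS


# Constructed sample URLs: the first two are fine, the rest must be refused.
SAMPLE_URLS = [
    "https://login.live.com/login.srf",
    "https://LOGIN.live.com:443/",
    "http://login.live.com/",
    "https://login.live.com.evil.com/login.srf",
    "https://login.live.com@evil.com/",
    "https://evil.com/login.live.com",
    "https://login.lіve.com/",   # Cyrillic 'і' standing in for the Latin 'i'
    "https://[::1",
]


def classify(urls=SAMPLE_URLS):
    """Map each URL to the verdict of is_trusted_login_url."""
    return {u: is_trusted_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, ok in classify().items():
        print("trusted " if ok else "REFUSE  ", url)
```

The check relies on urlsplit's hostname property rather than on string matching, because that property already drops the userinfo and port and lower-cases the name; a hand-rolled `"login.live.com" in url` test passes every one of the bad samples.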
If you are a developer wanting to try out new things (like seeing how some social networks have illegally implemented contact importing, or using hacky API wrappers for SkyDrive) which involve putting your credentials at risk, here are a few tips:
What about Rich Clients (i.e. desktop applications) - I can't use login.live.com?
Desktop applications are a little harder to control, and in the horror story above the offender was in fact a client application.
To enable client applications to call Windows Live ID protected services, we developed the Windows Live ID Client SDK, to protect users and to make it easy for developers to implement Windows Live ID authentication (and fetch a token for the various services).
When your application needs a user to authenticate, a specific UX is rendered, and that UX comes from the Windows Live ID Client SDK, not from your code. So the developer (good or bad) never sees the credential pair; the application only ever gets back a token for the service it asked for.
Because this UX doesn't have a title bar, sure, it can be spoofed (i.e. you could fake the user experience and actually ask the end-user for their credential pair). My thoughts are: if you already have an evil client app running, they basically own you... although UAC does prevent some of this.
If you aren't running on a supported platform for the Windows Live ID Client SDK, there is an endpoint you can call; post your question to the WLID support forum.
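To make the design point concrete, here is an added sketch of the pattern the Client SDK UX implements: the password is checked by a component the application does not control, and the application only ever holds a service-scoped, time-limited ticket. This is example code written for this page, not the Client SDK's API; the broker class, the HMAC ticket format, the key shared between broker and services, and the sample user are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class IdentityBroker:
    """Stands in for the SDK-rendered sign-in UX plus the ID service (constructed for this example).

    It is the only component that ever sees the password; what it hands back is a
    service-scoped, time-limited ticket signed with a key the application does not hold.
    """

    def __init__(self, ticket_key: bytes):
        self._ticket_key = ticket_key   # assumption: shared out of band with the services
        self._users = {}                # username -> (salt, PBKDF2 hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def authenticate(self, username, password, service, ttl=300, now=None):
        """Check the password here, and only here; return a ticket for `service` or None."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        now = int(time.time()) if now is None else now
        claims = json.dumps({"sub": username, "svc": service, "exp": now + ttl},
                            sort_keys=True).encode()
        sig = hmac.new(self._ticket_key, claims, hashlib.sha256).digest()
        return _b64(claims) + "." + _b64(sig)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def verify_ticket(ticket, service, ticket_key, now=None):
    """Run by the service the application calls; returns the username or None."""
    try:
        claims_b64, sig_b64 = ticket.split(".")
        claims = base64.urlsafe_b64decode(claims_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:          # wrong number of parts or bad base64 (binascii.Error)
        return None
    expected = hmac.new(ticket_key, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None             # forged or tampered
    body = json.loads(claims)
    now = int(time.time()) if now is None else now
    if body["svc"] != service:
        return None             # a Spaces ticket is useless against Photos
    if body["exp"] <= now:
        return None             # expired
    return body["sub"]


def demo():
    """Walk through the flows an ISV application would trigger. It never touches the password."""
    key = secrets.token_bytes(32)
    broker = IdentityBroker(key)
    broker.register("foo@live.com", "MyDogIsFido")   # constructed sample user
    t0 = 1_205_000_000                              # fixed clock so results are reproducible

    # The SDK UX collects the password; the app gets back only a ticket (or nothing).
    wrong = broker.authenticate("foo@live.com", "notmydog", "spaces", now=t0)
    ticket = broker.authenticate("foo@live.com", "MyDogIsFido", "spaces", now=t0)

    # Overwrite the tail of the signature to simulate tampering in transit.
    tail = "BBBB" if ticket.endswith("AAAA") else "AAAA"
    tampered = ticket[:-4] + tail

    return {
        "wrong_password": wrong,
        "spaces_accepts": verify_ticket(ticket, "spaces", key, now=t0 + 10),
        "photos_rejects": verify_ticket(ticket, "photos", key, now=t0 + 10),
        "expired": verify_ticket(ticket, "spaces", key, now=t0 + 301),
        "tampered": verify_ticket(tampered, "spaces", key, now=t0 + 10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two properties worth noticing are that a ticket minted for one service is rejected by another, so a sloppy or malicious app cannot turn a Spaces ticket into Photos access, and that the ticket dies on its own after its TTL, so a leaked ticket is far less damaging than a leaked password.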
Why don't the Microsoft-shipped applications use the Client SDK UX?
Some of our applications do use the Client SDK, but most don't. The reasoning is that, because each of those applications is clearly identifiable as a Windows Live suite program, we have customized the UX on a per-product basis. ISVs on Client SDK-compatible operating systems (Windows) should use the Client SDK.
Side note about customizable UX: if you have ever installed the Zune management program you will have noticed that they have gone too far with the customization. It doesn't actually say it is asking for your Windows Live ID, so as a consumer you aren't sure whether you should be using your Windows Live ID or some other ID. UX customization cuts both ways: a slick experience for users on one side, and on the other the user recognizing, out of familiarity, what they should do on this screen.
I know this was a bit of a rant but I'm still sitting in the Starbucks so give me a break.
UPDATE: TechCrunch weighed in on this
UPDATE: check out the OpenID
PingBack from http://msdnrss.thecoderblogs.com/2008/03/09/please-take-my-credentials-no-really-take-them-2/
I still see websites asking for passwords in clear text.
Some websites even authenticate users by redirecting to a page with the users credentials as parameters in the URL like auth.tec?username=me&password=whatever
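The auth.tec?username=me&password=whatever pattern in the comment above is worth hunting for in your own logs, because a credential in a query string ends up in the web server's access log, in proxy logs, and in the Referer header sent to whatever site the user visits next. The following is an added detection example, not code from the post or its commenters; the log lines are constructed in Apache/nginx "combined" format, and the parameter-name list is an assumption you would tune.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names that should never appear in a URL (and hence in a log line).
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "apikey", "api_key", "token"}

# "combined" format: client, identity, user, [time], "request", status, bytes, "referer", "agent".
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log. Line 1 is our own auth.tec leak; line 2 is a partner site's leak
# arriving in the Referer header; lines 3 and 4 are benign (a POST with the credentials in
# the body, and the word "password" as a value rather than a parameter name).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Mar/2008:10:01:17 -0800] "GET /auth.tec?username=me&password=whatever HTTP/1.1" 302 0 "-" "Mozilla/4.0"
10.0.0.9 - - [09/Mar/2008:10:01:19 -0800] "GET /profile HTTP/1.1" 200 5120 "http://partner.example/auth.tec?username=me&password=whatever" "Mozilla/4.0"
10.0.0.7 - - [09/Mar/2008:10:02:03 -0800] "POST /login HTTP/1.1" 200 311 "-" "Mozilla/4.0"
10.0.0.8 - - [09/Mar/2008:10:03:44 -0800] "GET /search?q=password+reset HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""


def credential_params(url: str) -> list:
    """Names of credential-looking query parameters in `url` (values are deliberately not returned)."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in CREDENTIAL_PARAMS]


def scan_log(text: str) -> list:
    """Flag log lines whose request target or Referer carries a credential in the query string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not combined format; a real job would count these
        for field in ("target", "referer"):
            url = m.group(field)
            if url == "-":
                continue
            names = credential_params(url)
            if names:
                findings.append({
                    "line": lineno,
                    "field": field,
                    "client": m.group("client"),
                    "host": urlsplit(url).hostname,   # None for our own relative targets
                    "path": urlsplit(url).path,
                    "params": names,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The scanner reports parameter names, never values, so its own output does not become a second copy of the leaked passwords; a Referer hit means some other site is leaking its users' credentials to you, which is worth telling them about.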
Hi Angus!
I'm currently struggling with bridging the worlds of Client ID Authentication and XmlRpc. I can authenticate users with the Client SDK through the Authenticate() method, and I can post to a space by giving the space name and the secret word, but I understand there is also a way of calling GetTicket() and using the resulting string as authentication when making the XmlRpc call. Am I right? If so, could you shed some light on how to actually pass the string to the XmlRpc call?
(Trying to use the Spaces API to publish a post through a custom Client)
Thank you.
Hi Angus (Again :) )
I Just remembered another little question.
As far as I know the Photos API (CTP) only works with delegated authentication? Does this mean that it cannot be used from stand alone desktop applications using Client ID?
The net is abuzz today about a scam application that is stealing people's G-mail account credentials. Or rather, the app is mis-using those account credentials when people hand them over to the application. Sound familiar? Yes, that's exactly the sort
Since moving to a team that handles the user accounts for everyone who uses any of Microsoft's web property, I've started to take a much more informed look at how I use my own account credentials and which web sites and applications I hand over those
Hi,
I need to implement Delegated Authentication to upload photos into Windows Live. But my client is a desktop application. Is there a sample available for reference? We've been trying for some time now... please don't tell me it's not possible!
Thanks
Anshuolee