Bag of Spoons
Just off the A1(M)

Fri, 29 Aug 2008

MicroID bad for your health?

Slashdot can be prone to scaremongering as much as the tabloids. This article is about someone who has found a way to extract email addresses from MicroID hashes on some sites. The idea of MicroID is that it allows you to associate a user account on a site with an email address without revealing that address. Then sites like ClaimID can verify that you own a given account, as I have done for several. The idea has been criticised, but I think it is useful in a limited way. It is vulnerable to people working out what the email address was if they know your name and can guess what domain it is on. Not too hard in my case as my email is hosted on my own site that I publish in my account profiles. I'm not too bothered about this account as my email address has been heavily spammed anyway for ages. I suspect it may have been harvested from a key server as those publish all email addresses without obfuscation. I would prefer to share my email address openly so that people can easily contact me, but it seems that is not advisable due to others abusing it. As they already do, should I be worried?
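A self-audit of the weakness described above, added here as an example and not taken from the original post: it recomputes a MicroID (SHA-1 over the concatenated SHA-1 hex digests of the `mailto:` URI and the page URI) for addresses derivable from a public name and domain, and reports whether your published value is reproduced. The profile URL, names and addresses are constructed sample values, and the list of local-part patterns is an assumption.

```python
import hashlib
from itertools import product


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def microid(identity_uri: str, page_uri: str) -> str:
    """MicroID digest: sha1(sha1(identity_uri) + sha1(page_uri)), hex-encoded."""
    return sha1_hex(sha1_hex(identity_uri) + sha1_hex(page_uri))


def candidate_addresses(first: str, last: str, domains):
    """Addresses derivable from a public name (assumed pattern list)."""
    f, l = first.lower(), last.lower()
    local_parts = [f, l, f + l, f"{f}.{l}", f[0] + l, f"{f}_{l}", f + l[0]]
    for local, domain in product(local_parts, domains):
        yield f"{local}@{domain}"


def audit(published: str, page_uri: str, first: str, last: str, domains):
    """Return the address that reproduces the published MicroID, else None."""
    # Accept either the bare digest or the "mailto+http:sha1:<digest>" form.
    digest = published.rsplit(":", 1)[-1].strip().lower()
    for addr in candidate_addresses(first, last, domains):
        if microid("mailto:" + addr, page_uri) == digest:
            return addr
    return None


# Constructed sample data: a profile page and two MicroIDs as a site would publish them.
PROFILE = "http://profiles.example.com/users/alex"
GUESSABLE = "mailto+http:sha1:" + microid("mailto:alex.sample@sample.example", PROFILE)
UNRELATED = "mailto+http:sha1:" + microid("mailto:x7q2-contact@sample.example", PROFILE)

if __name__ == "__main__":
    for label, value in (("name-derived", GUESSABLE), ("unrelated local part", UNRELATED)):
        hit = audit(value, PROFILE, "Alex", "Sample", ["sample.example"])
        print(f"{label}: {'recoverable as ' + hit if hit else 'not recovered by this list'}")
```

A `None` result only means the address is outside this pattern list; the hash carries no secret, so an address that is short or follows a common pattern remains guessable.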

It seems that others take this threat more seriously as last.fm and digg have stopped using MicroID. This is a shame. identi.ca have handled it better by giving you an option of whether to have a MicroID on your profile page. Perhaps someone can come up with a more secure protocol that does not reveal private information. This is a complex field in which I am not qualified to dabble. Security and encryption are very easy to get wrong.

Whilst looking into this I found that ClaimID was down. This could be a problem for me as I use them for OpenID on a few sites. I wouldn't use it for anything critical or financial, but it saves me having to come up with passwords for every site. As I let Firefox save my OpenID password I rarely have to enter it. This makes me slightly more secure if some site tries to redirect me to a clone of the log-in screen as that would not have my details.

I've had a GPG public key for years, but have not used it for much. Very few people I know will send me encrypted emails. I keep expecting spammers to start doing that as a way around spam filters. I'm not sure it is a big enough target for them. The only site that has used my public key to verify my identity is Biglumber, which deals with that topic anyway.

I'm generally interested in ways that we can publish personal information so that people can use it to contact us, but still protect our privacy. Is there an answer? Perhaps email is too broken to be of use. Closed systems like Facebook allow messages to be sent with options to block those you don't know, but are not open enough for general usage.

[21:09] | [/Internet]

