Trusting Google Authentication


In an earlier entry, I said

With no fanfare at all, Google has created a universal login for anyone who wants to use it.
From Phil Windley's Technometria | Using Google's Universal Authentication Engine
Referenced Tue Mar 21 2006 08:22:50 GMT-0700 (MST)

Well, not quite. I had a couple of my students, Devlin Daley and Harsh Nagaonkar spend a little time playing with it. As presently constituted, the token you get back is long lived and replayable. It's better than giving a third party site your password, but not much. Anyone with your token can use it to log in as you. We still have a lot of questions about what the token is for.

Joga Google Login
Joga Google Login
(click to enlarge)

Today, however, I ran across Joga, a site that is apparently a joint effort by Nike and Google. I say apparently because there's no way to verify that claim.1 Notice that the page contains a login box from Google that knows who I am. This is done in an iframe from Google (I've wrapped and truncated this in places for formatting purposes):

<iframe style='WIDTH:276px; HEIGHT:164px' 
    marginwidth='0' align='center' marginheight='0' 
    scrolling='no' id='liframe' frameborder='0' 
    src='https://www.google.com/accounts/ServiceLoginBox?
          service=orkut&nui=0&skipvpage=true&
          continue=http%3A%2F%2Fwww.joga.com%2FRedirLogin.aspx...
          followup=http%3A%2F%2Fwww.joga.com%2FGLogin.aspx&
          hl=en-US'>
</iframe>

This uses the continue feature in the Google authentication engine. We've played with that it it appears to only work for pre-approved URLs.

This brings up an interesting trust issue. Having dissected this, I'd be willing to type in my password, because I know it will be sent to Google via HTTPS, but how does my Mom know that? There's no good trust mark that can be given that can't be reproduced. The fact that they have my login ID is an indication that Google read cookies from my browser (that other sites don't have access to), but my Google ID isn't exactly secret.

This is just one more data point in the trajectory of Google's march to being an Internet platform. Of course, Yahoo!, Excite, and others have had portal-wide authentication for years. I guess why this interests me is that Google seems to be approaching it in a more decentralized way. Applying their authentication to sites like Joga is just one more example.


1. Actually, you can go to https://www.joga.com and see that they are using a certificate for www.orkut.com issued to Google. This is, of course, even more confusing to the uninitiated since using HTTPS with Joga tells you the cert was issued to someone else and asks you if you want to continue.