I don’t blog about politics, although sometimes I blog about things that are intertwined with politics. The Palin email hack is one of those things that are fascinating on technical and social levels. Socially, as a libertarian with no party affiliation, I find it interesting to watch the outrage of the normally surveillance-happy right wing paired with the non-caring of the normally privacy-fanatical left.
Technically, a lot of good summaries have been written about how the hack shows the weakness of knowledge-based authentication. Mark Diodotti of Burton has a particularly well-written piece about it here. But there are several aspects of this that haven’t, so far as I am aware, been brought up.
First, this is usually described as a hack into Palin’s email account. That is true, but it understates the depth of the problem. What was actually compromised was Palin’s Yahoo account, which grants access to a number of Yahoo services, email being only one of them. Another is OpenID: Yahoo acts as an OpenID identity provider, so the attacker would have obtained access not only to Palin’s email but to every OpenID-enabled account at which Palin had signed in using Yahoo as the identity provider, because those relying parties trust Yahoo’s assertion rather than checking a password of their own. In fairness this is no different than a compromised IdP password in SAML or InfoCard (self-issued cards excepted), but it does point out the downside of federation.
Second, the vulnerability was not in the primary means of authentication (the password) but in the secondary means (the forgot-password flow, which relied on knowledge-based questions). The lesson here is that security is a chain that is only as strong as its weakest link. If the secondary means were made stronger you would still need to worry about the tertiary means, which in many systems is a call to a support number where you convince an agent that you are the right person. In many cases that is not a terribly difficult process if you have enough personal information about the target.
Third, security has to match expected use. That is really the story here. I have a Yahoo email account, but there is no reason to expect anyone to try to compromise it using the same methods, because there is no value in doing so. Security not through obscurity but through lack of motivation. Palin raised the value of hacking her Yahoo account by using it for official business (or at least appearing to). That’s not to say she wouldn’t have been a target, as many celebrities are, even if she had only an obviously personal email address, but she unwisely made herself a very inviting one.
So what are the lessons here?
In federation, every relying party is only as secure as the least secure alternate means of authentication at the identity provider.
As consumers we must be cautious about elevating the value of an identity provider beyond what it was designed for. This can happen because of social factors (as in Palin’s case) or by using it as a federated identity provider for a higher-value relying party.
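To make the two lessons concrete (the weakest-link point about the forgot-password path, and the federation point that every relying party inherits that weakness), here is a small model I have added to this post. It is not Yahoo’s code or the real OpenID protocol; the provider name, relying parties, user record, questions and answers are all constructed for illustration. The identity provider has a properly hashed password, a knowledge-based reset that any stranger with public facts can pass, and a hardened reset that instead requires possession of a token sent to a recovery address. The relying parties never see a password; they only verify the provider’s signed assertion, so whoever controls the provider account controls all of them.

```python
import hashlib
import hmac
import os
import secrets
import time

# Toy model: an identity provider (IdP) with a primary login (password) and a
# secondary one (password reset), plus relying parties (RPs) that accept the IdP's
# signed assertions. Names and data are constructed for illustration; this is not
# Yahoo's or OpenID's real protocol.

def hash_password(password, salt=None):
    """Salted PBKDF2: a strong primary check that a weak reset path simply bypasses."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    def __init__(self, name):
        self.name = name
        self.key = os.urandom(32)   # secret shared with RPs, used to sign assertions
        self.users = {}
        self.reset_tokens = {}      # token -> (user, expiry) for the hardened reset

    def register(self, user, password, kba, recovery_address):
        salt, digest = hash_password(password)
        self.users[user] = {"salt": salt, "digest": digest, "kba": kba, "recovery": recovery_address}

    def login(self, user, password):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(hash_password(password, u["salt"])[1], u["digest"]):
            return None
        payload = f"{self.name}|{user}|{int(time.time())}".encode()
        return payload, hmac.new(self.key, payload, "sha256").digest()   # the assertion

    def reset_with_kba(self, user, answers, new_password):
        """Weak secondary path: the 'secret' is facts a stranger can look up."""
        u = self.users.get(user)
        if u is None:
            return False
        for question, expected in u["kba"].items():
            if answers.get(question, "").strip().lower() != expected.lower():
                return False
        u["salt"], u["digest"] = hash_password(new_password)
        return True

    def request_reset(self, user):
        """Hardened path, step 1: mint a random, short-lived, single-use token and
        return where it must be delivered. The requester never sees the token."""
        u = self.users.get(user)
        if u is None:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (user, time.time() + 600)
        return u["recovery"], token

    def reset_with_token(self, token, new_password):
        """Hardened path, step 2: proof of possession of the recovery channel."""
        user, expiry = self.reset_tokens.pop(token, (None, 0))   # pop makes it single use
        if user is None or time.time() > expiry:
            return False
        self.users[user]["salt"], self.users[user]["digest"] = hash_password(new_password)
        return True


class RelyingParty:
    """A federated service: it never sees a password, only the IdP's assertion."""
    def __init__(self, name, idp):
        self.name, self.idp = name, idp

    def accept(self, assertion):
        if assertion is None:
            return None
        payload, sig = assertion
        if not hmac.compare_digest(hmac.new(self.idp.key, payload, "sha256").digest(), sig):
            return None
        issuer, user, _ = payload.decode().split("|")
        return user if issuer == self.idp.name else None


def run_scenario():
    idp = IdentityProvider("example-idp")
    rps = [RelyingParty(n, idp) for n in ("mail", "photos", "blog")]
    # Constructed victim: a strong random password, but KBA answers that are public facts.
    idp.register("victim", secrets.token_urlsafe(24),
                 kba={"birthday": "1970-01-01", "first_school": "Lincoln Elementary"},
                 recovery_address="victim@recovery.example")

    # The attacker answers the questions from public information and owns the IdP account...
    kba_ok = idp.reset_with_kba("victim", {"birthday": "1970-01-01", "first_school": "lincoln elementary"}, "attacker-pw")
    # ...and therefore every RP that trusts the IdP, without touching any RP directly.
    compromised = [rp.name for rp in rps if rp.accept(idp.login("victim", "attacker-pw")) == "victim"]

    # Hardened flow: the attacker can request a reset, but the token goes to the owner's address.
    _address, token = idp.request_reset("victim")
    attacker_ok = idp.reset_with_token(secrets.token_urlsafe(32), "attacker-pw2")   # a guess, not the token
    still_compromised = [rp.name for rp in rps if rp.accept(idp.login("victim", "attacker-pw2")) == "victim"]
    # The owner, who did receive the token, recovers normally.
    owner_ok = idp.reset_with_token(token, "owner-pw") and rps[0].accept(idp.login("victim", "owner-pw")) == "victim"

    return {"kba_reset_by_attacker": kba_ok, "rps_compromised": compromised,
            "token_reset_by_attacker": attacker_ok,
            "rps_compromised_after_hardening": still_compromised,
            "owner_recovered": owner_ok}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Run as a script it reports that the knowledge-based reset hands the attacker all three relying parties even though the password itself was never guessed, and that the token-based reset defeats the same attacker while still letting the owner recover. The point of the design is that the hardened path proves something the attacker cannot collect from public sources (control of the recovery channel), whereas the weak path only proves knowledge that may already be public; the real tertiary path, a support call, has to be judged by the same standard.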