“Import email addresses” Considered Harmful

I’ve posted about this before, regarding Twitter’s signup process, although Facebook’s signup process is probably the most well-known example. Now, I see it on SlideShare. For future reference, when you see this:

 

[Image: SlideShare Fail]

Please do this:

[Image: SlideShare 2]

I’m sure most of my readers can imagine what a bad idea it is to hand their email password over to a third party. What’s more dangerous is that this functionality might become more common. If every social-networking-site-of-the-week integrates something similar into their signup process (and it is attractive for them), then it will become more natural for users to expect it, making them less likely to question it. Overall, it makes phishing a lot easier, as now you have a wider choice of sites you can mimic, or you can just make up something completely new.

Also, at least in this specific case, the credentials you’re handing over are not going over SSL. Who knows what precautions are being taken on the other side of this web application, where it’s actually signing into your email and harvesting the information? You might be carefully using GMail only over SSL for your sessions with it, but there’s no guarantee that SlideShare/Twitter/Facebook will be doing the same. There’s also no real assurance that your credentials haven’t been cached or stored in some way.
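As an added example (not part of the original post, and not any site's own code), this Python check parses a saved signup page and reports password forms whose credentials would travel over plaintext HTTP. The host `importer.example`, the sample HTML and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class PasswordFormAuditor(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._open = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL itself.
            self._open = {"target": urljoin(self.page_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(), "password": False}
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "password":
            self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open:
            if self._open["password"]:
                self.forms.append(self._open)
            self._open = None

def audit(page_url, html):
    """Return [(submit_target, [reasons])] for password forms exposed to plaintext HTTP."""
    parser = PasswordFormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        reasons = []
        if urlparse(page_url).scheme != "https":
            reasons.append("page served over plaintext HTTP")
        if urlparse(form["target"]).scheme != "https":
            reasons.append("credentials submitted over plaintext HTTP")
        if form["method"] == "get":
            reasons.append("password placed in the URL query string")
        if reasons:
            findings.append((form["target"], reasons))
    return findings

# Constructed sample page; importer.example is a placeholder host.
SAMPLE_URL = "http://importer.example/signup"
SAMPLE_HTML = """<form action="/search"><input type="text" name="q"></form>
<form action="/contacts/import" method="post">
  <input type="text" name="email"><input type="password" name="email_password">
</form>"""

if __name__ == "__main__":
    for target, reasons in audit(SAMPLE_URL, SAMPLE_HTML):
        print(target, "->", "; ".join(reasons))
```

A clean result only covers the browser-to-site hop; it says nothing about how the site then connects to the mail provider or whether it stores the password.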

You may make yourself out to be a bad Internet citizen if you utilize these features, as well. I know of at least one case where a user signed up, the site automatically picked up all of his contacts, and immediately spammed out a referral email to every one of them, including mailing lists. Your friends and other contacts might not like this very much.

I think it’s a bad idea, and I hope that it doesn’t become a more widespread trend than it already is.

There are 2 Comments to "“Import email addresses” Considered Harmful"

  • soup says:

    I had an experience with Plaxo along these lines.

    My email to them:
    =-=-=-=-=-=-=-=-=-=-=-=-=-=
    Subject: lack of SSL

    I noticed that the pages you have to import contact information from other sources (specifically for me LinkedIn and GMail) are not encrypted.
    I am not comfortable putting in my password information on a page that isn’t secured by at least 128-bit SSL.
    =-=-=-=-=-=-=-=-=-=-=-=-=-=

    Their reply:
    =-=-=-=-=-=-=-=-=-=-=-=-=-=
    Good catch. However, anywhere you place your PW or any type of authentication to Plaxo plus any other sync point are in SSL. When transferring data such as data syncs between LinkedIn or GMail, those are not in SSL. Why? Because they don’t support it. In fact, all sites like Yahoo and Hotmail practice the same method – it’s only when you’re signing in or when changing password (actually, anytime credentials are requested) is when the SSL pages are used. And because we have to work with their sites, we must abide by their protocol.
    =-=-=-=-=-=-=-=-=-=-=-=-=-=

    What? I use Greasemonkey to force SSL for every single page I view in GMail. I know it’s possible.

  • admin says:

    Thanks for the comment, soup! I also SSL everything in GMail, so I don’t see why they wouldn’t be able to do the same.

    I guess the only way I could see these “import” features really working well would be to compartmentalize: In GMail for example, have a way to allow access only to (approved) contacts, and only with a password or passphrase that’s separate from your main login.

    That way you at least have some control over what these sites see/do/reveal once they’re logged into your GMail/etc. account.
