Google’s unified log-in (Gmail/GoogleGroups2)
19 Jul 2004
I just upgraded from Mozilla Firefox 0.8 to 0.9.2, for no other reason than because it was available. A sudden side effect was that I could not log in to Gmail anymore: I got an error 502. It still worked in IE, but Firefox is the browser I use for Gmail. I do unnecessary upgrading and I have multiple browsers, so obviously I am not stopped by such a trivial error message.
So I started to read the HTML code of the Gmail login page. It uses an IFRAME for the username/password form and lots of JavaScript, mainly for checking the browser brand/version. An IFRAME? The purpose seems to be to have the same login form within any xyz.google.com site: the Google Service Login Box. It always POSTs the form to itself and, upon successful login, redirects the user to the right URL. It is currently used for Gmail, the new GoogleGroups2, and the Google Web API account, but not for AdSense.
Central authentication services (‘single sign-on’) are both a good and a bad idea: they create a single point of failure, but hopefully invite the developers to design their security very thoroughly. Microsoft has Passport. Yahoo has Yahoo Login. The latter uses, for example, the MD5 hashing algorithm in JavaScript to protect its forms.
But Passport is not perfect. And Yahoo has had vulnerabilities. As Bruce Schneier puts it: “Anyone can come up with a security system so clever that he can’t see its flaws.”