Friday, April 11, 2008

An argument for the extra dependency of a library

Lately there has been some blogging activity around C# implementations of OpenID that are "so small you can just host the source code as a single class your web site."  This is argued to be a virtue because it keeps your web site from having to add another dependency to it.  I'm glad OpenID is gaining greater traction.  But I disagree with avoiding libraries.  Let me count the ways...

  1. A well-tested library is less likely to have security holes, and security holes tend to be patched and delivered regularly.
  2. A library contributed to over time and by many will likely have more features.
  3. Security fixes can often be applied by dropping in a new version of the library.
  4. If you implement your own version and a security hole exists, you'll never know what security holes you've got until your customer says he's suffered identity theft.
  5. If you ship your web site to others, even if you find and fix security holes in your version they won't get the updates very easily. 
  6. What is the cost of another DLL in your Bin directory?  Let's see... $0.  I don't understand why people hesitate at this step.  Even if you really can't stand the extra DLL, then copying the source code from the open-source library into your web site is always a possibility.  It's not advisable though, since once again integrating security fixes from the library will be more difficult for you, and if you ship the web site off to someone else, they can't just drop in the next version of the library you copied from to get security patches.

OpenID in particular is a difficult protocol to implement only part of and still have it be secure.  Much of what makes it secure is scattered throughout the spec and sections of it cannot be removed without risking also removing a security feature.

In the effort of encouraging a small C# implementation of OpenID, what we have is several web sites, including starter kits, that are adopting a dangerous implementation of OpenID that can be easily hacked so that someone can log in as anyone else without authority.  It's a serious proposition to take on implementing an authentication protocol, one that must not be taken lightly.

OpenID is a marvelous protocol and has a lot of promise to reduce the number of logins people have to remember.  But it's very unnerving to see web sites publishing or using these implementations.  What web sites can I trust to log in with my OpenID?  If I log into an insecure site, then someone else can log in as me later and steal my identity and who knows what else that's controlled by that web site.

Please, in the interest of protecting and furthering OpenID adoption and trust in the community, either use a library written by those who understand the OpenID spec thoroughly, or learn it thoroughly yourself before writing your own.
