Online accountability and the threat of impersonation

Tim O’Reilly has distilled the lessons of the Kathy Sierra affair, and Tim Bray further distills them into a single dictum: “You’re accountable for what appears on your Web site.” He elaborates:

if a Web site is yours, you are ethically and perhaps legally responsible for what’s there, whoever wrote it. This is reality; deal with it.

Agreed. I’ve always believed that, which is why for over a decade I’ve advocated cryptographically strong ways to assert online identity. So long as we depend on authentication by name and password, we are frighteningly vulnerable to impersonators who could irreparably damage our online reputations.

Let’s not lose sight of the message that Doc Searls received from Alan Herrell, who says in part:

Just about every online account that I have has been compromised. Most importantly my digital identity and user/password for TypePad and WordPress.

The Kathy Sierra mess is horrific. I am not whoever used my identity and my picture!!

I’ve never read Alan Herrell’s now-discontinued blog, and know nothing about his involvement in this whole affair, but the fact is that we’re all vulnerable to the kind of impersonation that Alan Herrell describes.

There’s no perfect defense. But if I had to use cryptographically strong multi-factor authentication to log into my blog publishing system, and if I also had to digitally sign every one of my entries, I’d be far less vulnerable to malicious impersonation.
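What "digitally sign every one of my entries" would look like in practice, as an added example in Go that is not from the original post and not the code of any blog platform mentioned here: the author signs each entry with an Ed25519 key that lives on their own machine, never on the publishing system, and a reader (or feed aggregator) verifies the entry against a public key they obtained out of band. The names Entry, SignEntry, VerifyEntry and TrustStore are hypothetical, and the keys and posts are constructed for the demonstration. A stolen TypePad or WordPress password then lets an attacker post under your name, but not produce a post that verifies as yours; and, as the verifier's first check makes plain, none of this helps a reader who does not already hold your key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Entry is a hypothetical signed blog post: the fields the author vouches for
// plus a detached Ed25519 signature over them.
type Entry struct {
	Author    string
	Title     string
	Published string // e.g. "2007-04-02"
	Body      string
	Signature string // base64 of the 64-byte Ed25519 signature
}

// canonical returns the exact bytes that get signed. Each field is
// length-prefixed so that moving text between title and body, or between
// author and title, cannot yield the same byte string.
func canonical(e Entry) []byte {
	s := ""
	for _, f := range []string{e.Author, e.Title, e.Published, e.Body} {
		s += fmt.Sprintf("%d:%s", len(f), f)
	}
	return []byte(s)
}

// SignEntry fills in Signature with the author's private key. The key stays
// on the author's machine; the blog platform only ever sees the result, so a
// compromised platform login yields no signing capability.
func SignEntry(priv ed25519.PrivateKey, e Entry) Entry {
	e.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(e)))
	return e
}

// TrustStore maps author names to public keys a reader obtained out of band
// (a fingerprint exchanged in person, a key published long before the
// incident, ...). Without an entry here, nothing can be verified.
type TrustStore map[string]ed25519.PublicKey

// VerifyEntry is what a reader or aggregator runs. It fails closed: an
// unknown author, a missing or malformed signature, or any altered field
// is rejected.
func VerifyEntry(trust TrustStore, e Entry) error {
	pub, ok := trust[e.Author]
	if !ok {
		return errors.New("no trusted key for author " + e.Author)
	}
	sig, err := base64.StdEncoding.DecodeString(e.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("missing or malformed signature")
	}
	if !ed25519.Verify(pub, canonical(e), sig) {
		return errors.New("signature does not verify: entry altered or not written by the key holder")
	}
	return nil
}

func main() {
	// Constructed keys and posts for the demonstration; not real ones.
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	trust := TrustStore{"alan": authorPub}

	genuine := SignEntry(authorPriv, Entry{Author: "alan", Title: "Hello",
		Published: "2007-04-02", Body: "A post I actually wrote."})
	fmt.Println("genuine: ", VerifyEntry(trust, genuine))

	// Attacker holds the platform password but not the signing key.
	forged := SignEntry(attackerPriv, Entry{Author: "alan", Title: "Hello",
		Published: "2007-04-02", Body: "Something vile, posted under Alan's name."})
	fmt.Println("forged:  ", VerifyEntry(trust, forged))

	// Attacker edits a genuinely signed post in place.
	tampered := genuine
	tampered.Body += " (edited by someone else)"
	fmt.Println("tampered:", VerifyEntry(trust, tampered))
}
```

The design choice worth noting is the fail-closed verifier: a reader who has never obtained your key cannot distinguish a genuine post from a forgery, so the scheme rejects rather than guesses. Distributing that key, and protecting it better than the platform password it replaces, is the unsolved part.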

As we project more of our personal and professional identities into the Net, we create new demands for supporting infrastructure, and thus new opportunities for commercial services. To the extent that you are your website, you will need — and will pay for — a website that’s as secure, as reliable, and as persistent as you can afford to make it.

Update: I’ve just learned that the anonymous sploggers who run biginternetmall convinced someone that this anonymous ripoff of this item of mine was a legitimate posting. Yet another facet of the same issue.

10 Comments

  1. I’m probably as big a fan of cryptographically strong authentication as anyone — 14 years in and around the Lotus Notes world does that to you, I guess. But bear in mind that with all the hassles that it brings, cryptographic authentication is still only as strong as the two weakest links in the chain. The first weak link is the operator of the certificate authority, who may not always properly verify identity before issuing a certificate — or perhaps more to the point, may not be able to verify identity properly because the user community as a whole doesn’t really trust them enough to be willing to provide sufficient identifying information. And the second weak link is of course the users themselves, who may compromise their own digital credentials in the name of convenience — and those years in the Lotus world tell me that this happens far too often, no matter how much you try to educate your users about not sharing their id files and passwords.

  2. “cryptographic authentication is still only as strong as the two weakest links in the chain.”

    Agreed, and you’re right to note that people are the weaker of those two. To those of us who’ve watched all this evolve, it seems like it’s taken a long time, and it has, but we’re still in the early innings.

  3. But if I had to use cryptographically strong multi-factor authentication to log into my blog publishing system, and if I also had to digitally sign every one of my entries, I’d be far less vulnerable to malicious impersonation.

    But only if your key is known and trusted by the person trying to determine if what they’re reading is really by you.
