Comment by endisneigh

4 years ago

> Can you be more specific? How is it easier to sniff out a user using multiple emails vs multiple keys?

If someone made 2109@gmail.com, 238@gmail.com, 2398@gmail.com you could contact Google, send them the information and potentially block all of them collectively and/or find the person responsible. This would be important if your application has to do with financial activity. How would you do this if someone kept making random private keys?

> I'd argue for logins specifically it's less of an issue in the MetaMask world, as you do not need to expose your private keys for that. You need to expose your password to log into Google.

I'm not understanding you. If you're someone who won't use Google, or a centralized service, then you are capable of hosting your own web server. If you're capable of that, an email address + password is superior to blockchain and gives you more control.

If you're not capable of that and are using centralized services for things like email then you lose no more control using their OAuth server.

You and the author have yet to address failure modes, or the superiority of this compared to email and password.

> If someone made 2109@gmail.com, 238@gmail.com, 2398@gmail.com you could contact Google, send them the information and potentially block all of them collectively and/or find the person responsible.

Citation needed, I very much doubt Google would comply without a search warrant. For financial activity, it depends whether the application requires authentication, or simply funds. For authentication see things like DECO, where you could prove some personal information about yourself without actually revealing that information (SSN for example). Obviously that is piggybacking off of a legacy system; it's up to the application to say what data they need.

> I'm not understanding you. If you're someone who won't use Google, or a centralized service, then you are capable of hosting your own web server. If you're capable of that, an email address + password is superior to blockchain and gives you more control.

You are completely wrong that everyone currently using MetaMask is capable of hosting their own web server. Securely hosting a web server is orders of magnitude harder than securely using MetaMask.

I think I did address both failure modes and the benefits. I agree with you that it's not ready to replace email and password, but I don't think the issues are insurmountable either.

  • > Citation needed, I very much doubt Google would comply without a search warrant. For financial activity, it depends whether the application requires authentication, or simply funds. For authentication see things like DECO, where you could prove some personal information about yourself without actually revealing that information (SSN for example). Obviously that is piggybacking off of a legacy system; it's up to the application to say what data they need.

    There's plenty of evidence out there for this (https://www.jamesmadison.org/the-governments-secret-google-s...). Furthermore Google has a contact to officially subpoena them if you want (https://support.google.com/faqs/answer/6151275?hl=en). For mild things you could just report abuse and escalate - https://support.google.com/mail/contact/abuse?hl=en

    Again, you're not answering the question. What does the web administrator do if someone is creating fake accounts using a private key? If you're going to use third party systems you don't need blockchain to begin with.

    > You are completely wrong that everyone currently using MetaMask is capable of hosting their own web server. Securely hosting a web server is orders of magnitude harder than securely using MetaMask.

    You're addressing a claim I didn't make. I'm not saying everyone using MetaMask can host their own server, I'm saying someone who isn't using a centralized entity anywhere can do it, by definition. Hosting a web server is trivial in 2022. You can literally set up a server by going to digitalocean.com right now, paying $5, and spinning up a one-click machine. Administrating it at scale is obviously more difficult, but it's trivial to set up a little OAuth server if you want.

    • > There's plenty of evidence out there for this

      You are completely moving the goalposts, I thought we were talking about internet services trying to prevent spam, not government snooping and subpoenas. Are you claiming the government's ability to collect data about you from Google is a good thing? I'm pretty confused.

      > Again, you're not answering the question. What does the web administrator do if someone is creating fake accounts using a private key? If you're going to use third party systems you don't need blockchain to begin with.

      You are not answering the question either, is this web administrator the government? Are they going to serve Google with a subpoena?

      > I'm not saying everyone using MetaMask can host their own server, I'm saying someone who isn't using a centralized entity anywhere can do it, by definition.

      Ok fair enough, I'm not saying anybody will be using "no centralized entity anywhere", not totally sure what your point is. Using a centralized entity for A is equivalent to using it for A+B?
