Feedly Forces Its Users To Create Google+ Profiles 251
somegeekynick writes "Feedly users, a lot of whom migrated from the now-defunct Google Reader, are now finding out that they will not be able to login to the service without a Google+ Profile. In a blog post from Edwin Khodabakchian, which was posted almost at the same time the change rolled out, the reason for the change is stated as following Google's own move from using OAuth to Google+ for authentication. What has riled up a lot of users, as can be read in the comments, is that this change has come without warning and a lot of feeds are now being 'held hostage' by Feedly, especially for users who are reluctant to create Google+ Profiles."
rs (Score:2, Informative)
The main Google Reader replacement.
Re:What the fuck is a "Feedly"? (Score:5, Informative)
More importantly, this is a non-news story since they have since rolled back those changes.
Re:What the fuck is a "Feedly"? (Score:2, Informative)
Death by a thousand cuts. They'll do it again. This is all part of an apparently huge push to force g+ on people.
Gmail recently started requiring access to plus.google.com in order to login. Some of us block access to social networks.You must now regularly few (sometimes more than once a week) a g+ nag screen.
I am migrating my dozen+ accounts from gmail. Thanks for the push, google!
Find a better Google Reader replacement... (Score:4, Informative)
Feedly's login policy was what forced me to use Inoreader (www.inoreader.com), the only reader I was aware of that provided a standalone login. And boy am I happier for it. Light, fast and simple yet also feature rich. Just like the Google reader I used to know and love....
Re:NEVER roll your own authentication. (Score:5, Informative)
Software developer should NEVER try to roll their own authentication, just like they shouldn't try to roll their own encryption.
Security is the domain of PROFESSIONALS and EXPERTS only. Your average softdev should NEVER EVER EVER try to roll their own authentication.
It's better to use existing software written by PROFESSIONALS and EXPERTS. Like OpenSSH. That's what everybody should use for authentication.
Wow. How wrong could this be? Let me count the ways...
Nah. I have better things to do. I'll just say that a "real" developer uses tools developed by others to "roll their own" authentication. Nobody said you should to invent your own hashing algorithm or anything. Just follow recommended practices, use a known-to-be decent hash method, and be sure to salt.
It ain't rocket science.
Re:What is the issue with creating a Google+ accou (Score:5, Informative)
What is the issue with creating a Google+ account?
The issue is that using "John Doe" as your name when it is not your name is in violation of their Names Policy [google.com], you are subject to having the account suspended or canceled. [google.com]
This is so much bullshit on so many levels. Using a real-life and permanent name in conjunction with social networking activity is, in my opinion, extremely stupid. Making this a requirement for participation is frightening.
G+ has taken some steps in the right direction [eff.org], but IMO this has been more talk and less action than is necessary and their behavior with forcing G+ membership for Google store/youtube comments is abhorant.
Preserving anonymity, pseudonyms, and online identity separate from 'real life", insofar as is possible, is essential to a healthy Internet.
AC
Re:All your accounts are belong to us. (Score:5, Informative)
Try this:
https://www.startpage.com/ [startpage.com]
It uses google, but even google don't know who you are when you go through these guys :)
tt-rss is highly recommended (Score:5, Informative)
I highly recommend setting up the free tt-rss service [tt-rss.org]. There's also a nice mobile client.
Re:rs (Score:5, Informative)
The main, crappy replacement. The real replacement is Newsblur.
Google account != Google+ profile (Score:4, Informative)
Use Google to search for an alternative you can use on your Android phone
So what handheld computer should I use if I want to write my own software but don't want Google
If you have an android phone/a youtube account/ or a gmail address you have a g+ account.
No, you have a Google account. Google is requiring certain users who already have a Google account to add a Google+ profile to their Google account and associate all activity on their Google account with their Google+ profile.
Re:NEVER roll your own authentication. (Score:4, Informative)
Software developer should NEVER try to roll their own authentication, just like they shouldn't try to roll their own encryption.
No. Authentication is far easier to understand. Proof of knowledge is simple to perform, and is new authentication protocols can be built from the cryptographic primitives with ease. I'm certain you have no knowledge in this area, if you had some experience creating authentication systems you would know the same advice for ciphers does not apply to authentication. It's true
Furthemore, today we lack a widely adopted authentication standard that provides revocation, and optional anonymity. There current major competing authentication standards are all laughable due to their reliance on the broken SSL trust graph. Firefox - settings - Advanced - Certificates - View Certificates - Hong Kong Post & CNNIC. These are root certificates that can be used by the Chineese government to create a "valid" cert for Google.com or Yourbank.com without those domain's permission. Together with an unsigned DNS root infrastructure the entire security system of the web is completely and utterly a security theater. Your route passes through there servers and you've still got a big green bar saying yourbank.com is secure when you've been MITM'd by the Chinese, Russians, Iran, Turkey, etc. Folks we are actively at "cyber war" with. I say this to illustrate the FACT: You MUST write your own authentication system, because EVERYONE ELSE who we thought COULD be trusted SHOULD NOT BE TRUSTED; They're all worse than morons, they've PURPOSEFULLY built a fucked up system.
HTTP AUTH already exists and is supported in every web browser. Since it asks for authentication before displaying any content it is the right direction (unlike EVERY OTHER AUTHENTICATION). However HTTP-AUTH is clunky and most redardedly HTTP and TLS do not know about each other so the nonce you send as proof of knowledge in the clear which could instead be used to key your TLS/SSL stream cipher DOES NOT do so.
All the well used existing authentication standards are fucking jokes. OAuth? Don't make me laugh: It's the best way to phish passwords EVER! Just make, say, a google or facebook login logo and have it redirect to a page that is not google or facebook to collect their password. Sure 2 factor exists, but it's not commonly used and even it has gaping huge holes.
So, what we need are PRE-REQUEST authentication systems. A browser plugin that detects you're about to visit a secured site (perhaps from its database of prior authentications) then it pops up the browser password dialog NOT ON THE PAGE and perform the secure handshake providing proof of knowledge of a key and another nonce to hash with you password [or HMAC(domain, pw) ] to generate a session cipher key and then immediately begin send encrypted data back and forth without any PKI bullshit needed at all since the endpoints already have a pre-shared secret with which to generate a session secret. The ONLY time you need Public Key crypto is when you register an account and establish the pre-shared key. That window is so small, and impractical since the shared key is not useful unless a permanently maintained MITM attack is performed on every connection attempt that it makes PKI hierarchy essentially moot (esp: considering that PKI is useless due to aforementioned explicit trust of enemy actors as roots).
Your advice to not create your own authentication system is the absolute WORSE advice you can possibly give since ALL prominent authentication standards are complete and utter rubbish. You at least have a CHANCE of creating something more secure than the blatant SECURITY THEATER that is everything else.
To be perfectly clear, this is infinitely better than everything else: Browser plugin asks for master password; For any domain, Domain GUID = HMAC( userID, domain ), HMAC( HMAC( Master PW + Salt ), domain + nonce ) = session cipher key; Send Domain GUID, nonce, and your encrypted data to the server.
Re:All your accounts are belong to us. (Score:5, Informative)
Because I want to at least *feel* like I have SOME sort of control over what I do online and where my personal effects end up?
Then you should like the G+/YouTube integration because now you can make YouTube comments that are not public. Pick the people/circles you want to share your comment with and only those people will be able to see your comment on the video. Yes, for this to work they have to have Google+ accounts, too, or they will be part of "the public" and be unable to see what you wrote.
I'm not sure if the video owner can see comments that are shared privately. I suspect not.
Anyway, if it's control you're looking for, this change gives you control that you didn't previously have.
(Disclaimer: I'm a Google engineer, but I don't work on YouTube or Google+. My only real knowledge of them is as a (satisfied) user.)