Comments for Don Park's Daily Habit

Comment on OAuth Alternative for Twitter by andrewluetgers

andrewluetgers — Sun, 21 Aug 2011 19:05:53 +0000

Ive been trying to wrap my head around OAuth and have communicated with Eran Hammer-Lahav who is a key contributor to OAuth and yet i feel no more secure for his responses http://hueniverse.com/questions/#comment-34601. To be more specific I’m speaking of oAuth, in any incarnation (1.0, 1.0a, 2.0), when applied to anything that is not a web server. iPhone, Android and desktop apps as well as stand alone web apps (off line html, js, css) and browser plugins all suffer from the problem of exposing their client key and “secret” in some cases in plain text, in other cases it can be retrieved easily enough by decompiling the distributed binary files. Its my belief that to be honest with ourselves we need to recognize the client key and “secret” are public information in these configurations. A simple question for you: is it a problem for the client key and secret to be public? I think the answer is clearly yes.

I believe this issue leaves OAuth susceptible to phishing style attacks where an evil app masquerades as a trusted app. This problem does not exist if the third party app is a web site because the client key and secret are kept hidden on the server. Also in the case of a browser we have the built in ssl certificate information we can check and the url of course. In the big world outside the browser we have no such assurances. Furthermore native apps that kick a user out to a browser session are not secure either because they can mimic the appearance of a browser or simply pull strings behind the scenes to log keystrokes. Nick (sorry i don’t have his last name) has done some excellent work pointing out this risk http://nicksnettravels.builttoroam.com/post/2011/03/26/Hack-OAuth-security-flaw-for-Windows-Phone-7-iPhone-and-other-Mobile-platforms.aspx

Do you agree there is actually a risk of evil apps using trusted app client keys and secrets to steal data they otherwise would not have had access to or do i misunderstand the spec?

I have been working on a variant of PAuth to try to mitigate this risk that also solves some of the user experience issues others have cited. Id love to discuss more if you’d like pleas email me.

Thanks so much!

Comment on Smiley Profile Image Set by wholesale oil painting

wholesale oil painting — Fri, 12 Aug 2011 00:43:48 +0000

there’s no doubt that which will,There’s no doubt which your escalating desire created the rise in costs.

Comment on Google App Engine Launcher Options by Mauvis Ledford

Mauvis Ledford — Fri, 05 Aug 2011 21:58:35 +0000

Just a note, to get the iPhone to connect to my local machine I had to do these settings:

–address=0.0.0.0 -a localhost

Thanks for the tips!

Comment on What is Identicon? by donpark

donpark — Sat, 30 Jul 2011 19:29:19 +0000

Limit of possible combination depends on the chosen visual presentation method. Infinite visuals are possible but practicality must be considered. However, I think focus on possible combination is misplaced because the goal is to ‘recognize or distinguish’ which does not require global uniqueness but only sufficient uniqueness within application context.

For example, first implementation of Identicon used IP address which is neither unique nor persistent but reasonably unique and persistent within the temporal context of comment-based conversation over a blog post.

Comment on Identicon and QR Code by bob

bob — Sat, 30 Jul 2011 14:24:40 +0000

Welcome back!

Comment on What is Identicon? by Josh Davis

Josh Davis — Sat, 30 Jul 2011 05:32:57 +0000

This is great Don. You make a good point about the visual here as well as in the Identicon/QR post. I especially think it’s interesting that the mathematics determine the visual. There is a vast amount of possible combinations visually for the 9 blocks, but that amount must be finite, correct?

If there are ~16.7 million possible RGB color values times however many different options there are for each of the nine blocks, we’re talking hundreds of trillions of possible Identicons, right?

Comment on HTML5 Microdata Fantasy by none

none — Fri, 29 Jul 2011 17:33:11 +0000

“There are lots of wholes in this sketch which is why it’s a fantasy.”
I first read that as “There are lots of whores in this sketch which is why it’s a fantasy.”

Which didn’t make sense in the context (but makes sense otherwise). I then realised you meant “There are lots of holes in this sketch which is why it’s a fantasy.”

Curse that double-you!

Comment on Using JSP with Jersey JAX-RS Implementation by Tomek

Tomek — Tue, 26 Jul 2011 09:02:53 +0000

You saved my day. I’ve been looking for this for a couple of days now.

Comment on Using JSP with Jersey JAX-RS Implementation by Art

Art — Wed, 08 Jun 2011 02:03:12 +0000

Great info, jsp finally works with jax for me.

Comment on Using JSP with Jersey JAX-RS Implementation by Gianluca Orlando

Gianluca Orlando — Wed, 09 Mar 2011 17:43:29 +0000

Sorry but this not working for me

I got this exception

javax.servlet.ServletException: non-HTTP request or response
com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:770)

I’m working to solve this problem