Benlog

security, privacy, transparency.

Archive for the 'web' Category

an unwarranted bashing of Twitter’s oAuth

Posted: Thursday, September 2nd, 2010 @ 2:31 pm in security, web

Ryan Paul over at ArsTechnica claims a compromise of Twitter’s oAuth system, but fails to demonstrate such a compromise. It’s unfortunate, because some of his comments are indeed worthwhile, and there are a few interesting recommendations that Twitter should follow (hah, no pun intended). But what we have here is not a “compromise”, and the [...]

browser extensions = user freedom

Posted: Saturday, June 5th, 2010 @ 8:29 pm in autonomy, privacy, web

The web browser has become the universal trusted client. That can be good: users can mostly rely on their browsers to isolate their banking site from the other web sites they visit. It can also be bad for users’ freedom: Facebook can encourage the world to add “Like” buttons everywhere, and suddenly users are being [...]

distributed innovation

Posted: Wednesday, April 21st, 2010 @ 4:58 pm in data, web

A few years ago, a small group of folks (Mark Birbeck, Steven Pemberton, Ralph Swick, Shane McCarron, me, and more recently Ivan Herman, Manu Sporny, and a lot of great new folks) started with the simple idea that, if web pages contained a bit of structured data in addition to their haphazard content, we could [...]

The Great Content Lockdown of 2010

Posted: Wednesday, March 31st, 2010 @ 6:43 pm in autonomy, policy, web

I had an invigorating and thought-provoking chat with my good friend Oliver Roup today. We agreed that the Apple iPad is going to be an unbelievable success. I’ve thought from day one that it would be huge, but I think it will be bigger than huge. Before the end of the summer, millions of people [...]

Protecting against web history sniffing attacks: an alternative

Posted: Wednesday, March 31st, 2010 @ 11:18 am in security, web

When a web site links to another web site, the link appears in a different color, usually a lighter shade of blue, if you’ve already visited the site. Unfortunately, this means that a malicious web site can learn what sites you visit by putting up a few links and checking to see how your browser [...]
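The probe the excerpt describes, as an added example that is not part of the original post: a page plants links to candidate URLs, reads back the colour the browser paints each one, and treats the `:visited` colour as a hit. The URLs, the colours and the assumed stylesheet (`a { color: blue } a:visited { color: red }`) are constructed for the example. The DOM-dependent probe is kept separate so the classification logic also runs offline, where two stand-in "browsers" are compared: one that leaks the visited state through `getComputedStyle`, and one that applies the mitigation browsers later shipped, reporting the unvisited style for every link.

```javascript
// Added example (not from the original post): the :visited history-sniffing probe.
// Assumed page CSS: a { color: blue } a:visited { color: red }
const VISITED_COLOR = "rgb(255, 0, 0)";   // what getComputedStyle reports for a visited link
const UNVISITED_COLOR = "rgb(0, 0, 255)"; // ...and for an unvisited one

// The attack: classify each candidate URL by the colour the browser paints a link to it.
// probeLinkColor(url) must return the computed CSS colour of a link pointing at url.
function sniffHistory(urls, probeLinkColor) {
  const found = {};
  for (const url of urls) {
    found[url] = probeLinkColor(url) === VISITED_COLOR ? "visited" : "unvisited";
  }
  return found;
}

// Browser-side probe: inject an off-screen link, read its computed colour, remove it.
// Only usable where a DOM exists. In a browser that still exposes :visited styling
// through getComputedStyle this returns VISITED_COLOR for URLs in the user's history.
function domProbe(url) {
  const a = document.createElement("a");
  a.href = url;
  a.textContent = url;
  a.style.position = "absolute";
  a.style.left = "-9999px";
  document.body.appendChild(a);
  const colour = getComputedStyle(a).color;
  a.remove();
  return colour;
}

// Offline stand-in for a leaky (pre-mitigation) browser: the computed style
// reflects the real visited state of a constructed history set.
function makeLeakyProbe(historySet) {
  return (url) => (historySet.has(url) ? VISITED_COLOR : UNVISITED_COLOR);
}

// Offline stand-in for a hardened browser: getComputedStyle always reports the
// unvisited style, so every link looks the same and the probe learns nothing.
function hardenedProbe(_url) {
  return UNVISITED_COLOR;
}

// Usage in a real page (skipped when there is no DOM, e.g. under Node):
if (typeof document !== "undefined") {
  console.log(sniffHistory(["https://bank.example/", "https://mail.example/"], domProbe));
}
```

The hardened stand-in models the fix browsers adopted: lie about computed style for links, and restrict what `:visited` may change to colour alone so that layout-based side channels (size, background images, timing) are closed as well. The probe above is the simplest variant; the timing and rendering variants that the mitigation also has to cover follow the same pattern of "plant link, observe a visited-dependent effect".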

It’s a WRAP followup: maybe the goal was client-side certs?

Posted: Wednesday, December 23rd, 2009 @ 2:48 pm in security, web

I’m having some interesting offline followup discussions with folks about oAuth WRAP and my relatively negative reaction to it. One of the comments seems to be that SSL will recreate exactly the security that HMAC signatures were trying to achieve, and it was really hard for developers to do oAuth right in the first place. [...]

It’s a WRAP

Posted: Tuesday, December 22nd, 2009 @ 1:58 pm in security, web

I’m just finding out about oAuth WRAP, a new, simplified version of oAuth which some are calling the “valet key” approach to web data sharing: don’t give your Facebook password to a random web app, instead use oAuth to mint them a valet key that lets the app access only some specific portions of your [...]

Facebook account hacked

Posted: Wednesday, November 11th, 2009 @ 1:17 am in security, web

So this evening my Facebook account was hacked and spam messages were posted to a few dozen friends on my behalf. Thankfully, since I’m friends with a number of security-savvy folks, I was notified almost instantly. Now I’ve never cared too much about my Facebook account, so I used one of my weak passwords. I’m [...]

Stefano thinks I’m a purist…

Posted: Friday, September 25th, 2009 @ 1:16 pm in data, web

Stefano Mazzocchi is awesome and his thinking on Web-based data is incredibly nuanced and pragmatic, so it’s not often that I want to publicly disagree with him. But in his latest post, I think he’s off the mark. Stefano argues: The difference between RDFa and Microdata (syntactic differences aside) is basically the fact that the [...]

A Partial Report from Social Network Security 2009 @ Stanford

Posted: Sunday, September 13th, 2009 @ 6:30 pm in privacy, security, web

On Friday, I attended Social Network Security 2009 at Stanford. This was a fantastic get-together, with some very interesting info from Facebook, Google, Yahoo, Loopt, and the research front. I have some notes, mostly from the first half of the day, at which point my laptop battery ran out. Time to upgrade to the 7-hour [...]