Category: web

  • Web Cookies Explained

    The StopBadware Project and the Berkman Center (disclaimer: I’m affiliated with both) just announced the winner of the “Cookie Crumbles” video contest to help explain web cookies to the world: Clayton Miller. Here’s his video: It is 99% correct, and for a 1.5 minute film, that’s quite impressive. Good video to share with friends and […]

  • Open(Social) Will Win ; and now Privacy?

    If you’re hooked into the social networking world, you know about Facebook and the Facebook platform, which lets developers create all sorts of applications that make use of your Facebook social network in interesting ways. Flixster, for example, lets you share and compare your movie tastes with your existing Facebook friends. No need to reconnect […]

  • The State of Badware

    I’m an advisor to Harvard Law’s Berkman Center, where I work specifically with StopBadware, a group of talented folks who are helping to identify and report on software that does bad stuff to your computer. Malware, spyware, adware, badware, whatever you want to call it, the issue is control and notice: do you control your […]

  • The Password Anti-Pattern and the Login Redirection Anti-Pattern

    A few weeks ago, I wrote about how web sites that manage your data should be more open in order to better protect you. Not so surprisingly, I’m not the only one thinking about this issue. Jeremy Keith has a fantastic detailed write-up regarding what he calls the “password anti-pattern.” It gets at the […]

  • The Web is the Platform, Part 2

    So the iPhone is selling like crazy and web 2.0 developers are jumping on the bandwagon with iPhone hacking sessions, an IRC channel, a mailing list, and some really neat tricks to squeeze unexpected features out of the Safari web browser. Apple has set up developer tech talks to fuel the movement. There’s also a […]

  • Facebook Platform: bad login practices, OpenID doesn’t work

    Facebook launched a platform that lets third-party developers add Facebook applications. This is visionary, and it’s very very cool (though I’m not sure it’s the revolution everyone is talking about.) The problem, of course, is authentication. Take a look at the Zoho Facebook application. Zoho is a separate company. They have their own accounts. So […]

  • Get Over It, The Web is the Platform

    I have to be careful sometimes when posting about Apple’s latest stuff, because I am, to a certain degree, what some call an Apple fanboy. I don’t like everything Apple does, but I am certainly receptive to their designs and their approach to consumer technology. I think they generally “get it right” whereas so many […]

  • Web 2.0 Security & Privacy Workshop

    Today, I was at the IEEE Web 2.0 Security & Privacy Workshop, where I presented a short position paper on extending the web browser to enable secure private-data mashups. I started the day not sure what to expect: maybe a day-long complaint about how web 2.0 concepts are insecure and we need to stop and […]

  • Google, the Desktop, and Privacy

    Google just released Google Desktop for Mac, and that got me thinking again about the Google and Privacy issue I wrote about here and here. I said that Microsoft might have an interesting privacy advantage, because your data lives on your computer, and their software doesn’t need to send much info to the mothership. By […]

  • Time to Rethink the Cross-Domain Javascript situation

    Joe Walker worries about Operator Overloading in Javascript. Though I’m not sure I see an immediate attack, I think Joe is worried about the right thing: since cross-domain execution is dependent on whether the file is well-formed according to the Javascript language, and since the Javascript language is changing over time, we’ve got a real […]

  • JSON Safety: It’s about the unwitting servers

    I’ve always thought that the JSON hack was a truly weird happenstance. For those who don’t quite know it, it goes something like this. A web page you download can run limited code inside your browser. For example, it can animate certain transitions when you click, it can sum up the price of your 3 […]

  • Privacy and Social Networks

    I worry a lot about privacy. The first half of this short video about the privacy policy of is great (the second half is a bit too much of a six-degrees-of-separation game to associate with the CIA). What’s particularly interesting is that, when is discussed in the press, there is rarely any […]

  • BeamAuth: Two-Factor Web Authentication with a Bookmark.

    (There’s always a dilemma between “publishing soon” and “polishing for peer review.” This is my first attempt at blog-based collaborative peer-review. Let’s see how it goes!) The Problem Phishing is a serious issue, and it’s only getting worse. Through various means, Alice ends up at a spoofed web site she thinks she recognizes (usually her […]

  • Is that You speaking, or is it just an evil web site?

    Microsoft Vista has speech recognition, so it’s conceivable that a malicious web site could play a sound that orders your computer to delete a file, at which point Windows might respond as if you’d given the order. I don’t blame Microsoft for this one, because it’s really an attack channel I doubt many people had […]

  • 2007: Controlled End-User Web APIs for Private-Data Mashups

    As far as technology goes, 2007 will be about web security. With everyone storing more and more personal data on various web sites, and with the continuing innovation of mash-ups, it’s inevitable. And it won’t be the web security issues of the last few years, either, it will all be about how to do private-data […]

  • Web 2.0 and Security

    For the past few months, I’ve been thinking that security is going to be of paramount importance to web 2.0. The style of programming for web 2.0, the desire to always push the limit of Javascript and to find new and innovative ways to speed up the client/server communication, are bound to result in numerous […]

  • Return of the Cross Domain AJAX

    So I’ve found that the cross-domain AJAX meme just won’t die, with folks writing articles that seem to miss the issue of firewalled content, at least at first (in that article, a reader comment eventually brings it up, though the crux of the article is focused on far less important issues.) Somehow, the point is […]

  • Talks Galore!

    I’ve given far too many talks over the last 2 months. You’d think I wasn’t defending my PhD thesis next month. All of my slides are available under a Creative Commons license, of course: Introduction to Cryptographic Voting, a lecture I gave in Kevin Fu’s Applied Cryptography class at UMass Amherst. (Kevin was a classmate […]

  • RDFa Web Site Launched

    For about 18 months now, I’ve been chairing the W3C’s Task Force on embedding RDF in HTML. In simpler terms, this means my little group is defining how you can add extra structure to your HTML, so that, if you announce a talk, your contact information, a document license, or any other metadata, a small […]

  • Interoperable Metadata @ WWW2006

    This week, I’m at WWW2006, giving two talks on Interoperable Web Metadata: On Wednesday, at 4pm, for about 20 minutes, focusing on the developer’s view of embedding interoperable metadata in HTML. Location TBD. On Friday at 11am, for about 20 minutes, focusing on the W3C/RDF issues of embedding interoperable metadata in HTML. Location TBD. What […]

  • W3C AC Lightning Talk on Interoperable Metadata

    I’m giving a lightning talk at the W3C AC Meeting in Edinburgh on Sunday, at around 1500 GMT, about RDFa for 3 minutes. UPDATE: The slides for the talk are now available online.

  • My Hopeless, Repetitive Talk

    A few weeks ago, I gave a talk on interoperable metadata at the Semantic Technologies conference. I give a number of talks about various technology topics covering web, semantic web, crypto and voting, but this is one of the few times that I actually received formal, written feedback and ratings. Feedback is a fantastically useful […]

  • It’s hard to help people

    So I tried to help the discussion over at Lucas’s blog this week, given my fairly extensive experience with enterprise web apps and security. The reaction was far from positive. Even though my point eventually got across, it was mostly dismissed as inconsequential. Instead, Lucas found a variant of the well known cross-domain attack, and […]

  • Cross Domain AJAX 2

    Lucas has posted an update that confirms the two points I made in my previous post: Safari does not allow cross-site AJAX. (It allows it only when it loads a local file, but that’s a good thing for prototyping.) Cross-site AJAX would be a huge problem for intranet issues. I’m not sure that Lucas’s discovery […]

  • Cross Domain AJAX

    AJAX is all the rage, but it can’t do everything people want it to do. For example, AJAX code from one site can’t access another site. The limitation is related to security… but recently Lucas Carlson set out to debunk cross-domain AJAX security myths. Lucas Carlson does a good job of debunking some of the […]