Securing a web-site: Which path to take?
This thread may ultimately lead to one, or more, of the other coding forums.
However, with around 340,000 posts, this forum is as good a place to start the thread. :)
It's December 2012, and there is turmoil in the 'web security world'.
We have the lead editor of Oauth 2.0 withdrawing from the project, and lambasting the resulting security protocol/framework.
Further.... that lambasting seems to include OpenID, AND, he wasn't that complimentary about Oauth 1.0 ........... apparently 'the handling of signatures is an issue' (though fixable).
We also have Mozilla Persona launching in Beta, effectively usable, referencing Mozilla stored js libraries.
I think anybody considering Oauth 2.0 must read & view:
(note the link does not work due to Eran Hammer's use of a play on words beginning with an 'f' and ending with a 'k'. Either way, you can find it in his recent posts, or modify the above link accordingly :) )
The latter is a webinar that I can definitely recommend.
It was compulsive viewing - highlighting some of the in-built security weaknesses of the protocol/framework.
I don't have a list of all the major enterprises that use it, but I do know that Google require it for some (but not all) of their API's.
I guess, if you have to use it, then according to Eran Hammer, you really need to be a security expert (but you'll still have to use it - it isn't necessary for me).
As mentioned in the opening remarks..... there are some issues of concern (that Oauth 2.0 was meant to address), however, it is apparently usable, and there is a guide to it:
I haven't spent time, as yet, studying this info, primarily because I'm looking for direction on the best path to take, and there is Mozilla Persona as 'the new kid on the block' to consider.
Here is the site:
The doc Why Persona is worth reading, to get an overview, but it fails to provide all the information that an overview should contain.
Apparently the password encoding is done within the browser, ensuring that the web site need only handle email addresses.
This sounds great, but, does this provide an exclusive session - only one person/pc logged in on a given email?
Also, can multiple PCs and their multiple browsers carry the same encrypted code for a single email address (say in a family or small biz scenario)?
Has Mozilla developed the silver bullet, or is their system only relevant to certain types of web sites?
I presume this is an option, but that is just a presumption.
On top of all the above, there are then the questions as to which direction is best for programming the server side.
I'm completely new to this side of web design.
Ajax, Python, Ruby on Rails, PHP etc.........
How do you know which direction to take?
Perhaps it purely depends on what your web host caters for.
Or perhaps you should choose your web host according to what they cater for.
Clearly I'm lost (in coding :D )
But some of the experienced programmers may well be able to eliminate the confusion, and point the way forward.
no system is perfect, and options add complexity.
if Oauth 2.0 is so bad, why would big-name players on the web use it?
and if there is a flaw, Oauth 2.1 or Oauth 3.0 would likely fix it.
i think it's a lot riskier to roll your own security than use an established system, especially if you are just starting out.
Having said that..... I honestly don't know.
It's a new area for me, but surely this is entirely relevant to coding forums?
He specifically states that the reason for its failures was down to the big-name players.
Also another lead player then withdrew their name.
I'm presuming these guys must know what they're talking about - Hammer does outline his case.
For me.... hey.... I'm just listening in and thinking that maybe I should be looking at the Mozilla system.
But the whole point is that I don't know, and I reckon that most people don't know either.
On the issue of diy..... I only included it as an option, simply to cover the list.
I think that the future for secure login could well be Mozilla Persona.
My only concern is that, like Open ID & Oauth, it will not be targeted at the very people who need it the most.
None of the three (Open ID, Oauth, Persona) show up in search results for "Login script". Yet the results pages are awash with login script tutorials.... many of which are well out of date, referring to now discredited/replaced standards.
And even if any of them were top notch..... read this and weep:
Anybody thinking of writing a login script from a web tutorial, really needs to read it.
But if there is no decisive effort to get Persona into the search results; sadly the vast majority of new site devs will continue in that same manner.
I joined the Persona community, and have raised this issue, along with my concern that the script offerings could be better packaged to help the less experienced site devs etc.
The community posts are displayed publicly.
Here are the points I raise and the ideas offered:
Perhaps you'll agree with some of my points, or none.
This is a community based project that could benefit every one of us, so have a look and check out their site:
In January, I'm going to start trying to integrate their scripts to enable Persona on my site.
We will see how easy it is then.
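The thread sets delegated login (where the site only ever handles an email address) against the "login script from a tutorial" route it warns about. As an added example that is not part of any post above and not code from Mozilla, OAuth or any tutorial the posters refer to, this shows what a site-local credential store looks like when written with standard-library primitives, beside the unsalted fast-hash style that dated tutorials commonly show. The unsalted MD5 "legacy" scheme is my illustration of an outdated approach (the thread names no specific scheme); the PBKDF2 choice, the 100,000 iteration count, the `scheme$iterations$salt$key` record format and the sample users are all my own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- Outdated tutorial style, kept only for contrast (assumed legacy scheme) ---
# Unsalted and fast: identical passwords give identical digests, so a leaked
# table reveals shared passwords and is cheap to attack with precomputed tables.
def legacy_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# --- Current approach: per-user salt, slow derivation, constant-time compare ---
SCHEME = "pbkdf2_sha256"
ITERATIONS = 100_000  # tuning value chosen for this example, not a standard


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_b64$key_b64."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored credential
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(stored: str, password: str) -> bool:
    """Check a password against a stored record; malformed records never verify."""
    try:
        scheme, iters, salt_b64, dk_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:  # wrong field count, non-integer count or bad base64
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not leak how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record uses the legacy scheme or fewer iterations than policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate against a dict of username -> stored record, upgrading a
    legacy record to the current scheme after a successful check."""
    stored = users.get(username)
    if stored is None:
        # Spend about the same time as a real check so that unknown usernames
        # are not distinguishable from wrong passwords by response time.
        hash_password(password)
        return False
    if stored.startswith(SCHEME + "$"):
        ok = verify_password(stored, password)
    else:
        # legacy record: 32 hex characters of unsalted MD5
        ok = hmac.compare_digest(stored, legacy_hash(password))
    if ok and needs_rehash(stored):
        users[username] = hash_password(password)
    return ok


if __name__ == "__main__":
    # Constructed sample store: one legacy record and one current record.
    users = {
        "alice": legacy_hash("hunter2"),
        "bob": hash_password("correct horse"),
    }
    print(login(users, "alice", "hunter2"), users["alice"].startswith(SCHEME))  # True True
    print(login(users, "bob", "wrong"))  # False
```

The record format carries its own parameters, so the iteration count can be raised later and old records are migrated on the user's next successful login, which is how a site keeps a self-written login script from becoming one of the "out of date" ones the thread complains about.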