Securing a web-site: Which path to take?
This thread may ultimately lead to one, or more, of the other coding forums.
However, with around 340,000 posts, this forum is as good a place to start the thread. :)
It's December 2012, and there is turmoil in the 'web security world'.
We have the lead editor of OAuth 2.0 withdrawing from the project, and lambasting the resulting security protocol/framework.
Further... that lambasting seems to include OpenID, AND he wasn't that complimentary about OAuth 1.0... apparently 'the handling of signatures is an issue' (though fixable).
We also have Mozilla Persona launching in Beta, effectively usable, referencing Mozilla-stored JS libraries.
I think anybody considering OAuth 2.0 must read & view:
(Note: the link does not work due to Eran Hammer's use of a play on words beginning with an 'f' and ending with a 'k'. Either way, you can find it in his recent posts, or modify the above link accordingly :) )
The latter is a webinar that I can definitely recommend.
It was compulsive viewing - highlighting some of the in-built security weaknesses of the protocol/framework.
I don't have a list of all the major enterprises that use it, but I do know that Google require it for some (but not all) of their APIs.
I guess, if you have to use it, then according to Eran Hammer, you really need to be a security expert (but you'll still have to use it - it isn't necessary for me).
As mentioned in the opening remarks... there are some issues of concern (that OAuth 2.0 was meant to address); however, it is apparently usable, and there is a guide to it:
I haven't spent time, as yet, studying this info, primarily because I'm looking for direction on the best path to take, and there is Mozilla Persona as 'the new kid on the block' to consider.
Here is the site:
The doc 'Why Persona' is worth reading, to get an overview, but it fails to provide all the information that an overview should contain.
Apparently the password encoding is done within the browser, ensuring that the web site need only handle email addresses.
This sounds great, but does this provide an exclusive session - only one person/PC logged in on a given email?
Also, can multiple PCs and their multiple browsers carry the same encrypted code for a single email address (say in a family or small biz scenario)?
Has Mozilla developed the silver bullet, or is their system only relevant to certain types of web sites?
I presume this is an option, but that is just a presumption.
On top of all the above, there are then the questions as to which direction is best for programming the server side.
I'm completely new to this side of web design.
Ajax, Python, Ruby on Rails, PHP etc...
How do you know which direction to take?
Perhaps it purely depends on what your web host caters for.
Or perhaps you should choose your web host according to what they cater for.
Clearly I'm lost (in coding :D )
But some of the experienced programmers may well be able to eliminate the confusion, and point the way forward.
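To make concrete what "the web site need only handle email addresses" means on the server side, here is an added example (not Mozilla's code and not from the original post) of the two pieces a site using Persona had to implement: verifying the browser-supplied assertion with the remote verifier, and then running its own session table keyed by the verified email. The verifier URL and its `assertion`/`audience` POST fields are the real 2012 Persona interface; the network call is replaced by an injectable callable with constructed replies so the block runs offline. The audience check is the security-relevant step: only a reply whose `audience` matches the site's own origin may be trusted. The `exclusive` flag illustrates the single-login question from the post: Persona asserts an address, but how many concurrent sessions that address may hold is a policy the site itself enforces.

```python
"""Server side of a Persona (BrowserID) login, sketched for the forum question.

Added example, not Mozilla's code. The real verifier endpoint in 2012 was
https://verifier.login.persona.org/verify, called with POST fields 'assertion'
and 'audience'; here the HTTP call is an injectable callable so the example
runs offline against constructed replies.
"""
import json
import secrets
import urllib.parse
import urllib.request

VERIFIER_URL = "https://verifier.login.persona.org/verify"  # real 2012 endpoint


def remote_verify(assertion, audience):
    """POST the assertion to the remote verifier and return its JSON reply."""
    data = urllib.parse.urlencode({"assertion": assertion, "audience": audience}).encode()
    with urllib.request.urlopen(VERIFIER_URL, data=data, timeout=10) as resp:
        return json.load(resp)


def verify_assertion(assertion, audience, verify=remote_verify):
    """Return the verified email address, or None if the assertion is rejected.

    'audience' is the site's own scheme://host[:port]. A reply is only trusted
    if its status is okay AND it echoes that audience; otherwise an assertion
    issued for some other site could be replayed against this one.
    """
    reply = verify(assertion, audience)
    if reply.get("status") != "okay":
        return None
    if reply.get("audience") != audience:
        return None
    return reply.get("email")


class SessionStore:
    """Minimal server-side session table keyed by the verified email.

    exclusive=True revokes every existing session for an address when it logs
    in again, giving one person/PC per email; exclusive=False lets several
    browsers (family or small-business scenario) stay logged in at once.
    """

    def __init__(self, exclusive=False):
        self.exclusive = exclusive
        self.sessions = {}   # session id -> email
        self.by_email = {}   # email -> set of session ids

    def login(self, email):
        if self.exclusive:
            for sid in self.by_email.get(email, set()):
                self.sessions.pop(sid, None)
            self.by_email[email] = set()
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self.sessions[sid] = email
        self.by_email.setdefault(email, set()).add(sid)
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid)

    def logout(self, sid):
        email = self.sessions.pop(sid, None)
        if email:
            self.by_email[email].discard(sid)


# Constructed verifier replies standing in for the network call.
def fake_verifier_ok(assertion, audience):
    return {"status": "okay", "email": "alice@example.com", "audience": audience,
            "expires": 1355000000000, "issuer": "login.persona.org"}


def fake_verifier_wrong_audience(assertion, audience):
    return {"status": "okay", "email": "alice@example.com",
            "audience": "https://other.example", "expires": 1355000000000,
            "issuer": "login.persona.org"}


def demo():
    """Exclusive mode: a second login for the same email invalidates the first."""
    site = "https://www.example.com"
    assert verify_assertion("<assertion-from-browser>", site, fake_verifier_ok) == "alice@example.com"
    assert verify_assertion("<assertion-from-browser>", site, fake_verifier_wrong_audience) is None
    store = SessionStore(exclusive=True)
    first = store.login("alice@example.com")
    second = store.login("alice@example.com")
    return store.user_for(first), store.user_for(second)


if __name__ == "__main__":
    print(demo())  # (None, 'alice@example.com')
```

In production the site passes `remote_verify` (the default) and never verifies assertions itself; the fake verifiers exist only so the audience check and the session policy can be exercised without a network.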