#1  New Coder (France, joined Nov 2012)

    Securing a web-site: Which path to take?

    This thread may ultimately lead to one, or more, of the other coding forums.
    However, with around 340,000 posts, this forum is as good a place to start the thread.

    It's December 2012, and there is turmoil in the 'web security world'.

    We have the lead editor of OAuth 2.0 withdrawing from the project and lambasting the resulting security protocol/framework.

    Further, that lambasting seems to include OpenID, and he wasn't that complimentary about OAuth 1.0 either; apparently 'the handling of signatures is an issue' (though fixable).

    We also have Mozilla Persona launching in beta, effectively usable, referencing Mozilla-hosted JS libraries.

    OAuth 2.0
    I think anybody considering Oauth 2.0 must read & view:

    http://hueniverse.com/2012/07/oauth-...-road-to-hell/
    http://hueniverse.com/2012/11/****oauth-realtimeconf/
    (Note: the link does not work due to Eran Hammer's use of a play on words beginning with an 'f' and ending with a 'k'. Either way, you can find it in his recent posts, or modify the above link accordingly.)

    The latter is a webinar that I can definitely recommend.
    It was compulsive viewing - highlighting some of the in-built security weaknesses of the protocol/framework.

    I don't have a list of all the major enterprises that use it, but I do know that Google require it for some (but not all) of their APIs.

    I guess, if you have to use it, then according to Eran Hammer you really need to be a security expert (but you'll still have to use it; it isn't necessary for me).

    OAuth 1.0
    As mentioned in the opening remarks, there are some issues of concern (that OAuth 2.0 was meant to address); however, it is apparently usable, and there is a guide to it:

    http://hueniverse.com/oauth/guide/

    I haven't spent time, as yet, studying this info, primarily because I'm looking for direction on the best path to take, and there is Mozilla Persona as 'the new kid on the block' to consider.

    Mozilla Persona
    Here is the site:

    https://developer.mozilla.org/en-US/docs/Persona

    The doc 'Why Persona' is worth reading to get an overview, but it fails to provide all the information that an overview should contain.

    Apparently the password encoding is done within the browser, ensuring that the web site need only handle email addresses.

    This sounds great, but does this provide an exclusive session, i.e. only one person/PC logged in on a given email?
    Also, can multiple PCs and their multiple browsers carry the same encrypted code for a single email address (say in a family or small business scenario)?

    Has Mozilla developed the silver bullet, or is their system only relevant to certain types of web sites?

    DIY Security
    I presume this is an option, but that is just a presumption.
    ---------

    On top of all the above, there are then the questions as to which direction is best for programming the server side.

    I'm completely new to this side of web design.
    Ajax, Python, Ruby on Rails, PHP etc.........

    How do you know which direction to take?
    Perhaps it purely depends on what your web host caters for.
    Or perhaps you should choose your web host according to what they cater for.

    Clearly I'm lost (in coding).

    But some of the experienced programmers may well be able to eliminate the confusion and point the way forward.


#2  Philip M (Supreme Master coder, London, England, joined Jun 2002)
    Sorry, I don't see what this has to do with Javascript.


#3  rnd me (Senior Coder, Urbana, joined Jun 2007)
    no system is perfect, and options add complexity.

    If OAuth 2.0 is so bad, why would big-name players on the web use it?
    And if there is a flaw, OAuth 2.1 or OAuth 3.0 would likely fix it.

    I think it's a lot riskier to roll your own security than to use an established system, especially if you are just starting out.

#4  New Coder (France, joined Nov 2012)
    Quote, originally posted by Philip M:
    Sorry, I don't see what this has to do with Javascript.
    Well, I guess that the JavaScript on the web site must communicate securely with the server side.
    Having said that..... I honestly don't know.
    It's a new area for me, but surely this is entirely relevant to coding forums?

    Quote, originally posted by rnd me:
    If OAuth 2.0 is so bad, why would big-name players on the web use it?
    And if there is a flaw, OAuth 2.1 or OAuth 3.0 would likely fix it.

    I think it's a lot riskier to roll your own security than to use an established system, especially if you are just starting out.
    On this, I was really following the lead editor of the project, who withdrew his support for the reasons that he states.
    He specifically states that the reason for its failures was down to the big-name players.

    Also another lead player then withdrew their name.
    I'm presuming these guys must know what they're talking about - Hammer does outline his case.

    For me.... hey.... I'm just listening in and thinking that maybe I should be looking at the Mozilla system.
    But the whole point is that I don't know, and I reckon that most people don't know either.

    On the issue of diy..... I only included it as an option, simply to cover the list.

#5  New Coder (France, joined Nov 2012)
    I think that the future for secure login could well be Mozilla Persona.

    My only concern is that, like OpenID and OAuth, it will not be targeted at the very people who:
    need it the most,
    are most likely to build an insecure site,
    and who are actively looking for a login solution.

    None of the three (OpenID, OAuth, Persona) show up in search results for

    Login script
    secure login script
    secure login system

    Yet the results pages are awash with login script tutorials, many of which are well out of date, referring to now discredited/replaced standards.

    And even if any of them were top notch..... read this and weep:

    http://stackoverflow.com/questions/5.../477578#477578

    Anybody thinking of writing a login script from a web tutorial, really needs to read it.
    But if there is no decisive effort to get Persona into the search results; sadly the vast majority of new site devs will continue in that same manner.

    I joined the Persona community, and have raised this issue, along with my concern that the script offerings could be better packaged to help the less experienced site devs etc.

    The community posts are displayed publicly.
    Here are the points I raise and the ideas offered:

    groups.google.com/forum/?fromgroups=#!topic/mozilla.dev.identity/BdcG-kFwYAc

    Perhaps you'll agree with some of my points, or none.
    This is a community based project that could benefit every one of us, so have a look and check out their site:

    https://developer.mozilla.org/en-US/docs/Persona

    In January, I'm going to start trying to integrate their scripts to enable Persona on my site.
    We will see how easy it is then.
