Implementing
Privacy
OAuth &
Token Madness
evan@protest.net
Privacy
Perception of Privacy
The Privacy to Disappear
Extreme Privacy
Privacy and the State
Privacy and the Law
Can you say?




               source: http://www.crestpublishing.co.za/killthepresident.html
Kill the Cuban president?




                            source: http://flic.kr/p/RfwD
Speech as Property
Privacy & Hackers
Email & Logins
One email per person
Email for Everything
We use email for everything!
Hackers want your email
The Twitter Files
Dear God Why?!?!
Fail
Salvation?
Delegated Token
Authorization
FlickrAuth, Google AuthSub, Yahoo’s BBAuth,
Facebook Auth, Amazon AWS, AOL OpenAuth,
etc...
Tokens
Like Coins?
Symbols
username      password          token         secret
timoreilly    alphag33ks        SLx39nv4      L9vQlviq2x
Cryptographic Signatures
require 'oauth'   # gem install oauth (github.com/mojodna/oauth)

# consumer key/secret identify the application; token/secret were issued to it for one user.
# both secrets feed the signing key, neither is ever sent on the wire.
consumer = OAuth::Consumer.new( 'dpf43f3p2l4k3l03', 'kd94hf93k423kf44' )
token = OAuth::Token.new( 'nnch734d00sl2jdk', 'pfkkdhi9sl3r4s00' )

# request is the GET /photos?file=vacation.jpg&size=original shown later in the deck
signature = OAuth::Signature.sign(request, {
  :consumer => consumer,
  :token => token,
  :uri => 'http://photos.example.net/photos' } )

assert_equal 'tR3+Ty81lMeYAr/Fid0kMTYa/WM=', signature
Cryptographic WHAT?
 TOKEN          HASH   KEY   SECRET
                  |
              signature
                  |
         sig=aslkdjfalskd

token=vkzljxc&sig=aslkdjfalskd
Delegated Token
Authorization
FlickrAuth, Google AuthSub, Yahoo’s BBAuth,
Facebook Auth, Amazon AWS, AOL OpenAuth,
etc...
Authentication        Authorization
OpenID                OAuth
Users                 Applications
Very Simple
Love Triangle

                  end user



consumer                      service
application                   provider
Three Legs

                end user



consumer                   service
application                provider
Two Legs




consumer                 service
application              provider
Buenos Aires, Argentina
 San Jose, California
Token Dance
consumer                                              provider
requesting the request token                      -->
                                                  <-- creates and returns a new request token
redirect user to provider with token in url       -->
                                                      user selects preferences and approves auth
                                                  <-- redirected back to consumer with request token
consumer wants to trade request token for access  -->
                                                  <-- provisional request token traded for access token
consumer saves the access token for the user
Token Dance

     web applications


   desktop applications



  out of band applications
like mobile and embedded
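The dance above, as an added example in Ruby that is not part of the original deck, the oauth gem or the oauth-plugin: a minimal in-memory provider that issues a request token, lets the user approve it, and trades the approved token for an access token exactly once. The class and method names, the token store and the SecureRandom token values are this example's own assumptions.

```ruby
require 'securerandom'

# Added example (not from the slides, the oauth gem or oauth-plugin): an in-memory
# service provider that walks a consumer through the three-legged token dance.
# Token values are generated here; class and method names are this example's own.
class TokenDanceProvider
  RequestToken = Struct.new(:key, :secret, :consumer_key, :user, :approved, :used)
  AccessToken  = Struct.new(:key, :secret, :consumer_key, :user)

  def initialize(consumers)
    @consumers = consumers      # consumer_key => consumer_secret (registered applications)
    @request_tokens = {}
    @access_tokens = {}
  end

  # Steps 1/2: consumer asks for a request token; provider creates and returns it.
  # The token is not yet tied to any user and grants no access on its own.
  def request_token(consumer_key)
    raise ArgumentError, 'unknown consumer' unless @consumers.key?(consumer_key)
    tok = RequestToken.new(fresh, fresh, consumer_key, nil, false, false)
    @request_tokens[tok.key] = tok
    tok
  end

  # Steps 3/4: the user, sent to the provider with the token in the URL, reviews the
  # consumer's request and approves it. Approval binds the request token to that user.
  def authorize(token_key, user)
    tok = @request_tokens[token_key]
    return false if tok.nil? || tok.approved
    tok.user = user
    tok.approved = true
    true
  end

  # Steps 5/6: back at the consumer, the request token is traded for an access token.
  # Only an approved, unused token from the same consumer may be exchanged, and
  # the exchange is one-shot, so a request token cannot be traded twice.
  def access_token(consumer_key, token_key)
    tok = @request_tokens[token_key]
    return nil if tok.nil? || tok.consumer_key != consumer_key
    return nil unless tok.approved && !tok.used
    tok.used = true
    access = AccessToken.new(fresh, fresh, consumer_key, tok.user)
    @access_tokens[access.key] = access
    access
  end

  # Later API calls: which user does this access token speak for?
  def user_for(access_key)
    @access_tokens[access_key]&.user
  end

  private

  def fresh
    SecureRandom.hex(8)
  end
end

# Walk the dance end to end with the consumer key from the slides (constructed run);
# returns the user the consumer ends up acting for.
def run_token_dance
  provider = TokenDanceProvider.new('dpf43f3p2l4k3l03' => 'kd94hf93k423kf44')
  consumer_key = 'dpf43f3p2l4k3l03'

  req = provider.request_token(consumer_key)
  # ... consumer redirects the user to the provider with req.key in the URL ...
  provider.authorize(req.key, 'timoreilly')
  # ... provider redirects the user back to the consumer with the request token ...
  access = provider.access_token(consumer_key, req.key)
  # consumer saves access.key / access.secret for this user
  provider.user_for(access.key)
end
```

The provider refuses to exchange a request token the user has not approved and refuses a second exchange of the same token, which is the property the consumer's stored access token depends on. OAuth 1.0a later added an oauth_verifier that the provider hands back with the approval and that the consumer must present at the exchange step; the example follows the flow as drawn on the slides.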
OAuth Params
oauth_*
OAuth Params
oauth_consumer_key
oauth_consumer_secret
OAuth Params
oauth_consumer_key="dpf43f3p2l4k3l03"
oauth_token="nnch734d00sl2jdk"
OAuth Params
oauth_nonce="kllo9940pd9333jh"
oauth_timestamp="1191242096"
OAuth Params
oauth_signature_method="HMAC-SHA1"
oauth_version="1.0"
oauth_signature="tRMTYa%2FWM%3D"
Forms of OAuth
HTTP GET params
HTTP POST params
HTTP Headers
XMPP - Jabber
HTTP GET params
GET&http%3A%2F%2Fphotos.example.net
%2Fphotos&file%3Dvacation.jpg
%26oauth_consumer_key
%3Ddpf43f3p2l4k3l03%26oauth_nonce
%3Dkllo9940pd9333jh%26oauth_signature_method
%3DHMAC-SHA1%26oauth_timestamp
%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk
%26oauth_version%3D1.0%26size%3Doriginal
HTTP HEADERS params
GET /photos?size=original&file=vacation.jpg HTTP/1.1
Host: photos.example.net:80
Authorization: OAuth realm="http://photos.example.net/photos"
  oauth_consumer_key="dpf43f3p2l4k3l03"
  oauth_token="nnch734d00sl2jdk"
  oauth_nonce="kllo9940pd9333jh"
  oauth_timestamp="1191242096"
  oauth_signature_method="HMAC-SHA1"
  oauth_version="1.0"
  oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
HTTP POST params
POST /photos?size=original&file=vacation.jpg HTTP/1.1
Host: photos.example.net:80
  oauth_consumer_key="dpf43f3p2l4k3l03"
  oauth_token="nnch734d00sl2jdk"
  oauth_nonce="kllo9940pd9333jh"
  oauth_timestamp="1191242096"
  oauth_signature_method="HMAC-SHA1"
  oauth_version="1.0"
  oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
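Putting the three forms above together, as an added example that is not the oauth gem's code: a small Ruby module that builds the signature base string from the request on these slides, derives the HMAC-SHA1 signature from the consumer secret and token secret given earlier in the deck, and recomputes it on the provider side to validate a presented oauth_signature. The module and helper names and the constant-time comparison are this example's own; the parameter values are the ones on the slides.

```ruby
require 'openssl'

# Added example, not the oauth gem's implementation: OAuth 1.0 HMAC-SHA1 signing
# and provider-side verification. Helper names are this example's own.
module OAuthSig
  # Percent-encoding as OAuth 1.0 requires (RFC 3986): only A-Z a-z 0-9 - . _ ~ stay as-is.
  def self.encode(str)
    str.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
  end

  # Normalise parameters: encode key and value, sort by key then value, join with '&'.
  # oauth_signature itself is never part of the base string.
  def self.normalize_params(params)
    params.reject { |k, _| k == 'oauth_signature' }
          .map { |k, v| [encode(k), encode(v)] }
          .sort
          .map { |k, v| "#{k}=#{v}" }
          .join('&')
  end

  # base string = METHOD & encode(base URI) & encode(normalised params)
  def self.base_string(method, uri, params)
    [method.upcase, encode(uri), encode(normalize_params(params))].join('&')
  end

  # key = encode(consumer_secret) & encode(token_secret); a two-legged call has no
  # token, so the token secret is empty and the key ends with the ampersand.
  def self.sign(method, uri, params, consumer_secret, token_secret = '')
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base_string(method, uri, params))
    [mac].pack('m0')   # base64 without line breaks
  end

  # Provider side: recompute the signature from the received request and compare
  # without leaking, through timing, where the first mismatching byte is.
  def self.valid?(method, uri, params, consumer_secret, token_secret, presented)
    expected = sign(method, uri, params, consumer_secret, token_secret)
    secure_equal?(expected, presented.to_s)
  end

  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The request from the slides: GET /photos?file=vacation.jpg&size=original with its oauth_* params.
PHOTO_URI = 'http://photos.example.net/photos'
PHOTO_PARAMS = {
  'file' => 'vacation.jpg', 'size' => 'original',
  'oauth_consumer_key' => 'dpf43f3p2l4k3l03',
  'oauth_token' => 'nnch734d00sl2jdk',
  'oauth_nonce' => 'kllo9940pd9333jh',
  'oauth_timestamp' => '1191242096',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_version' => '1.0'
}.freeze

def example_base_string
  OAuthSig.base_string('GET', PHOTO_URI, PHOTO_PARAMS)
end

# consumer secret and token secret are the ones paired with the keys on the signature slide
def example_signature
  OAuthSig.sign('GET', PHOTO_URI, PHOTO_PARAMS, 'kd94hf93k423kf44', 'pfkkdhi9sl3r4s00')
end
```

The signature covers the HTTP method, the base URI and every query and oauth_ parameter, so changing any of them (a different file name, a different token, a replayed nonce with a new timestamp) produces a different base string and the provider's recomputation fails; that, not secrecy of the token value, is what the provider relies on.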
Ignore the details




                     source: http://flic.kr/p/5NRADb
Libraries
Gems
sudo gem install oauth

github.com/mojodna/oauth
Plugins
Plugins
./script/plugin install git://github.com/pelle/oauth-plugin.git

github.com/pelle/oauth-plugin
OAuth on Rails
rails osconrails -m rails-base-template.text
cd osconrails
./script/plugin install git://github.com/pelle/oauth-plugin.git
Add the oauth-plugin
./script/generate oauth-plugin
exists app/models/
create app/views/oauth
create app/views/oauth_clients
create app/models/client_application.rb
create app/models/oauth_token.rb
create app/models/request_token.rb
create app/models/access_token.rb
create app/models/oauth_nonce.rb
create app/controllers/oauth_controller.rb
create app/helpers/oauth_helper.rb
create app/controllers/oauth_clients_controller.rb
create app/helpers/oauth_clients_helper.rb
create spec/models/client_application_spec.rb
create spec/models/oauth_token_spec.rb
create spec/models/oauth_nonce_spec.rb
create spec/fixtures/client_applications.yml
create spec/fixtures/oauth_tokens.yml
create spec/fixtures/oauth_nonces.yml
create spec/controllers/oauth_controller_spec_helper.rb
create spec/controllers/oauth_controller_spec.rb
create spec/controllers/oauth_clients_controller_spec.rb
create app/views/oauth_clients/_form.html.erb
create app/views/oauth_clients/new.html.erb
create app/views/oauth_clients/index.html.erb
create app/views/oauth_clients/show.html.erb
Update your routes
./config/routes.rb
map.resources :oauth_clients
map.authorize '/oauth/authorize',:controller=>'oauth',:action=>'authorize'
map.request_token '/oauth/request_token',:controller=>'oauth',:action=>'request_token'
map.access_token '/oauth/access_token',:controller=>'oauth',:action=>'access_token'
map.test_request '/oauth/test_request',:controller=>'oauth',:action=>'test_request'
Filters for access control
class ApiController < ApplicationController
  # every action except oauth_only_action accepts either a logged-in session
  # or a correctly signed OAuth request
  before_filter :login_or_oauth_required,
                :except => [:oauth_only_action]

  # oauth_only_action must be OAuth-signed; a browser session is not enough
  before_filter :oauth_required,
                :only => [:oauth_only_action]
end
That’s it!
Dessert
Careful: nonce & timestamp




                        source: http://flic.kr/p/QtskX
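One way to act on the nonce and timestamp warning, as an added example that is not from the deck or the oauth-plugin (which keeps such records in the oauth_nonce model it generates): a provider-side guard that rejects a request whose oauth_timestamp lies outside an acceptance window and any repeat of a (consumer key, nonce, timestamp) triple inside it. The window size, the in-memory store and the injected clock are this example's assumptions.

```ruby
# Added example (not from the slides or the oauth-plugin): replay protection for the
# oauth_nonce / oauth_timestamp pair on the provider side. Names are this example's own.
class NonceGuard
  # window: seconds of clock skew tolerated in either direction (assumed value)
  # clock:  injectable time source so the check is testable without sleeping
  def initialize(window: 300, clock: -> { Time.now.to_i })
    @window = window
    @clock = clock
    @seen = {}    # [consumer_key, nonce, timestamp] => true
  end

  # Returns :ok, :stale (too old or unparsable), :future (too far ahead) or :replay.
  # Callers should reject everything but :ok before they even verify the signature.
  def check(consumer_key, nonce, timestamp)
    ts = Integer(timestamp, exception: false)
    return :stale if ts.nil?
    now = @clock.call
    return :stale  if ts < now - @window
    return :future if ts > now + @window
    triple = [consumer_key, nonce.to_s, ts]
    return :replay if @seen.key?(triple)
    @seen[triple] = true
    prune(now)
    :ok
  end

  def remembered
    @seen.size
  end

  private

  # A nonce whose timestamp has fallen out of the window can never pass the
  # timestamp check again, so it no longer needs to be remembered.
  def prune(now)
    @seen.delete_if { |(_, _, ts), _| ts < now - @window }
  end
end
```

Because a stale timestamp is rejected outright, the store only has to remember nonces inside the window, which keeps it bounded. In production the store must be shared by every application server (a database table, as the plugin does) or the check is only as good as one process's memory, which is also why the deck's next slide asks for the nonce and token tables to live in their own database.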
Use separate DB’s




                    source: http://flic.kr/p/6xtHZp
Signing with keys
Without Login
Privacy Wall
Privacy and the Law
Expire Tokens
CSRF & XSS - Careful!
Don’t Log Everything




                       source: http://flic.kr/p/5VcQWT
Selective Logging




                    source: http://flic.kr/p/5Zkwex
dev.riseup.net/privacy/




                          source: http://dev.riseup.net/privacy/
Except Telephony




                   source: http://flic.kr/p/4DzMNu
Privacy is Freedom




                     source: http://flic.kr/p/5anoq
Creative Commons Photos
http://fireeagle.yahoo.net/developer/documentation/oauth_best_practice
http://www.flickr.com/photos/stevenh/360015104/
http://www.flickr.com/photos/cdevers/2785041073/
http://www.flickr.com/photos/myklroventine/3355106480/
http://www.flickr.com/photos/itsallaboutmich/498340461/
http://www.flickr.com/photos/charlesfred/100392094/
http://www.flickr.com/photos/purplemattfish/3126383038/
http://www.flickr.com/photos/exlibris/1579580258/
http://www.flickr.com/photos/57231735@N00/212544472/
http://www.flickr.com/photos/maniya/541287799/
http://www.flickr.com/photos/santos/1704875109/
http://www.flickr.com/photos/alphadesigner/354044811/
http://www.flickr.com/photos/roby72/553640207/
http://www.flickr.com/photos/smb_flickr/392254853/
http://www.flickr.com/photos/eatingchips/3345052094
http://www.flickr.com/photos/koluso/2808523989/
http://www.flickr.com/photos/lwr/60496147/
http://www.flickr.com/photos/razowsky/2630970947/
http://www.flickr.com/photos/crazyneighborlady/355232758/
http://www.flickr.com/photos/mwichary/2648035941/
http://www.flickr.com/photos/zanotti/304312092/

Implementing Privacy: OAuth and Token Madness

Editor's Notes

  1. Privacy. It's a tricky idea. Really it's about trying to protect the interests and information of our users, in the way they want.
  2. Or sometimes what we do is provide the perception of privacy. This is what a privacy policy is: nobody reads it, so what it really does is provide the perception that there is privacy.
  3. Many users don't want to appear in public at all, or they want to be able to delete their accounts and associated information. Perhaps they don't want everybody to know they're in the furries Flickr group.
  4. Some people value privacy over all else. They might wear a burka or use Tor.
  5. People use the internet for many things. Whatever application you're building could unwittingly become a space for free speech. What happens if the government asks for your database? What if it's legal in your country, but illegal in another?
  6. For example, it's illegal to insult or mock the Pope in Italy. If you can publish photos on your website, then the Italian government could demand to know the identity of the poster. If they posted this image from Italy they'd be committing a crime.
  7. Another example: in Argentina, the national hero is Diego Maradona, a soccer star. It's illegal to publish real or photoshopped porn with Maradona in it. Protected speech in one country is illegal speech in others.
  8. Here in the US, for example, there's a great tradition of free speech with some rather odd limitations. For example, you can't say "I want to shoot the president"....
  9. Unless you're talking about somebody else's president. No problem wanting to kill the Cuban or Iranian president.
  10. Show a picture of the mouse. The most common examples of free speech limits in the US are commercial limits.
  11. Beyond problems with corporations and governments, you've got the hacker problem. They really want to get at our users and systems. In all of our work we've got to think about what kinds of attacks we might face in production.
  12. Right now we use email as the primary way of logging in to systems. It's the core of the identity system online right now.
  13. The majority of people use a single email account for everything. The protection of this email is very important.
  14. When somebody has access to your email, they've got access to everything.
  15. With email accounts we can reclaim passwords for online banking systems. With this access we can eventually take money out of a user's bank accounts. A user's email account is the real key to PayPal and online banking.
  16. One of the reasons there are so many problems with spam and phishing sites is that hackers really want to get at users' email accounts.
  17. We use email for all of our internal documents, which used to be on a desktop. Now they are in the cloud, and email is guarding them.
  18. So with email being so important, so essential to a user's life online, to their bank accounts and internal company documents, WHY do we build things like this? We teach users to share their passwords!
  19. Fail. Really, we as web developers, as a community, are failing our users.
  20. But there is salvation, a way out. We don't have to persist with this nightmare.
  21. In reality, there are a ton of authorization systems which don't use email addresses and passwords.
  22. Each one does more or less the same thing in slightly different ways.
  23. What are these token things we talk about? They're little things we use to represent access, kind of like a subway token.
  24. Well, kind of like coins, but each token is unique.
  25. More like symbols, which can be used to represent something without being the thing.
  26. The trick with all the delegated token authorization systems is that they DON'T pass the password with each request. They use a token and a secret. The secret is used in the signature but not passed over the wire.
  27. It's more this kind of signature. Crypto: HMAC or RSA-SHA1.
  28. So what does this look like? Well, we use the token and the hash key secret.
  29. We use the combination of the token and the secret as the hash key to sign the token; well, not just the token, but the whole request.
  30. Then that signature is added as a param which can be passed in the requests.
  31. So you end up with something like this. The token and the signature are passed over the wire. The secret is kept on both ends to verify the signature.
  32. So this is delegated token authorization. There are 20 different types. Each one is sufficiently different that you have to build up the libraries from scratch. Each auth system needs a library in every language.
  33. There is now one delegated token auth system to rule them all, based on all the best practices of the past.
  34. The original idea of OAuth was that it would be super simple and clear: everybody could read the standard and understand it. It was nice and clear. Little by little in the standards process the standards people from IETF and W3C got involved. Now the spec is full of diagrams like this!
  35. All this is to say that OAuth is like a love triangle. That is, the relationship between the provider, end user, and consumer is a love triangle. Each party communicates with both of the other parties.
  36. Normally OAuth has three legs: the user, the provider, and the consumer. But it's possible to use OAuth to remove the user from the equation, creating 2-legged OAuth.
  37. In 2-legged OAuth there are the same libraries and token signing between the consumer and the provider. Yahoo, for example, uses this model to control access to web services which are accessed on an application's own behalf. There doesn't have to be a user. OAuth's standardized signing and anti-replay protections are useful for many APIs.
  38. Great, but what's it like for the user? Very simple. Here we're going to walk through a MovableType client application getting the user to authorize Fire Eagle to share the user's location.
  39. So when we click the connect link, we're taken to Fire Eagle, which asks us to log in.
  40. Then once we're logged in we get a confirmation page.
  41. The request is made with a provisional request token, which tells us, among other things, what application is being authorized. The user can then see the application they are going to authorize.
  42. It's possible at this stage for the provider to ask for preferences to constrain the permissions of the application. For example: can publish but not delete. This is very important because it's something you couldn't do if you handed over the user name and password to the client application. It'd be full control or nothing.
  43. And after preferences, the user can choose to approve or deny the authorization of the application to their protected resources.
  44. After a user hits confirm, they're redirected back to the consumer based on the assigned callback URL, and as far as the user is concerned the association is set up.
  45. For the user the whole process is 4 clicks. Behind these simple 4 clicks is a token dance between the consumer, provider, and end user.
  46. The application asks for a request token.
  47. The application asks for a request token (the application initiates the request token exchange).
  54. That was the token dance for web applications. There is a similar but slightly different process for desktop and out-of-band applications like browserless mobile phones and embedded systems like an Arduino.
  55. All of the OAuth params start with the oauth_* prefix.
  56. As we saw before, there are keys (tokens) and secrets. The consumer application or library itself has its own key and secret, in addition to a user's access token and secret. The key is passed with each request, and the consumer secret is used for signing every request.
  57. The tokens are just random strings which should be unique.
  58. Then we require that each request have a timestamp and nonce. The timestamp is an integer which needs to increment. The nonce is a unique number/string which can't be reused with the same timestamp. The combination of these and the signing prevents replay attacks.
  59. The last couple define the signing method; this could be public key, but usually it's HMAC-SHA1. Then the version of OAuth, which, despite the current standard being 1.0a, the standard says you should still give as 1.0. Then the actual signature of the request.
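As an added example (not code from the talk or from the OAuth gem), here is the signing described in notes 26 to 31 and the oauth_* parameters of notes 55 to 59 worked through in Ruby. The sample request and credentials are the ones in Appendix A of the OAuth Core 1.0 spec; the provider-side verifier is my own illustration of how a provider checks the signature.

```ruby
require 'openssl'
require 'base64'

# OAuth 1.0 request signing (HMAC-SHA1) and provider-side verification.
# Sample values are the OAuth Core 1.0 spec's Appendix A example, not
# credentials from any application described in the talk.
module OAuthSign
  # Percent-encoding as OAuth requires: only RFC 3986 unreserved chars pass.
  def self.escape(str)
    str.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
  end
  # Signature base string: METHOD & escaped URL & escaped normalized params.
  # Params are escaped individually, sorted and joined, then the whole
  # string is escaped again, which is why it contains %3D and %26.
  def self.base_string(method, url, params)
    normalized = params.map { |k, v| [escape(k), escape(v)] }
                       .sort.map { |k, v| "#{k}=#{v}" }.join('&')
    [method.upcase, escape(url), escape(normalized)].join('&')
  end
  # Consumer secret and token secret never go on the wire; together they
  # form the HMAC key, and only the resulting signature is sent.
  def self.sign(method, url, params, consumer_secret, token_secret)
    key = "#{escape(consumer_secret)}&#{escape(token_secret)}"
    mac = OpenSSL::HMAC.digest('sha1', key, base_string(method, url, params))
    Base64.strict_encode64(mac)
  end
  # Provider side: recompute over the received params (minus the signature
  # itself) and compare without leaking timing information.
  def self.valid?(method, url, params, consumer_secret, token_secret)
    sent = params['oauth_signature']
    return false if sent.nil?
    unsigned = params.reject { |k, _| k == 'oauth_signature' }
    secure_equal?(sent, sign(method, url, unsigned, consumer_secret, token_secret))
  end
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  # Spec example: GET http://photos.example.net/photos?file=vacation.jpg&size=original
  SPEC_URL = 'http://photos.example.net/photos'
  SPEC_PARAMS = {
    'oauth_consumer_key' => 'dpf43f3p2l4k3l03', 'oauth_token' => 'nnch734d00sl2jdk',
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1191242096',
    'oauth_nonce' => 'kllo9940pd9333jh', 'oauth_version' => '1.0',
    'file' => 'vacation.jpg', 'size' => 'original'
  }.freeze
end
```

With the spec's consumer secret kd94hf93k423kf44 and token secret pfkkdhi9sl3r4s00, `OAuthSign.sign('GET', OAuthSign::SPEC_URL, OAuthSign::SPEC_PARAMS, ...)` yields the signature shown earlier in the slides, and changing any signed parameter, the HTTP method or either secret makes `valid?` return false.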
  60. OAuth signing and authorization can go over
  61. There are many ways to make an OAuth request.
  64. You can also put all the params in the HTTP POST.
  65. Because we have libraries to handle all the details in every language. The first implementation of OAuth was in Ruby for Rails applications. Now every platform has support for OAuth.
  67. In our case, we have a very good gem for OAuth.
  68. So you simply add the plugin to your Rails app.
  69. It adds a ton of files to your system to handle the whole OAuth process. You're going to want to customize the templates.
  70. Add the routes to make all the OAuth requests make sense. These URLs are set; there is a discovery process by which you can use alternate OAuth URLs, but it's best, if you can, to just keep them standard.
  71. The last thing you need to do is add before filters requiring authorization for the actions and resources you need to protect.
  72. In terms of OAuth, that's it. It's simple to create a basic provider and consumer.
  73. So that's enough to get to using OAuth in your APIs. Getting to OAuth is important, but it's not the end of building systems which respect privacy.
  74. Remember how I was talking about the nonce and timestamp? Well, "nonce" in British slang is a pedophile, but it's got another meaning: it's a one-time number. The OAuth spec says you have to provide a nonce and timestamp, but it doesn't require that you check them.
  75. What you want to do is make sure that the timestamp is always the same or higher by some amount, and that the nonce for that timestamp & consumer hasn't been used before. You don't have to store all past nonces.
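An added example (not from the talk) of the provider-side check just described, in Ruby: nonces are remembered per consumer only within an acceptance window, so the store stays bounded. The 300 second window, the ReplayGuard name and the result symbols are my assumptions.

```ruby
# Provider-side timestamp and nonce check for OAuth requests (illustrative).
# Run it only after the request signature has been verified, so that an
# attacker cannot burn a legitimate consumer's nonces with forged requests.
class ReplayGuard
  def initialize(window: 300)
    @window = window                       # seconds of skew tolerated
    @seen = Hash.new { |h, k| h[k] = {} }  # consumer_key => { [ts, nonce] => true }
  end

  # Returns :ok, :stale_timestamp or :replayed_nonce for one request.
  def check(consumer_key, timestamp, nonce, now: Time.now.to_i)
    ts = Integer(timestamp, exception: false)
    # Timestamp must not fall behind the server clock by more than the window
    # (non-numeric values are treated the same way).
    return :stale_timestamp if ts.nil? || ts < now - @window
    prune(consumer_key, now)
    key = [ts, nonce]
    # Same nonce with the same timestamp from the same consumer: a replay.
    return :replayed_nonce if @seen[consumer_key].key?(key)
    @seen[consumer_key][key] = true
    :ok
  end

  def accept?(consumer_key, timestamp, nonce, now: Time.now.to_i)
    check(consumer_key, timestamp, nonce, now: now) == :ok
  end

  # How many nonces are currently held for a consumer (bounded by the window).
  def stored(consumer_key)
    @seen[consumer_key].size
  end

  private

  # Forget nonces whose timestamp left the window; a replay carrying such an
  # old timestamp is rejected by the timestamp check instead, so nothing is lost.
  def prune(consumer_key, now)
    @seen[consumer_key].delete_if { |(ts, _), _| ts < now - @window }
  end
end
```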
  76. Don't even store your auth credentials in the same database as you're using for the rest of your application. Use Rails Metal, or a proxy, to authorize the requests, then pass them through to your APIs. This is similar to what Google and Yahoo do, where the authentication and authorization systems are divided off from the production application itself.
  77. While it's recommended to use HMAC-SHA1, it's possible to use other forms of signing. Google, for example, uses RSA public/private keys for its OAuth. If a provider passes everything over SSL it's possible to use the unsigned PLAINTEXT signature method. :)
  78. Sometimes you need the data for a single use. Don't do a login at all; just store the keys in the cookie, and once the user leaves the tokens disappear.
  79. One thing you can do is use the authorization and tokens to make a wall between your user profiles and their associated data. That way you can only get the foreign key when a user or authorized application is actively using the service. Wesabe and Fire Eagle both use this style of system.