Comments

The capabilities of today’s browsers are not sufficient for meeting the security needs of web applications requiring authentication and payments. One of the two primary deficiencies is that content from one site cannot be adequately sandbox when executed on a relying web site. Yet embedding such third party micro-apps has become commonplace. The second deficiency is the reliance on passwords, as is so eloquently described by this post from Eevee.

Take making a PayPal transaction at a merchant web site as an example of the first deficiency. To make this work the merchant web site must redirect the user to PayPal’s web site where he or she then authenticates and authorizes the payment. The user is taken out of context, away from the merchant’s web site, with the possibility of being subject to phishing. This is done because any PayPal code running within the context of the merchant’s site would not be secure: PayPal and the merchant cannot isolate each other’s code.

Read on →
Comments

My personal blog began life on Blogger and was switched to Posterous in late 2010. The switch to Posterous was driven by an interest in easier media publishing, but I haven’t found Posterous to have lived up to my hopes. In particular I’ve found performance of their site to be a bit lacking, and have been disappointed that basic editing features have not evolved.

Being adventurous, and now having to support multiple web sites, I thought I’d experiment with Jekyll and Octopress and see what their limits are. I know this is not going to provide an improved editing experience, but this will address performance issues and provide a place for me to experiment.

Read on →
Comments

Facebook put out an infograph revealing that 600,000 identities are compromised per day. That’s a lot of identities. Continuing from a previous post of mine, you could perhaps conclude that Facebook Connect is suitable for casual identity, but not for strong identity.

It’s not that Facebook isn’t trying to protect identities.The infograph reveals an impressive array of risk management tools. Facebook certainly look like they are setting themselves up to be a strong identity provider.

I suggest that the casual value of Facebook to most people is what gets in the way of Facebook acting as a strong identity source. People chose weaker passwords and are less inclined to be serious about account recovery steps then they would be with a bank, PayPal or even email account. A second issue is that users are more susceptible to phishing and spam issues by virtue of Facebook being a popular target with a large attack surface. Not to mention that users may be a little wary of Facebook’s track record of leaky privacy and therefore less willing to give up vital data needed to protect their identity (e.g. cell phone numbers and security questions).

For a further examination of the issue of Facebook identity compromises please read this Sophos article.

Comments

It would seem that PayPal is now an identity provider. I’m not surprised, and in fact I think it’s a good move. I said as much in a post nine months ago.

Think of it: if you want a strong identity, you want one that is backed by financial information. That makes banks great natural identity providers. But financial institutions don’t seem to be interested in this space, and/or regulatory issues are in the way.

Read on →
Comments

There is absolutely no better way to get around an urban core then by bicycle. Walking limits your range and is tiring, while cars can get you caught in grid lock and are a hassle and expensive to park. Being on a bike, however is massively liberating as you sit comfortably upright, weave around traffic, cruise by blocks and blocks of great sites, and noodle into places not accessible by car. The problem is that taking a bike with you when travelling to a city is largely impractical. An added problem is locking the bike up.

Enter Bixi. Bixi is a system running in Montreal, Toronto and Ottawa that allows you to pay just $5 a day for unlimited access to a bike. That’s a bargain, but the system is more interesting then this. With Bixi you take a bike out from any number of conveniently located lockup stations, usually about three blocks apart from each other, then park it at the same or any another station. You are required to check your bike in every 30 minutes else you ring up penalty charges: this is presumably to encourage you to use the bike for point to point travel and to make sure the stock of bikes at stations doesn’t drain low.

Read on →
Comments

GPUs have brought brute force breaking of any 7 character random alphanumeric password down to a maximum of 17.5 minutes, as compared to 4 days with a CPU. For 8 characters it takes 18.5 hours with a CPU, or 1 year with a CPU. This is what Vijay Devakumar found when he used a GPU card and the free password hash cracker called ighashgpu to crack the NTLM password hash, which is used when logging in to Windows.

Read on →
Comments

The last few weeks I’ve had disk corruption issues on my two year old Macbook Pro’s original internal hard drive. The machine and drive still worked, but I needed to bring the machine into the Genius Bar to get a hard disk replacement.

In preparation I dutifully backed up my machine via Time Machine to an attached Firewire drive at least every day. I dutifully backed up my source code to a remote server with git. I added a third layer of backup to my local NAS device using Chronosync.

Time Machine and git failed me. Chronosync saved me. If not for Chronosync I would have lost a full week’s worth of very intense coding, affecting dozens and dozens of files. I did still loose the revision history for these changes.

Read on →
Comments

Peter Bright posted a terrific piece over at Ars Technica describing the fraudulent issuance of nine high value SSL certificates by Comodo. This included such top level domain certificates as www.google.com, login.yahoo.com and login.skype.com and addons.mozilla.org. Other equally good reads are the Tor site detection of the problem and Comodo’s explanation. I’m sure Comodo’s CEO, Melih Abdulhayoglu, is having fun this week.

The case reveals the instrinsic problems with PKI that we’ve all been aware of for a long time.

I am a bit surprised by a couple of things, though suprised is perhaps too strong a word. Read on →

There is an interesting post by Om Malik over at GigaOm suggesting how Google can get it mojo back from Facebook.

Taking a slight spin on this, I make the observation that a large part of Facebook’s value is your identity and your associations and Facebook’s willingness to leverage this information elsewhere on the web (Facebook Connect). Facebook Connect is becoming the most common way to login to other sites. The reputation of your identity is increased by your associations: it requires a consipricy to create a fake Facebook account and have N friends, the presence of which increases your identity’s reputation.

Read on →