Security happenings
October 31st, 2008
I saw Ben Laurie’s post on J-PAKE, and I’m intrigued now that I’ve looked into it. I’m not a cryptographer, so I would be interested to hear a comparison of J-PAKE against SRP. The goals look similar, and I’m not attached to any particular solution.
Unfortunately, I read Ben’s post at the Denver airport. They use a proxy that inserts ads into the page:
I wonder if HTTP traffic in the clear with some sort of signature or MAC could ever work. I tend to think it would be hopelessly mangled by intermediaries, and lead to a new species of Whatever Button.
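To make the point concrete, here is an added example (mine, not from the original post or from any project it mentions) of what a MAC over a cleartext HTTP body would and would not buy you. The origin signs the body with HMAC-SHA256 under a constructed shared key and ships the tag in a made-up `X-Body-HMAC` header; three simulated intermediaries then handle the response. The ad-inserting proxy is caught, but so is a "helpful" whitespace-collapsing proxy and one that drops headers it does not recognise, which is exactly the mangling problem: the client cannot tell tampering from ordinary intermediary behaviour, it can only fail closed on both.

```python
import hmac
import hashlib
import re

# Constructed shared secret (hypothetical): in practice the client would
# have to obtain this from the origin over some trusted channel.
SHARED_KEY = b"constructed-demo-key-not-from-the-page"

# Constructed origin response: a minimal HTML page.
ORIGINAL_BODY = b"<html><body>\n<h1>Hello</h1>\n</body></html>\n"


def sign_response(body: bytes) -> dict:
    """Origin side: emit headers carrying an HMAC-SHA256 over the exact body bytes."""
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return {
        "Content-Type": "text/html",
        "Content-Length": str(len(body)),
        "X-Body-HMAC": tag,  # hypothetical header name, not a standard one
    }


def verify_response(headers: dict, body: bytes) -> bool:
    """Client side: recompute the MAC over what arrived and compare in constant time."""
    claimed = headers.get("X-Body-HMAC")
    if claimed is None:
        return False  # a proxy that strips unknown headers makes us fail closed
    actual = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(claimed, actual)


def ad_inserting_proxy(headers: dict, body: bytes):
    """Simulated intermediary that injects markup before </body> (the airport case)."""
    new_body = body.replace(b"</body>", b'<div class="ad">sponsored</div></body>')
    return dict(headers, **{"Content-Length": str(len(new_body))}), new_body


def whitespace_normalizing_proxy(headers: dict, body: bytes):
    """Simulated 'optimising' intermediary: collapses whitespace, changing bytes but not meaning."""
    new_body = re.sub(rb"\s+", b" ", body).strip()
    return dict(headers, **{"Content-Length": str(len(new_body))}), new_body


def header_stripping_proxy(headers: dict, body: bytes):
    """Simulated intermediary that forwards only headers it recognises."""
    kept = {k: v for k, v in headers.items() if k in ("Content-Type", "Content-Length")}
    return kept, body


def run_scenarios() -> dict:
    """Send the signed response down each path and report whether the client accepts it."""
    headers = sign_response(ORIGINAL_BODY)
    results = {"direct": verify_response(headers, ORIGINAL_BODY)}
    for name, proxy in [
        ("ad_insertion", ad_inserting_proxy),
        ("whitespace_normalizer", whitespace_normalizing_proxy),
        ("header_stripper", header_stripping_proxy),
    ]:
        h, b = proxy(headers, ORIGINAL_BODY)
        results[name] = verify_response(h, b)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} {'accepted' if ok else 'REJECTED'}")
```

Only the direct path verifies; every intermediary, hostile or not, produces a rejection. That is the detection win (the injected ad does not go unnoticed) and the deployment problem (any byte-altering proxy in the path, including a benign one, breaks the page) in one run.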
Eran Hammer-Lahav left a comment chiding me for my undoubtedly unoriginal point that OAuth seems to encourage phishing. I’m a little disturbed by the thinking behind the objection. Sometimes, proposals have flaws that make them unworkable, and it seems to me that OAuth might have just such a flaw with regard to phishing, at least as it is presented today. Preventing legitimate sites from needing write access to user data on other sites is a noble goal, but it might not matter much if there’s no way for the user to tell that’s what’s going on.

November 3rd, 2008 at 6:58 am
We can’t even get HTTP Pipelining enabled over SSL due to broken reverse proxies. Short of writing a new HTTP, I have a hard time seeing any innovation happening there. Maybe that Waka stuff isn’t so crazy after all…