Hey Harry,

The BasicSecurityToken class is actually production ready; the "basic" implies that you could replace it with your own implementation if you wanted to, but it's not required to do so to get a secure situation.

That is, as long as you disable 'allow_plaintext_token' and set the 'token_cipher_key' and 'token_hmac_key' to hard-to-guess random strings (make sure to update these in both partuza's and shindig's configs). As long as the keys are hard to guess (randomly generated strings work better there than dictionary words, for instance), a 'hacker' would have a very, very hard time guessing the correct cipher and hmac keys, especially since a brute force method would have to check every possible key combination against the social end point of the social site, which after a few million requests with invalid security tokens is bound to get noticed :) Also, having to test every possible key over the internet severely limits the amount of keys/second (s)he could test.

About the potential impact: yeah, *if* a token was guessable, a remote party could access the social data on the social networking site pretending to be a real user, either through a gadget, or more likely through the REST interface. But again, the chances of this happening are very unlikely, as long as you disable the plain text token and set proper cipher and hmac keys.

-- Chris

On Wed, Jan 21, 2009 at 11:12 AM, <[email protected]> wrote:
> Hi,
>
> I have a question about securitytokens.
> Using the class BasicSecurityToken to generate tokens is only thought to be used for testing purposes.
> Digging through the partuza code, I have seen the usage of this in Partuza too.
> I am wondering how a site can be vulnerable, if the generated token is not secure?
>
> My assumption:
> Any hacker makes a request to a container he wants to affect. For this he writes a gadget to read all the opensocial data via opensocial api calls.
> To get access to the gadget container he generates the same token the container site would create. So he is able to read all the opensocial data of the container.
>
> Is this right?
>
> Thanks
> Harry

