Hi Chris,
thanks for your answer.
I have searched the config entries. They are only available in the container.php file. I am working with the Java version. Is there some similar mechanism?
Thanks
Harry
On 21.01.2009 at 15:05, Chris Chabot wrote:
Hey Harry,
The BasicSecurityToken class is actually production ready; the "basic" implies that you could replace it with your own implementation if you wanted to, but it's not required to do so to get a secure situation.

That is, as long as you disable 'allow_plaintext_token' and set the 'token_cipher_key' and 'token_hmac_key' to hard-to-guess random strings (make sure to update these in both Partuza's and Shindig's configs).

As long as the keys are hard to guess (randomly generated strings work better there than dictionary words, for instance), a 'hacker' would have a very, very hard time guessing the correct cipher and HMAC keys, especially since a brute-force method would have to check every possible key combination against the social endpoint of the social site, which after a few million requests with invalid security tokens is bound to get noticed :) Also, having to test every possible key over the internet severely limits the number of keys/second (s)he could test.

About the potential impact: yeah, *if* a token was guessable, a remote party could access the social data on the social networking site pretending to be a real user, either through a gadget or, more likely, through the REST interface. But again, the chances of this happening are very slim, as long as you disable the plain-text token and set proper cipher and HMAC keys.
-- Chris
On Wed, Jan 21, 2009 at 11:12 AM, <[email protected]> wrote:
Hi,
I have a question about security tokens.

Using the class BasicSecurityToken to generate tokens is only intended for testing purposes. Digging through the Partuza code, I have seen the usage of this in Partuza too.

I am wondering how a site can be vulnerable if the generated token is not secure?

My assumption: any hacker makes a request to a container he wants to affect. For this he writes a gadget to read all the OpenSocial data via OpenSocial API calls. To get access to the gadget container he generates the same token the container site would create. So he is able to read all the OpenSocial data of the container.

Is this right?
Thanks
Harry
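To make the point of the thread concrete, below is an added example (not code from Shindig or Partuza; the token wire format, field names and helper names are made up for illustration) of what the two settings Chris mentions buy you: a token that carries an HMAC computed with a secret random server key cannot be produced or altered by someone who does not hold the key, whereas a plain-text token can be typed by anyone, so `allow_plaintext_token` must be off. The example covers the HMAC (integrity) half of the scheme only; the real implementation additionally encrypts the token with the cipher key, which hides the owner/viewer IDs but is not what stops forgery.

```python
"""Toy security-token scheme modelled on the advice in the thread.

Added example, not Shindig's or Partuza's code.  The "s:<body>:<tag>"
and "p:<owner>:<viewer>:<app>" formats are invented for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenError(ValueError):
    """Raised for any token the endpoint must refuse."""


def generate_hmac_key(nbytes: int = 32) -> bytes:
    # A random key, not a dictionary word: a guess has to hit all 256 bits.
    return secrets.token_bytes(nbytes)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_signed_token(owner, viewer, app_id, hmac_key, ttl=3600, now=None):
    """Server side: serialise the fields and append an HMAC over them."""
    if len(hmac_key) < 16:
        raise TokenError("hmac key too short; use a long random key")
    now = int(time.time()) if now is None else now
    fields = {"o": owner, "v": viewer, "a": app_id, "exp": now + ttl}
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return "s:" + _b64(payload) + ":" + _b64(_mac(hmac_key, payload))


def make_plaintext_token(owner, viewer, app_id):
    """What an attacker can build with no secret at all."""
    return "p:%s:%s:%s" % (owner, viewer, app_id)


def decode_token(token, hmac_key, allow_plaintext=False, now=None):
    """Endpoint side: accept a token only if its MAC verifies and it is
    not expired; plain-text tokens only when explicitly allowed."""
    now = int(time.time()) if now is None else now
    kind, _, rest = token.partition(":")
    if kind == "p":
        if not allow_plaintext:
            raise TokenError("plaintext tokens disabled")
        owner, viewer, app_id = rest.split(":")
        return {"o": owner, "v": viewer, "a": app_id}
    if kind != "s":
        raise TokenError("unknown token type")
    try:
        body, tag = rest.split(":")
        payload, got = _unb64(body), _unb64(tag)
    except Exception as exc:
        raise TokenError("malformed token") from exc
    # Constant-time compare so the MAC check itself leaks nothing.
    if not hmac.compare_digest(_mac(hmac_key, payload), got):
        raise TokenError("bad MAC: forged, tampered, or wrong key")
    fields = json.loads(payload)
    if fields["exp"] < now:
        raise TokenError("token expired")
    return fields


def forgery_demo(allow_plaintext):
    """Attacker without the key presents a hand-made token for 'victim'."""
    server_key = generate_hmac_key()
    forged = make_plaintext_token("victim", "victim", "evil-gadget")
    try:
        decode_token(forged, server_key, allow_plaintext=allow_plaintext)
        return "accepted"
    except TokenError:
        return "rejected"


def tamper_demo():
    """Attacker edits the owner field of a valid token but keeps its tag."""
    server_key = generate_hmac_key()
    tok = make_signed_token("alice", "alice", "app1", server_key, now=1000)
    _kind, body, tag = tok.split(":")
    fields = json.loads(_unb64(body))
    fields["o"] = "victim"
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    try:
        decode_token("s:" + _b64(payload) + ":" + tag, server_key, now=1000)
        return "accepted"
    except TokenError:
        return "rejected"
```

With plaintext tokens allowed, forgery_demo(True) returns "accepted", which is exactly Harry's scenario; with them disabled it returns "rejected", and tamper_demo() shows that even a copied valid token cannot be re-pointed at another user without the key. The same key must of course be configured on every component that mints or checks tokens, which is the "both Partuza's and Shindig's configs" remark in Chris's reply.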