Soni L.
https://cybre.space/@SoniEx2
•
Jan 23
@aaronpk idea:
... don't use oauth?
WeChat ID
aaronpk_tv
-
... now you've got 2^128 problems -
alianora
https://cybre.space/@nightpool
•
Jan 23
@aaronpk I agree, but there's a whole section on "HTTPS requests can be intercepted from mobile apps" that most developers will just ignore because they believe they Figured It Out
ah yeah fair point. i'll mention that when i do the video version of this :-) -
alianora
https://cybre.space/@nightpool
•
Jan 23
@aaronpk also, your blog post doesn't immediately address the pinning case—lots of mobile apps pin their certificates now (which, again, is only as secure as far as the computing platform is .....)
that solves a completely different problem (and creates new problems), but isn't related to the challenge of how to avoid embedding secrets -
you'd be surprised how much of web security is not immediately obvious to people
-
@aaronpk Heh. As we used to say at the MMORPG company I used to work at: if it's on the client, assume it's compromised.
-
If you've ever needed a link to send someone to explain why OAuth secrets aren't safe in mobile apps, I made you a thing: https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps
-
Fred Emmott
https://twitter.com/fredemmott
•
Jan 14
Does anyone have an approachable article for "don't trust the client"? Best I've found is the OAuth threat model RFC (RFC 6819), but it's a bit too long to ask others to read for a quick overview :) (not work related)
I just wrote this up since I couldn't find a good answer online! https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps
Hope it helps! -
San Francisco, California • Tue, January 22, 2019 3:42pm
-
at Okta SF4San Francisco, California • Tue, January 22, 2019 3:11pmFirst time visiting the new office
-
San Francisco, California • Tue, January 22, 2019 2:00pm
-
Vincent Pickering
https://twitter.com/vincentlistens
•
Jan 22
Or Is it just that it only holds on to a fixed number of mentions?
Even though my site uses webmention.io as its endpoint, I use the web hooks to push all the responses to my site where it stores its own copy of them. -
Vincent Pickering
https://twitter.com/vincentlistens
•
Jan 22
Or Is it just that it only holds on to a fixed number of mentions?
Neither. The dashboard only shows the latest few, but that's just me being lazy and not giving you a UI to page through older ones. It stores them all forever, and I have no plans to delete old ones there.
But you're right that you should copy that data to your own site somehow! -
at zpizzaSan Francisco, California • Tue, January 22, 2019 1:00pm
-
Taxi
27.64miDistance31:35DurationStartEnd
-
Redwood City, California • Tue, January 22, 2019 8:40am
-
Taxi
28.01miDistance75:36DurationStartEnd
-
San Francisco, California • Tue, January 22, 2019 7:02am
-
AsleepAwake8h 50mSlept57mAwake for
-
-
Upgrading my Monthly Summary Pages
Inspired by cleverdevil's monthly summary pages, I started working on my own version of them on my website!continue reading...
