Aaron Parecki

Darius Kazemi https://friend.camp/@darius • Jan 23
Tomorrow I go to San Francisco for a few days. Then home for a week. Then back to San Francisco for a week

Come to home brew website club tomorrow night! I will hopefully be there too! http://tantek.com/2019/023/e1/homebrew-website-club-sf

San Francisco, California • 57°F

1 like 1 reply

Tue, Jan 22, 2019 6:19pm -08:00
at California Pizza Kitchen

San Francisco, California • Tue, January 22, 2019 6:00pm

37.786859 -122.402565

San Francisco, CA, United States • 58°F

7 Coins

Tue, Jan 22, 2019 6:00pm -08:00
at Novela

San Francisco, California • Tue, January 22, 2019 5:12pm

37.786927 -122.401246

San Francisco, CA, United States • 60°F

8 Coins

Tue, Jan 22, 2019 5:12pm -08:00
Soni L. https://cybre.space/@SoniEx2 • Jan 23
@aaronpk idea:
... don't use oauth?

... now you've got 2^128 problems

San Francisco, California • 60°F

Tue, Jan 22, 2019 4:45pm -08:00
alianora https://cybre.space/@nightpool • Jan 23
@aaronpk I agree, but there's a whole section on "HTTPS requests can be intercepted from mobile apps" that most developers will just ignore because they believe they Figured It Out

ah yeah fair point. i'll mention that when i do the video version of this :-)

San Francisco, California • 59°F

Tue, Jan 22, 2019 4:41pm -08:00
alianora https://cybre.space/@nightpool • Jan 23
@aaronpk also, your blog post doesn't immediately address the pinning case—lots of mobile apps pin their certificates now (which, again, is only as secure as far as the computing platform is .....)

that solves a completely different problem (and creates new problems), but isn't related to the challenge of how to avoid embedding secrets

San Francisco, California • 59°F

1 reply

Tue, Jan 22, 2019 4:38pm -08:00
alianora https://cybre.space/@nightpool • Jan 23
@aaronpk ....... who would ever assume this

you'd be surprised how much of web security is not immediately obvious to people

San Francisco, California • 59°F

1 reply

Tue, Jan 22, 2019 4:33pm -08:00
Darius Kazemi https://friend.camp/@darius

@aaronpk Heh. As we used to say at the MMORPG company I used to work at: if it's on the client, assume it's compromised.

San Francisco, California • 59°F

Wed, Jan 23, 2019 12:24am +00:00 (liked on Tue, Jan 22, 2019 4:25pm -08:00)
If you've ever needed a link to send someone to explain why OAuth secrets aren't safe in mobile apps, I made you a thing: https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps

San Francisco, California, USA • 59°F

13 likes 10 reposts 3 replies

Tue, Jan 22, 2019 4:09pm -08:00 #oauth #oauth2 #api #security
Fred Emmott https://twitter.com/fredemmott • Jan 14
Does anyone have an approachable article for "don't trust the client"? Best I've found is the OAuth threat model RFC (RFC 6819), but it's a bit too long to ask others to read for a quick overview :) (not work related)

I just wrote this up since I couldn't find a good answer online! https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps

Hope it helps!

San Francisco, California, USA • 69°F

1 like 1 repost

Tue, Jan 22, 2019 3:47pm -08:00
at La Capra Coffee

San Francisco, California • Tue, January 22, 2019 3:42pm

37.790688 -122.397467

San Francisco, CA, United States • 69°F

7 Coins

Tue, Jan 22, 2019 3:42pm -08:00
at Okta SF4

San Francisco, California • Tue, January 22, 2019 3:11pm

37.789283 -122.397535

First time visiting the new office

San Francisco, CA, United States • 69°F

1 like 42 Coins

Tue, Jan 22, 2019 3:11pm -08:00
at ThoughtWorks Inc

San Francisco, California • Tue, January 22, 2019 2:00pm

37.784498 -122.404887

San Francisco, CA, United States • 61°F

5 Coins

Tue, Jan 22, 2019 2:00pm -08:00
Vincent Pickering https://twitter.com/vincentlistens • Jan 22
Or Is it just that it only holds on to a fixed number of mentions?

Even though my site uses webmention.io as its endpoint, I use the web hooks to push all the responses to my site where it stores its own copy of them.

San Francisco, California, USA • 59°F

1 like

Tue, Jan 22, 2019 1:32pm -08:00
Vincent Pickering https://twitter.com/vincentlistens • Jan 22
Or Is it just that it only holds on to a fixed number of mentions?

Neither. The dashboard only shows the latest few, but that's just me being lazy and not giving you a UI to page through older ones. It stores them all forever, and I have no plans to delete old ones there.

But you're right that you should copy that data to your own site somehow!

San Francisco, California, USA • 59°F

1 like

Tue, Jan 22, 2019 1:31pm -08:00
at zpizza

San Francisco, California • Tue, January 22, 2019 1:00pm

37.783204 -122.406138

San Francisco, CA, United States • 59°F

21 Coins

Tue, Jan 22, 2019 1:00pm -08:00
Taxi

27.64mi
Distance

31:35
Duration

12:24pm
Start

12:55pm
End

San Francisco, California • 59°F

Tue, Jan 22, 2019 12:55pm -08:00
at Guardant Health

Redwood City, California • Tue, January 22, 2019 8:40am

37.500542 -122.21802

Redwood City, CA, United States

1 Coin

Tue, Jan 22, 2019 8:40am -08:00
Taxi

28.01mi
Distance

75:36
Duration

7:23am
Start

8:39am
End

Redwood City, California • 44°F

Tue, Jan 22, 2019 8:39am -08:00
at Equator Coffees & Teas

San Francisco, California • Tue, January 22, 2019 7:02am

37.782598 -122.410218

San Francisco, CA, United States • 50°F

9 Coins

Tue, Jan 22, 2019 7:02am -08:00

older