WeChat ID
aaronpk_tv
-
San Francisco, California • Wed, January 23, 2019 7:32am -
Walk
1.25miDistance22:16DurationStartEnd
-
-
Walk
0.26miDistance4:27DurationStartEnd
-
AsleepAwake8h 57mSlept59mAwake for
-
I Tried to Block Amazon From My Life. It Was Impossible. (gizmodo.com)"Its global empire also includes Amazon Web Services (AWS), the vast server network that provides the backbone for much of the internet, as well as Twitch.tv, the broadcasting behemoth that is the backbone of the online gaming industry, and Whole Foods, the organic backbone of the yuppie diet. "
-
San Francisco, California • Tue, January 22, 2019 6:55pmCalling it a night
-
Veggie Pizza
-
@aaronpk Oh awesome, I will almost certainly be there.
I would, uh, RSVP except.... um maybe my goal for the event will be to figure out how to RSVP to events
-
Darius Kazemi
https://friend.camp/@darius
•
Jan 23
Tomorrow I go to San Francisco for a few days. Then home for a week. Then back to San Francisco for a week
Come to home brew website club tomorrow night! I will hopefully be there too! http://tantek.com/2019/023/e1/homebrew-website-club-sf -
San Francisco, California • Tue, January 22, 2019 6:00pm
-
at NovelaSan Francisco, California • Tue, January 22, 2019 5:12pm
-
... now you've got 2^128 problems
-
alianora
https://cybre.space/@nightpool
•
Jan 23
@aaronpk I agree, but there's a whole section on "HTTPS requests can be intercepted from mobile apps" that most developers will just ignore because they believe they Figured It Out
ah yeah fair point. i'll mention that when i do the video version of this :-) -
alianora
https://cybre.space/@nightpool
•
Jan 23
@aaronpk also, your blog post doesn't immediately address the pinning case—lots of mobile apps pin their certificates now (which, again, is only as secure as far as the computing platform is .....)
that solves a completely different problem (and creates new problems), but isn't related to the challenge of how to avoid embedding secrets -
you'd be surprised how much of web security is not immediately obvious to people
-
@aaronpk Heh. As we used to say at the MMORPG company I used to work at: if it's on the client, assume it's compromised.
-
If you've ever needed a link to send someone to explain why OAuth secrets aren't safe in mobile apps, I made you a thing: https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps
-
Fred Emmott
https://twitter.com/fredemmott
•
Jan 14
Does anyone have an approachable article for "don't trust the client"? Best I've found is the OAuth threat model RFC (RFC 6819), but it's a bit too long to ask others to read for a quick overview :) (not work related)
I just wrote this up since I couldn't find a good answer online! https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps
Hope it helps!
