  • Darius Kazemi https://friend.camp/@darius   •   Jan 23

    Tomorrow I go to San Francisco for a few days. Then home for a week. Then back to San Francisco for a week

    Aaron Parecki
    Come to home brew website club tomorrow night! I will hopefully be there too! http://tantek.com/2019/023/e1/homebrew-website-club-sf
    San Francisco, California • 57°F
    1 like 1 reply
    Tue, Jan 22, 2019 6:19pm -08:00
  • Soni L. https://cybre.space/@SoniEx2   •   Jan 23

    @aaronpk idea:

    ... don't use oauth?

    Aaron Parecki
    ... now you've got 2^128 problems
    San Francisco, California • 60°F
    Tue, Jan 22, 2019 4:45pm -08:00
  • alianora https://cybre.space/@nightpool   •   Jan 23

    @aaronpk I agree, but there's a whole section on "HTTPS requests can be intercepted from mobile apps" that most developers will just ignore because they believe they Figured It Out

    Aaron Parecki
    ah yeah fair point. i'll mention that when i do the video version of this :-)
    San Francisco, California • 59°F
    Tue, Jan 22, 2019 4:41pm -08:00
  • alianora https://cybre.space/@nightpool   •   Jan 23

    @aaronpk also, your blog post doesn't immediately address the pinning case—lots of mobile apps pin their certificates now (which, again, is only as secure as far as the computing platform is .....)

    Aaron Parecki
    that solves a completely different problem (and creates new problems), but isn't related to the challenge of how to avoid embedding secrets
    San Francisco, California • 59°F
    1 reply
    Tue, Jan 22, 2019 4:38pm -08:00
  • alianora https://cybre.space/@nightpool   •   Jan 23

    @aaronpk ....... who would ever assume this

    Aaron Parecki
    you'd be surprised how much of web security is not immediately obvious to people
    San Francisco, California • 59°F
    1 reply
    Tue, Jan 22, 2019 4:33pm -08:00
  • Fred Emmott https://twitter.com/fredemmott   •   Jan 14
    Does anyone have an approachable article for "don't trust the client"? Best I've found is the OAuth threat model RFC (RFC 6819), but it's a bit too long to ask others to read for a quick overview :) (not work related)
    Aaron Parecki
    I just wrote this up since I couldn't find a good answer online! https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps

    Hope it helps!
    San Francisco, California, USA • 69°F
    1 like 1 repost
    Tue, Jan 22, 2019 3:47pm -08:00
  • Vincent Pickering https://twitter.com/vincentlistens   •   Jan 22
    Or Is it just that it only holds on to a fixed number of mentions?
    Aaron Parecki
    Even though my site uses webmention.io as its endpoint, I use the web hooks to push all the responses to my site where it stores its own copy of them.
    San Francisco, California, USA • 59°F
    1 like
    Tue, Jan 22, 2019 1:32pm -08:00
  • Vincent Pickering https://twitter.com/vincentlistens   •   Jan 22
    Or Is it just that it only holds on to a fixed number of mentions?
    Aaron Parecki
    Neither. The dashboard only shows the latest few, but that's just me being lazy and not giving you a UI to page through older ones. It stores them all forever, and I have no plans to delete old ones there.

    But you're right that you should copy that data to your own site somehow!
    San Francisco, California, USA • 59°F
    1 like
    Tue, Jan 22, 2019 1:31pm -08:00
  • John Kary https://twitter.com/johnkary   •   Jan 19
    Is there an authentication provider besides “Login with Facebook” or “Login with Google” that isn’t tied to a large social network?

    Basically a single place to set up a username/password and use it to log in across the internet.
    Aaron Parecki
    That's basically the idea with https://indieauth.net to let you bring your own identity and authentication mechanism when logging in to sites. There's a fair number of providers and support for it but nothing at the scale of Facebook yet.
    Portland, Oregon, USA • 42°F
    4 likes 1 repost
    Sat, Jan 19, 2019 9:12am -08:00
  • RianVDM https://micro.blog/RianVDM   •   Jan 17

    @aaronpk No, unfortunately not. I can post text-only without issues, but when I try to add a photo, this error happens.

    Aaron Parecki
    hmm, that library is definitely supposed to support that, so try posting an issue there. I'm not sure what's going on, maybe something with a proxy before the node app?
    San Jose, California • 55°F
    1 reply
    Thu, Jan 17, 2019 9:57am -08:00
  • RianVDM https://micro.blog/RianVDM   •   Jan 17

    @aaronpk Hey Aaron, random question about Quill (hope that's ok). I use Jekyll + Github Pages + webpage-micropub-to-github to add a micropub endpoint to that. But that micropub endpoint doesn't have support for a media endpoint yet, so I can't use native photo publishing from Quill. I'm wondering if you're aware of anyone who has found a workaround for that issue? Thanks!

    Aaron Parecki
    Quill should fall back to uploading files directly to the Micropub endpoint if it doesn't find a media endpoint. Is that not working?
    San Jose, California • 55°F
    3 replies
    Thu, Jan 17, 2019 9:11am -08:00
  • Tristan 🍚 https://twitter.com/twaddington   •   Jan 17
    What
    Aaron Parecki
    that's... not what oreo means
    San Jose, California, USA • 57°F
    Wed, Jan 16, 2019 8:41pm -08:00
  • Fred Emmott https://twitter.com/fredemmott   •   Jan 14
    ooh, the Google link is at least helpful for "look, I'm not crazy, Google don't trust client secrets on Windows" :)
    Aaron Parecki
    oh you're definitely not crazy, I just sometimes forget that not everybody already knows this :-) Most of what I've written on this starts with the assumption that the reader already knows mobile apps can't keep secrets.
    Portland, Oregon • 39°F
    Mon, Jan 14, 2019 10:09am -08:00
  • Fred Emmott https://twitter.com/fredemmott   •   Jan 14
    Does anyone have an approachable article for "don't trust the client"? Best I've found is the OAuth threat model RFC (RFC 6819), but it's a bit too long to ask others to read for a quick overview :) (not work related)
    Aaron Parecki
    Good question. If you find anything, let me know and I can add a link to it on https://oauth.net/2/native-apps/
    Portland, Oregon, USA • 39°F
    1 reply
    Mon, Jan 14, 2019 10:00am -08:00
  • Paul Anthony Williams 🎺 https://twitter.com/PaulAntWilliams   •   Jan 12
    Guessing from the header image... was, ironically, the article about Google surveillance?
    Aaron Parecki
    Yes
    Portland, Oregon • 44°F
    9 likes 1 reply
    Fri, Jan 11, 2019 8:58pm -08:00
  • Matt Lee https://twitter.com/mattl   •   Jan 11
    Time for a cocktail then.
    Aaron Parecki
    Guess this means the weekend comes early! 🍸
    Portland, Oregon • 45°F
    2 likes
    Fri, Jan 11, 2019 1:13pm -08:00
  • Matt Lee https://twitter.com/mattl   •   Jan 11
    Command + Control + Power Button -- someone who crashes these computers a lot.
    Aaron Parecki
    Of course this is while I'm using an external keyboard (with no power button) and my laptop is closed and neatly tucked under the desk.
    Portland, Oregon • 45°F
    2 replies
    Fri, Jan 11, 2019 1:09pm -08:00
  • Chris https://twitter.com/crslng   •   Jan 11
    3rd row up from the bottom
    Aaron Parecki
    Turns out it was 4th from the bottom. Bottom is "Log Out", then "Lock Screen", then "Shut Down", then "Restart"
    Portland, Oregon • 45°F
    1 like 1 reply
    Fri, Jan 11, 2019 1:08pm -08:00
  • They call me Rick 😎 https://cybre.space/@rick_777   •   Jan 11

    @aaronpk
    It's usually the bottom one.

    Aaron Parecki
    Bottom is "Log Out", then "Lock Screen", then "Shut Down", then "Restart"
    Portland, Oregon • 45°F
    Fri, Jan 11, 2019 1:08pm -08:00
  • sknebel https://github.com/sknebel   •   Jan 10

    #37 Show links from <dfn> in chat response?

    Aaron Parecki
    I think this would be a good idea.

    In order for that to be possible, I'd need the URL available as a Microformat property, since that's how Loqi gets the definitions right now.

    Currently the wiki page's URL is the h-entry url, which makes sense. Maybe the linked URL could be a second url property in the h-entry? Loqi could look for the first URL that is not on indieweb.org when creating the message.

    Ultimately I think this would have to be done by the wiki plugin that creates the <dfn> tag (https://github.com/aaronpk/mediawiki-mf2-dfn) or manually for the wiki pages that override the plugin.
    Portland, Oregon • 44°F
    Thu, Jan 10, 2019 7:39am -08:00

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.