Posted to dev@shindig.apache.org by Yonas <yo...@gmail.com> on 2009/09/16 21:34:32 UTC

Security concerns

Hi,

According to:

http://www.techcrunch.com/2007/11/05/opensocial-hacked-again

TechCrunch reported that OpenSocial was cracked within 20 minutes of
release.


I'm thinking of using OpenSocial/Shindig for a startup company, but I
need to know how much of a security risk I'm taking. Since the gadget
will be dealing with transferal of money, I'm very sceptical of the
benefits outweighing the risk of being cracked.

I understand that OpenSocial is still growing and isn't 1.0 yet, so
maybe I should wait until then?

Cheers,
Yonas


Re: Security concerns

Posted by Yonas <yo...@gmail.com>.
Thanks, I'm a lot more confident now! :)

Y.

On Wed, 2009-09-16 at 22:23 +0200, Chris Chabot wrote:
> Hey Yonas,
> 
> The situation back during the 0.5 days was that a request to a gadget's own
> back-end servers wasn't signed, hence you could easily change a url from
> ?song=foo&owner=yonas to ?song=bar&owner=chris.. thus "hacking" OpenSocial.
> 
> Quickly after that initial release we've added signatures (using oauth to be
> precise, see
> http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests for
> the exact details) to these requests which cryptographically guarantee that
> a query hasn't been tampered with, so this hasn't been an issue any more for
> a very long time.
> 
> As far as the 1.0 release goes, the current thinking is that that will just
> be a spec documentation fix up, so it won't be technically different from
> 0.9 in any significant ways.
> 
> So I understand your concern when you have to base your business on a bit of
> unknown technology, but this platform is run in production for 800+ million
> end users by the majority of the social web, many tens of thousands of
> applications and is used inside of security-critical enterprise situations;
> we've come a long, long way since the initial release, and that old bit of
> news really has no relevance and hasn't for a very long time already.
> 
>    -- Chris
> 
> On Wed, Sep 16, 2009 at 9:34 PM, Yonas <yo...@gmail.com> wrote:
> 
> > Hi,
> >
> > According to:
> >
> > http://www.techcrunch.com/2007/11/05/opensocial-hacked-again
> >
> > TechCrunch reported that OpenSocial was cracked within 20 minutes of
> > release.
> >
> >
> > I'm thinking of using OpenSocial/Shindig for a startup company, but I
> > need to know how much of a security risk I'm taking. Since the gadget
> > will be dealing with transferal of money, I'm very sceptical of the
> > benefits outweighing the risk of being cracked.
> >
> > I understand that OpenSocial is still growing and isn't 1.0 yet, so
> > maybe I should wait until then?
> >
> > Cheers,
> > Yonas
> >
> >


Re: Security concerns

Posted by Chris Chabot <ch...@google.com>.
Hey Yonas,

The situation back during the 0.5 days was that a request to a gadget's own
back-end servers wasn't signed, hence you could easily change a url from
?song=foo&owner=yonas to ?song=bar&owner=chris.. thus "hacking" OpenSocial.

Quickly after that initial release we've added signatures (using oauth to be
precise, see
http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests for
the exact details) to these requests which cryptographically guarantee that
a query hasn't been tampered with, so this hasn't been an issue any more for
a very long time.

As far as the 1.0 release goes, the current thinking is that that will just
be a spec documentation fix up, so it won't be technically different from
0.9 in any significant ways.

So I understand your concern when you have to base your business on a bit of
unknown technology, but this platform is run in production for 800+ million
end users by the majority of the social web, many tens of thousands of
applications and is used inside of security-critical enterprise situations;
we've come a long, long way since the initial release, and that old bit of
news really has no relevance and hasn't for a very long time already.

   -- Chris

On Wed, Sep 16, 2009 at 9:34 PM, Yonas <yo...@gmail.com> wrote:

> Hi,
>
> According to:
>
> http://www.techcrunch.com/2007/11/05/opensocial-hacked-again
>
> TechCrunch reported that OpenSocial was cracked within 20 minutes of
> release.
>
>
> I'm thinking of using OpenSocial/Shindig for a startup company, but I
> need to know how much of a security risk I'm taking. Since the gadget
> will be dealing with transferal of money, I'm very sceptical of the
> benefits outweighing the risk of being cracked.
>
> I understand that OpenSocial is still growing and isn't 1.0 yet, so
> maybe I should wait until then?
>
> Cheers,
> Yonas
>
>
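As an added illustration of the fix Chris describes (example code, not Shindig's own and not from the original thread): a gadget back-end recomputes an OAuth 1.0 signature over the request parameters, so editing owner=yonas to owner=chris after the container has signed the request makes verification fail. The back-end URL, shared secret and OAuth parameters below are constructed; real OpenSocial containers generally sign with RSA-SHA1 and a published public key, which this HMAC-SHA1 version stands in for.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed shared secret between container and gadget back-end
# (stand-in for the container's RSA key pair used by OpenSocial).
CONSUMER_SECRET = "example-shared-secret"

def _pct(s: str) -> str:
    # OAuth 1.0 percent-encoding: only unreserved characters are left bare.
    return quote(s, safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    # METHOD & encoded base URL & encoded sorted parameter string;
    # oauth_signature itself is never part of the signed material.
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    items = sorted((_pct(k), _pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    param_str = "&".join(f"{k}={v}" for k, v in items)
    return "&".join([method.upper(), _pct(base_url), _pct(param_str)])

def sign(method: str, url: str, params: dict, secret: str = CONSUMER_SECRET) -> str:
    # HMAC-SHA1 keyed with "consumer_secret&token_secret" (no token here).
    key = (_pct(secret) + "&").encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify(method: str, url: str, params: dict, secret: str = CONSUMER_SECRET) -> bool:
    # Recompute the signature and compare in constant time; any change to
    # song, owner or another parameter after signing yields a mismatch.
    presented = params.get("oauth_signature")
    if not presented:
        return False
    return hmac.compare_digest(sign(method, url, params, secret), presented)

def demo():
    # Constructed request as the container would send it to the back-end.
    url = "https://backend.example/api"
    params = {"song": "foo", "owner": "yonas", "oauth_consumer_key": "container",
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1253136000", "oauth_nonce": "abc123"}
    params["oauth_signature"] = sign("GET", url, params)
    # The 0.5-era trick: rewrite the query after the fact.
    tampered = dict(params, song="bar", owner="chris")
    return verify("GET", url, params), verify("GET", url, tampered)
```

In a deployed back-end the nonce and timestamp would also be checked to stop replay of a correctly signed request.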