Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Jan 27, 2011

Why Facebook's social authentication fails

Just a comment on the latest blog post on security by one of the Facebook engineers.

First, it's a good thing that Facebook finally offers its users the most fundamental of all security measures, a secure (HTTPS) connection to their website. Still, I would have expected them to move faster, especially after the Firesheep controversy back in October.

Then on to the most controversial change, the social authentication, which raises a few questions about both the security it is supposed to add and the possible effects on Facebook users' privacy.

The security failure
Consider some malicious Trojan writer on the other side of the earth, trying to log into your Facebook account with your newly stolen password. Matching the pictures and the names presented in the social authentication should constitute a real challenge. It doesn't! A Google search for the suggested names, narrowed down to the Facebook site, will reveal... you guessed it! A picture of the person! The challenge only has value if the attacker cannot look up the answers, and here the answers are public.
Social authentication illustrated

Jan 24, 2011

How to give IIS access to private keys

If one of your ASP.NET applications needs access to a certificate from the certificate store along with its private key, you'll probably run into trouble. The private key is saved in a separate file with an unguessable name. It is not readable by everyone, for good reason. The lack of file access is not very intuitive, as you can see the certificate in the Certificates MMC snap-in, and it will claim that "this certificate has a corresponding private key". You'll still have to give the application pool's user read access to the key file. Grant Read only, and only to that identity; the key does not need Full Control, and it should never be readable by Everyone.


There are some differences in how to do this on Windows Server 2008 R2 and on Windows Server 2003; here's a short explanation and some useful resources for both versions.
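As an added example (this is not code from the post), the steps above in C#: locate the file that backs a machine-store certificate's private key and add a Read entry for the application pool identity. It assumes .NET Framework on Windows, a CryptoAPI (CSP) RSA key in the LocalMachine\My store, an elevated process, and placeholder values for the thumbprint and the pool name. Keys held by a CNG key storage provider are stored elsewhere and are not handled here.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the post's own code. Grants an IIS application pool
// identity Read access to the file that backs a certificate's private key.
// Assumptions: .NET Framework on Windows, CryptoAPI (CSP) RSA key in the
// LocalMachine\My store, process running elevated.
static class PrivateKeyAccess
{
    // Placeholder thumbprint and pool name; substitute your own.
    const string Thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";
    const string PoolIdentity = @"IIS APPPOOL\DefaultAppPool";

    static void Main()
    {
        string keyFile = GrantRead(Thumbprint, PoolIdentity);
        Console.WriteLine("Granted Read on {0} to {1}", keyFile, PoolIdentity);
    }

    // Resolves the on-disk key container of a CSP-backed certificate.
    // Machine keys live under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys
    // (the "Application Data" equivalent on Server 2003) with an opaque file name.
    public static string FindKeyFile(X509Certificate2 cert)
    {
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new InvalidOperationException("Not a CSP-backed RSA key; CNG keys are stored elsewhere.");

        string container = rsa.CspKeyContainerInfo.UniqueKeyContainerName;
        string machineKeys = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            @"Microsoft\Crypto\RSA\MachineKeys");
        string path = Path.Combine(machineKeys, container);
        if (!File.Exists(path))
            throw new FileNotFoundException("Private key file not found", path);
        return path;
    }

    // Adds an Allow/Read ACE for the account. Read is all IIS needs to use the
    // key; do not grant Modify or Full Control, and never grant Everyone.
    public static string GrantRead(string thumbprint, string account)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found: " + thumbprint);
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key: " + thumbprint);

            string keyFile = FindKeyFile(cert);
            FileSecurity acl = File.GetAccessControl(keyFile);
            acl.AddAccessRule(new FileSystemAccessRule(
                account, FileSystemRights.Read, AccessControlType.Allow));
            File.SetAccessControl(keyFile, acl);
            return keyFile;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Verify the result in the file's Security tab or with icacls. If `cert.PrivateKey` itself throws a CryptographicException, the account running the program lacks access to the key file; run it as a local administrator.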

Jan 17, 2011

Facebook privacy bug: Your likes are leaked

I just discovered that Facebook reveals to search engines the users who "Like" a page, regardless of their privacy settings. Try a Google search and see for yourself (if you've disabled "Public Search" for your profile, that is):

site:facebook.com "Your name here"

Why is this problematic? Well, I have set my Facebook profile to not be enabled for public search. Hence, my Facebook profile does not show up in Google's search results.

Jan 13, 2011

Google unreachable, a rare occasion

Well, when I have trouble reaching particular websites I often check whether Google works — to verify that my Internet connection is working ok. The assumption: Google is always online.

However, just now:

And yes, for once I was able to reach all other websites I tried, it was just Google that was out. This is a rare situation, so I just had to take a screenshot and share the moment. I might never see one of these again ;)

Jan 11, 2011

NewTwitter not working with Safari's private mode

A couple of days ago I tweeted that I had trouble with NewTwitter. It turns out that Twitter does not work correctly with Safari in "Private mode". At the time, only the top bar would load; no other content was visible in my browser. After switching off private mode, Twitter once again worked as expected, even after turning private mode back on. This meant that I was unable to reproduce the problem.

Today, new problems. This time, the timeline of other users does not load. I get to see their profile, but without the timeline. My own timeline works just fine. Checking with Burp, and comparing with a page load without private mode, I'm able to verify that there's no request for the timeline. Checking the error console reveals the following:


What a strange error message:

QUOTA_EXCEEDED_ERR: DOM Exception 22: An attempt was made to add something to storage that exceeded the quota.

Some investigation revealed that this is an HTML5 feature (Web Storage); as usual there were clues on Stack Overflow.
When turning off private browsing, everything's fine, there are no errors reported.

Checking the W3C Web Storage specification for localStorage gives me a strong feeling that Safari denies local storage when in private mode, and instead should have thrown a SECURITY_ERR exception (not that it matters to most end users).

I'm not sure who's creating the problem here, Safari or Twitter. I'll send the issue to Apple and Twitter. If I get a response I'll update this post.

Update, Jan 19: Twitter responded to my e-mail just now; they promised to fix the issue. Good stuff.

Terminal services manager and Windows 7

I just found out that Terminal Services Manager does not exist in Windows 7. But fear not, the Remote Desktop Services Manager will do the trick. It is included in the Remote Server Administration Tools for Windows 7, which can be downloaded from here.

After some serious Googling, I was also able to figure out how to actually enable the feature, in "Programs and Features", "Turn Windows features on or off":

Go to "Remote Server Administration Tools", "Role Administration Tools", and enable "Remote Desktop Services Tools".


There! Now you'll find the Remote Desktop Services Manager in your start menu — and can start kicking out stale remote desktop connections from your servers. :)

Jan 6, 2011

Customized .Net configuration the easy way

I stumbled across a great series of articles on how the .Net configuration features can be used:

Unraveling the Mysteries of .NET 2.0 Configuration by Jon Rista.

You'll find the MSDN documentation for System.Configuration here.

I've started creating my own configuration sections and they yield several advantages:
  • No XML parsing
  • No more misuse of appSettings
  • Extremely readable code
  • Easy validation of configuration values
  • Understandable error messages for configuration errors
So check out Rista's series of articles and start creating more robust and understandable custom configuration code!
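To show what those advantages look like in practice, here is an added example of a custom configuration section; it is neither Rista's code nor code from the original post. The section, its attribute names and the assembly name in the registration snippet are all hypothetical. Validators run when the section is loaded, so a bad value fails at startup with a message naming the property, and callers get typed values instead of parsing appSettings strings.

```csharp
using System;
using System.Configuration;

// Added example, not the post's or Rista's code. A typed configuration
// section for a hypothetical SMTP relay setting, read via ConfigurationManager.
//
// Register and use it in app.config / web.config (assembly name is a placeholder):
//
//   <configSections>
//     <section name="smtpRelay" type="MyApp.Config.SmtpRelaySection, MyApp" />
//   </configSections>
//   <smtpRelay host="mail.example.org" port="587" useTls="true" timeoutSeconds="20" />
namespace MyApp.Config
{
    public class SmtpRelaySection : ConfigurationSection
    {
        // Required; the validator rejects characters that never appear in a host name.
        [ConfigurationProperty("host", IsRequired = true)]
        [StringValidator(InvalidCharacters = " ;'\"<>/\\", MaxLength = 253)]
        public string Host
        {
            get { return (string)this["host"]; }
        }

        // Range-checked at load time, so a typo like port="5870" fails early
        // with a message naming the property instead of failing at connect time.
        [ConfigurationProperty("port", DefaultValue = 587)]
        [IntegerValidator(MinValue = 1, MaxValue = 65535)]
        public int Port
        {
            get { return (int)this["port"]; }
        }

        // Secure by default: an operator must opt out of TLS explicitly.
        [ConfigurationProperty("useTls", DefaultValue = true)]
        public bool UseTls
        {
            get { return (bool)this["useTls"]; }
        }

        [ConfigurationProperty("timeoutSeconds", DefaultValue = 30)]
        [IntegerValidator(MinValue = 1, MaxValue = 600)]
        public int TimeoutSeconds
        {
            get { return (int)this["timeoutSeconds"]; }
        }

        // Cross-property rule that attribute validators cannot express.
        protected override void PostDeserialize()
        {
            base.PostDeserialize();
            if (!UseTls && Port == 465)
                throw new ConfigurationErrorsException(
                    "smtpRelay: port 465 is implicit TLS; useTls=\"false\" makes no sense here.");
        }

        // Typed accessor, so callers never touch ConfigurationManager.AppSettings strings.
        public static SmtpRelaySection Load()
        {
            var section = (SmtpRelaySection)ConfigurationManager.GetSection("smtpRelay");
            if (section == null)
                throw new ConfigurationErrorsException("Missing <smtpRelay> section.");
            return section;
        }
    }

    static class Program
    {
        static void Main()
        {
            SmtpRelaySection relay = SmtpRelaySection.Load();
            Console.WriteLine("{0}:{1} tls={2} timeout={3}s",
                relay.Host, relay.Port, relay.UseTls, relay.TimeoutSeconds);
        }
    }
}
```

One gotcha worth knowing: a StringValidator with MinLength on a required string property is validated against the empty default before the file is read and will throw, which is why the example restricts characters and length only.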

Jan 1, 2011

Some Azure signup challenges

Yesterday I blogged that MSDN subscribers got an Azure subscription for free. Today, I decided to activate an Azure subscription and take the first small steps into the cloud.

The ancient browser problem
I've been using Opera as my primary browser for more than ten years now. Why am I telling you this? Well, during the signup process for the Azure subscription:
Oh, the horror. I can't remember the last time I had to tell Opera to identify as another browser. Fortunately, under "Site Preferences" I could tell Opera to "Mask as Firefox" and it was all well... Come on guys. It's the year 2011. I cannot believe that this should still be a problem.

A more modern browser problem
But I hadn't left the rough patch just yet.

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
