Shane Carr
Software Engineer at Google and recent graduate of WUSTL

Rolling your own JavaScript code is still something you should do if you care about the end user's experience.

Google is the first major identity provider to abandon OpenID 2.0 and jump aboard the bandwagon known as OpenID Connect.

#OpenID 2.0 is user-centric: customers can use their choice of OpenID provider to sign in to any application that supports the protocol.

OpenID Connect, the "new and improved" specification from the OpenID Foundation, is fundamentally different: applications now need to register themselves with their chosen subset of OpenID Connect providers (to obtain OAuth credentials), and users of that application can sign in using one of only that small subset of providers.

This link is one of the earliest articles written about OpenID Connect.  It introduces the ideas of "Discovery" and "Dynamic Registration", by which applications can automatically obtain OAuth credentials for the user's chosen provider.  However, the specification makes it optional for providers to support Discovery and Dynamic Registration, and currently I'm not aware of any providers or client libraries that implement these protocols.

I loved OpenID 2.0.  The movement to OpenID Connect takes the power away from both users and application developers (not to mention the smaller identity providers) and gives it all to the biggest identity providers on the scene.

Google is the first major identity provider to drop support for OpenID 2.0.  Application developers who chose to use OpenID 2.0 have a decision to make: do you force your users to switch to a different OpenID 2.0 provider, or do you register your application with Google and provide support for OpenID Connect?  The hard deadline is April 20 of this year.

Does your application use OpenID 2.0?  What is your reaction to Google's dropping support for the protocol?  What are you going to do, if anything, to help transition those users who entrusted your site with Google OpenID 2.0?

Good article from the New Yorker about Heartbleed.

"OpenSSL, which is used to secure as many as two-thirds of all encrypted Internet connections, is a volunteer project. It is overseen by four people: one works for the open-source software company Red Hat, one works for Google, and two are consultants. There is nobody whose full-time job it is to work on OpenSSL. … Money and support still tend to flow to the newest and sexiest projects, while boring but essential elements like OpenSSL limp along as volunteer efforts."

Critical security vulnerability in OpenSSL, named Heartbleed!  This is a big deal since OpenSSL basically powers all of open-source SSL web sites.  I just upgraded OpenSSL on all my servers; you should probably do the same!

CentOS: https://www.centos.org/forums/viewtopic.php?f=9&t=45814
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/

ShowMeCon. The name says it all. Known as the Show Me State, Missouri is home to St. Louis-based ethical hacking firm, Parameter Security, and security training company, Hacker University. Together, they are bringing you a one-of-a-kind event that will Show You the State of security from a unique perspective – the hacker’s viewpoint.

Great opportunity for WUSTL CSE students who don't have finals in the second week!  I'll be going.

#hacking #conference