lock Today I'm going to look at how not to handle user authentication in a web application, taking BeTwittered.com authenticating with Twitter as an example (sorry, guys).

BeTwittered is a simple and comfortable gadget that you can add to your site, such as your iGoogle homepage.

Since BeTwittered is just a bridge between you and Twitter, it has to first log you into your account. Here is where things go horribly, horribly wrong.

1. BeTwittered does not use SSL to secure requests to its servers

All authentication information is transmitted to BeTwittered servers in plain text and is easily sniffable by an attacker, both on your own network and outside of it. You can read more about SSL encryption here….

Read the rest of this article »

Updated: July 1st, 2010

image From time to time my, still curious, mind accumulates a variety of questions and concerns which it has to spill onto the pages of this blog. How random are these? Pretty damn random, and I need to see some answers, quick. Oh, and I’m deliberately not searching Google, as I want to facilitate discussion. What fun would it be if I just looked up all these?

Password Protected Garage Door Remotes

As a paranoid person and a recent homeowner, I started to wonder how safe I actually am in my house. Consider this likely scenario that nobody seems to be concerned with:

I park my car outside for one night and don’t take out my portable garage door remote, the

Read the rest of this article »