I'm currently working on a small project that allows users with
multiple Twitter accounts to keep all of their accounts in one spot -
and then just select a particular account that they wish to send a
message to. I have a few Twitter accounts for individual projects, and
this is a lot easier to do than logging out and back in for each
individual account - however, I am struggling with how to store a
user's Twitter credentials in a secure manner while still being able
to use the API.
Has anyone come up with a solution to this problem?
Very interested in this as well. Would storing the authentication info in secure cookies be a reasonable method? That way you don't have to worry about security on your end in case something happened.
On Thu, Jul 17, 2008 at 2:52 PM, girasquid <hybrid.ba...@gmail.com> wrote:
> Hello, all.
> I'm currently working on a small project that allows users with
> multiple Twitter accounts to keep all of their accounts in one spot -
> and then just select a particular account that they wish to send a
> message to. I have a few Twitter accounts for individual projects, and
> this is a lot easier to do than logging out and back in for each
> individual account - however, I am struggling with how to store a
> user's Twitter credentials in a secure manner while still being able
> to use the API.
> Has anyone come up with a solution to this problem?
Secure cookies sounds like an interesting idea - but I'm not quite
sure how to implement that. How do I make sure that a cookie is
'secure', as compared to a regular cookie?
If I understand correctly, this would make it so that the first time
users used my service, they would need to log in with each of their
accounts - thus setting their cookie. Once the cookie was set, they'd
be good to go - although once the cookie disappeared, they would need
to re-authenticate the accounts that had lost their cookies. Am I
correct in assuming that this is how it works?
On Jul 18, 12:03 am, "Derek Gathright" <drg...@gmail.com> wrote:
> Very interested in this as well. Would storing the authentication info in
> secure cookies be a reasonable method? That way you don't have to worry
> about security on your end in case something happened.
You need to encrypt the data inside the cookie securely. How exactly to do this varies a bit based on your tech.
I'm generally not an advocate of putting any private data inside a cookie, encrypted or not. On the other hand, I also wouldn't want to put my login data for Twitter on another site, so hey.
On Fri, Jul 18, 2008 at 11:55 AM, girasquid <hybrid.ba...@gmail.com> wrote:
> Secure cookies sounds like an interesting idea - but I'm not quite
> sure how to implement that. How do I make sure that a cookie is
> 'secure', as compared to a regular cookie?
> If I understand correctly, this would make it so that the first time
> users used my service, they would need to log in with each of their
> accounts - thus setting their cookie. Once the cookie was set, they'd
> be good to go - although once the cookie disappeared, they would need
> to re-authenticate the accounts that had lost their cookies. Am I
> correct in assuming that this is how it works?
Yes - storing the data into a cookie, hashed or otherwise, doesn't
strike me as the best idea - but I'm not quite sure as to what would
be a better approach.
Do you know of one?
This project was originally created for personal use, as I have a few
Twitter accounts for different projects that I need to handle - I
figured that I might as well make it available to anyone else it might
be useful for as well.
On Jul 18, 11:42 am, "Ed Finkler" <funkat...@gmail.com> wrote:
> You need to encrypt the data inside the cookie securely. How exactly
> to do this varies a bit based on your tech.
> I'm generally not an advocate of putting any private data inside a
> cookie, encrypted or not. On the other hand, I also wouldn't want to
> put my login data for Twitter on another site, so hey.
On Fri, Jul 18, 2008 at 3:14 PM, girasquid <hybrid.ba...@gmail.com> wrote:
> Yes - storing the data into a cookie, hashed or otherwise, doesn't
> strike me as the best idea - but I'm not quite sure as to what would
> be a better approach.
> Do you know of one?
Depends on how much responsibility you want to take on. If you're releasing source code for others to host, then you really don't have any. If you want to host this service yourself, you need to be prepared to take on the role of being steward for your user's private information, which is a significant responsibility. If you are confident in your ability to do so, then storing the data server-side in a secure manner is a decent option.
If your next question is "how do I store the data securely," I can suggest some books and courses you could look into.
> This project was originally created for personal use, as I have a few
> Twitter accounts for different projects that I need to handle - I
> figured that I might as well make it available to anyone else it might
> be useful for as well.
Currently, I'm using a MySQL database, within the context of a Ruby on
Rails app - however, the main issue that I've been struggling with is
how to store Twitter credentials in a secure manner that's still
usable. They need to be in plaintext (or something I can change into
plaintext), because there doesn't seem to be a way to communicate with
the Twitter API securely - which means storing them hashed is out of
the question.
Storing only the Base64 encoding was an option, but isn't any more
secure than storing plaintexts - anything encrypted can be decrypted.
As far as I'm aware, there aren't any SQL Injection
vulnerabilities (not doing any direct variable interpolation; the
framework apparently handles escaping when you use built-ins), and my
MySQL server only allows connections from certain trusted areas -
meaning your average outside attacker wouldn't be able to get access
without having access to the box first.
With that being said, I'm stuck - at the moment, because it's only on
my development system, I'm storing things plaintext - but I know that
if/when I deploy the app, if anyone other than myself decides to use
it I will need something much more secure than that.
If you've got any suggestions, please let me know!
Luke
On Jul 18, 3:43 pm, "Ed Finkler" <funkat...@gmail.com> wrote:
> Depends on how much responsibility you want to take on. If you're
> releasing source code for others to host, then you really don't have
> any. If you want to host this service yourself, you need to be
> prepared to take on the role of being steward for your user's private
> information, which is a significant responsibility. If you are
> confident in your ability to do so, then storing the data server-side
> in a secure manner is a decent option.
> If your next question is "how do I store the data securely," I can
> suggest some books and courses you could look into.
On Jul 17, 11:03 pm, "Derek Gathright" <drg...@gmail.com> wrote:
> Very interested in this as well. Would storing the authentication info in
> secure cookies be a reasonable method? That way you don't have to worry
> about security on your end in case something happened.
Storing the credentials in a cookie is not a general solution.
For example, the protocol I'm using for my application doesn't have
a cookie concept.
Ideally, you want some kind of token auth and app usage tracking and
potentially delegated capabilities. My app can post messages, read
direct messages and do a few other things. Users do different things
with the app, so it's nice if the user can just tell Twitter not to
allow my app to post if they don't trust me.
On Jul 18, 3:23 pm, girasquid <hybrid.ba...@gmail.com> wrote:
> Storing only the Base64 encoding was an option, but isn't any more
> secure than storing plaintexts - anything encrypted can be decrypted.
Right, the password thing is wrong. Twitter's API documentation
states that they're looking for a way to make it more secure.
That said, I agree that there's not a lot you can do with encryption
here. If digest auth were an option, you could actually meet in the
middle somewhat, since the first half of the authentication can be
stored in a way that isn't reversible, but it's still not quite right.
In the meantime, I used base64. I'm not doing it to make it secure
against any sort of attack. I lose if someone gets my database.
However, when *I'm* looking at the database, I don't see people's
passwords. There are things I just don't want to know about people.
I'm building an app that would also need to store the users'
credentials.
What about encrypting them with something like a server certificate?
Might be a little overkill.
Then you'd decrypt them just before executing a command.
Another idea might be for the user to supply login details plus an
extra password.
You encrypt the credentials with the extra password (which is not
stored anywhere).
This way when the user logs into your app they use the extra password
to decrypt their details.
If someone was to gain access to the server, every record in the
database would be encrypted with a different key making it practically
impossible to extract useful data.
Ideally I think a solution similar to what both Facebook and Flickr do
would be best.
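The extra-password scheme from the last message, worked through as an added example for this thread (it is not code from any of the posters): the extra password is run through PBKDF2 with a per-record salt to derive the key, and AES-256-GCM is used so that a wrong extra password or an altered row is detected instead of decrypting to garbage. The module and method names, the JSON blob layout and the iteration count are assumptions.

```ruby
# Added example (not from the thread): per-record encryption of stored
# Twitter credentials under a key derived from the user's extra password.
# The extra password is never stored; each row has its own salt and IV.
require 'openssl'
require 'securerandom'
require 'json'

module CredentialVault
  ITERATIONS = 100_000 # PBKDF2 work factor (assumed; tune for your hardware)
  KEY_LEN = 32         # AES-256 key size in bytes

  # Derive the per-record key from the extra password and the record's salt.
  def self.derive_key(extra_password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(extra_password, salt, ITERATIONS, KEY_LEN, 'sha256')
  end

  # Encrypt the Twitter password; returns a JSON blob for one database column.
  def self.seal(extra_password, twitter_user, twitter_pass)
    salt = SecureRandom.random_bytes(16)
    iv = SecureRandom.random_bytes(12)
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.encrypt
    cipher.key = derive_key(extra_password, salt)
    cipher.iv = iv
    cipher.auth_data = twitter_user # bind the ciphertext to this account name
    ct = cipher.update(twitter_pass) + cipher.final
    { 'user' => twitter_user, 'salt' => [salt].pack('m0'), 'iv' => [iv].pack('m0'),
      'tag' => [cipher.auth_tag].pack('m0'), 'ct' => [ct].pack('m0') }.to_json
  end

  # Recover [user, password] just before an API call. Returns nil when the
  # extra password is wrong or the row was altered (GCM tag check fails),
  # so the app never sends garbage to Twitter.
  def self.unseal(extra_password, blob)
    rec = JSON.parse(blob)
    decipher = OpenSSL::Cipher.new('aes-256-gcm')
    decipher.decrypt
    decipher.key = derive_key(extra_password, rec['salt'].unpack1('m0'))
    decipher.iv = rec['iv'].unpack1('m0')
    decipher.auth_tag = rec['tag'].unpack1('m0')
    decipher.auth_data = rec['user']
    pass = decipher.update(rec['ct'].unpack1('m0')) + decipher.final
    [rec['user'], pass]
  rescue OpenSSL::Cipher::CipherError
    nil
  end
end
```

Because the key lives only in the user's head, a copy of the database alone does not reveal any Twitter password; the trade-off is that a forgotten extra password cannot be recovered and the user must re-enter their accounts.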