Unhosted Storage -- using Security by Obscurity


Melvin Carvalho

Oct 4, 2012, 6:39:08 AM
to unhosted
Given that unhosted apps are now about various ways to write client side apps (of which remotestorage is one), I was thinking about a very easy pattern to store data on your own storage device.

1) The storage should have CORS, GET, PUT enabled
2) The storage should be in an unguessable location that you know

This could in theory be something on your own device, on an amazon s3 bucket, a freedombox, dropbox, ubuntu one etc.

So to save your data you simply PUT data to this unguessable location, benefiting by security by obscurity.

To get it back you simply do a GET.

The analogy here is with loading and saving a file (but on the web)

Given that you have a secure location for your data, you just need to let the app know where that is, and it can take care of storing data without the oauth and webfinger flows needed

Maybe this could be some kind of remote storage lite ... or some other name for this pattern
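
An added example, not part of the original post: one way a client-side app could implement the pattern described above, with the unguessable location drawn from a CSPRNG and kept out of Referer headers and error messages. The host `storage.example`, the function names and the 256-bit token length are assumptions.

```javascript
// Added example; storage.example and all names below are assumptions.
// Fallback covers Node versions without a global Web Crypto object.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;
const STORAGE_BASE = 'https://storage.example/'; // constructed placeholder

// The URL is the only credential, so the path must come from a CSPRNG
// (never Math.random or a username): 32 bytes = 256 bits, hex-encoded.
function newSecretLocation(base = STORAGE_BASE) {
  const bytes = rng.getRandomValues(new Uint8Array(32));
  const token = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
  return new URL(token + '/', base).href;
}

// Refuse locations that defeat the scheme: plain HTTP exposes the path on
// the wire, and a short or human-chosen path can be guessed.
function isPlausibleSecretLocation(location) {
  let url;
  try { url = new URL(location); } catch { return false; }
  const token = url.pathname.split('/').filter(Boolean).pop() ?? '';
  return url.protocol === 'https:' && url.pathname.endsWith('/') &&
    /^[0-9a-f]{64}$/.test(token);
}

// Use this form in logs and error messages so the secret does not leak.
function redactLocation(location) {
  return new URL(location).origin + '/<redacted>/';
}

// Build the URL of one stored item; names may not escape the secret directory.
function resourceUrl(location, name) {
  if (!isPlausibleSecretLocation(location)) throw new Error('weak storage location');
  if (!/^[A-Za-z0-9._-]+$/.test(name) || name === '.' || name === '..') throw new Error('bad resource name');
  return new URL(name, location).href;
}

async function save(location, name, data, fetchImpl = fetch) {
  const res = await fetchImpl(resourceUrl(location, name), {
    method: 'PUT', body: JSON.stringify(data), referrerPolicy: 'no-referrer',
    headers: { 'Content-Type': 'application/json' },
  });
  if (!res.ok) throw new Error(`PUT ${res.status} at ${redactLocation(location)}`);
}

async function load(location, name, fetchImpl = fetch) {
  const res = await fetchImpl(resourceUrl(location, name), { referrerPolicy: 'no-referrer' });
  if (!res.ok) throw new Error(`GET ${res.status} at ${redactLocation(location)}`);
  return res.json();
}
```

The JSON `Content-Type` on the PUT makes the browser send a CORS preflight, so the storage has to answer `OPTIONS` and allow `PUT` and that header for the app's origin.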

☮ elf Pavlik ☮

Oct 4, 2012, 7:40:18 AM
to Melvin Carvalho, unhosted
Excerpts from Melvin Carvalho's message of 2012-10-04 10:39:08 +0000:
ATM the public category has no directory listing if you haven't authenticated as owner of the storage, to my understanding motivated by this security by obscurity approach...

Does it serve your case, or do you need to make the location of the whole storage obscure?

Melvin Carvalho

Oct 4, 2012, 7:56:27 AM
to ☮ elf Pavlik ☮, unhosted

Essentially yes.

But this is a generalization of the "public category" ... it's just a public resource that you own and nobody knows where it is. So you can use, say, amazon S3 for example.
