- Commercial quantum crypto thoroughly hacked with lasers, Slashdot
- Microsoft fix for DLL vulnerability, Krebs on Security
- Microsoft tool for DLL vulnerability interferes with some applications, The H
- QuickTime flaw allows remote execution attack, The Register
- Twitter moves completely to OAuth for 3rd party apps, Web Monkey
- Fake Tweetdeck update prompts Twitter to reset passwords of compromised accounts, The Register
- Critical vulnerabilities in RealPlayer, Zero Day
- Google’s project hosting service used to host malware, Zero Day
- Questions about the security of Twitter’s OAuth implementation, Ars Technica
- Security patches for Chrome on its 2nd birthday, Zero Day
- Apple patches iTunes security flaws, Zero Day
- New malware imitates browser warning pages, Slashdot
- Data stealing bug in MSIE 8, Slashdot
- New OAuth 2.0 draft released
- TPB goes down in face of latest legal threat
- Google faces US, German regulators over WiFi data collection
- Google also faces criminal action in Germany
- And a civil suit in Oregon here in the US
- Challenge to existing Australian net censorship
- Judge orders schools to notify families of webcam photos taken
- Software used for school webcam spying contains massive security hole
- A chance to act on ACTA
- Obama still supports ACTA
- Theora development continues now that VP-8 is open source
- Free Software Foundation supports WebM video standard
- Theora project founder supports WebM, VP-8
Ryan Paul has a good expansion at Ars of an O’Reilly Radar piece I noticed a little while back. Ryan backs up a bit to give a background on existing authentication systems and the problems inherent in using them effectively on the web. He then charts out the current and future versions of OAuth on a trajectory starting with addressing what he describes as the password anti-pattern on through streamlining this potentially more secure scheme into the same sort of simplicity HTTP’s native authentication schemes enjoy.
Part of how the stop-gap OAuth WRAP achieves its streamlining is by pushing encryption lower in the stack, taking advantage of the tried and true SSL/TLS commonly available on most web servers. Ryan provides some more links to supplement David Recordon’s explanation of this stop-gap solution to OAuth’s complexity. WRAP is meant to serve in the meantime while the various stakeholders work on the 2.0 version of OAuth in cooperation with the IETF.
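To make the trade-off concrete, here is an added example (not code from the post, from Ars, or from any OAuth project) showing the two halves side by side: the per-request HMAC-SHA1 signing that OAuth 1.0a clients and servers must both implement correctly, and the WRAP/2.0-style bearer token that replaces it once the transport is TLS. The function names, the token store and all key, token, nonce and timestamp values are constructed for the example; the signing steps follow RFC 5849 section 3.4, and the bearer check refuses any request that did not arrive over TLS, since without the signature the token itself is the only secret on the wire.

```python
"""OAuth 1.0a request signing beside a WRAP/2.0-style bearer token over TLS."""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit, urlunsplit


def pct(s: str) -> str:
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters are left bare.
    return quote(s, safe="-._~")


def oauth1_base_string(method, url, params):
    """Signature base string (RFC 5849 section 3.4.1).

    `params` is the merged list of query, body and oauth_* parameters,
    excluding oauth_signature itself.
    """
    parts = urlsplit(url)
    # Scheme and host are lowercased; query and fragment are dropped.
    base_url = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def oauth1_sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer and token secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = oauth1_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def oauth1_verify(method, url, params, consumer_secret, token_secret=""):
    """Server side of 1.0a: recompute the signature and compare in constant time."""
    supplied = dict(params).get("oauth_signature")
    if supplied is None:
        return False
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = oauth1_sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(supplied, expected)


# Constructed token store standing in for a real server's token database.
VALID_TOKENS = {"tok_9f3c2a": "alice"}


def bearer_check(request):
    """WRAP/2.0 style: no signature, so the token is only accepted over TLS.

    `request` is a constructed dict: {"tls": bool, "headers": {...}}.
    Returns the resource owner the token belongs to, or None to reject.
    """
    if not request.get("tls"):
        return None  # the token would travel in the clear; refuse it
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return VALID_TOKENS.get(token)


if __name__ == "__main__":
    # Constructed 1.0a request: every one of these values must be assembled
    # identically on both sides for the signature to verify.
    url = "https://photos.example.net/photos"
    params = [
        ("file", "vacation.jpg"), ("size", "original"),
        ("oauth_consumer_key", "consumer_key_example"),
        ("oauth_token", "token_example"),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", "1191242096"),
        ("oauth_nonce", "nonce_example"),
        ("oauth_version", "1.0"),
    ]
    sig = oauth1_sign("GET", url, params, "consumer_secret", "token_secret")
    print("1.0a signature:", sig)
    print("1.0a verifies:", oauth1_verify("GET", url, params + [("oauth_signature", sig)],
                                          "consumer_secret", "token_secret"))
    # The same access over TLS with a bearer token is a single header.
    print("bearer over TLS:", bearer_check({"tls": True, "headers": {"Authorization": "Bearer tok_9f3c2a"}}))
    print("bearer over plain HTTP:", bearer_check({"tls": False, "headers": {"Authorization": "Bearer tok_9f3c2a"}}))
```

The 1.0a half is where most interoperability bugs live: a parameter encoded differently on either side, or a port or query string left in the base URL, silently produces a signature mismatch. The bearer half moves all of that onto TLS, which is exactly why a server accepting WRAP-style tokens must never do so on a plaintext listener.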
Ryan Paul has some decent coding chops under his belt, in addition to working as a tech journalist. I enjoy his detailed coverage, like this article, of new and updated technologies from the perspective of the hacker struggling to use them. If he is optimistic about WRAP and OAuth 2.0, I think there is genuine cause to look forward to future developments.
David Recordon has a good state of OAuth post on O’Reilly Radar which he developed with Chris Messina, Dick Hardt and Eran Hammer-Lahav, leading lights in Identity 2.0 all. He clarifies some of the recent concerns over the authentication system as well as tours recent developments and the roadmap ahead.
In particular, the development of OAuth WRAP sounds like the solid sort of grok-and-simplify step that is critical to the maturation not just of a technology but of a specification. Streamlining is key to further pressing adoption and in this case driving up the median security of cooperating web applications.
David and company clearly understand this, given how it informs the incremental progress through WRAP on into the spin-up of version 2.0. Here’s to more and better OAuth in 2010.