| Line 2: | Line 2: | ||
== Problems and Solutions == | == Problems and Solutions == | ||
* ''Problem'': Can still infer where notifications are coming from using reverse DNS lookup | * '''Problem''': Can still infer where notifications are coming from using reverse DNS lookup | ||
** ''Solution'': Users can run their own server if this is a serious concern | ** '''Solution''': Users can run their own server if this is a serious concern | ||
* ''Problem'': ( | * '''Problem''': (''Social Attack'') Consider the following -- you are logged in to Facebook on a friend's computer. You leave the computer and your friend registers for notifications on their computer with you still signed in. Result: your friend now receives all notifications intended to be sent to you. | ||
** ''Solution'': Recommend web apps keep track of subscriptions so users are made aware of them. Web apps can also use email confirmation if security is absolutely necessary. | ** '''Solution''': Recommend web apps keep track of subscriptions so users are made aware of them. Web apps can also use email confirmation if security is absolutely necessary. | ||
* ''Problem'': Service providers (i.e. web apps) will want to be sure that decryption keys are securely stored on the client. | * '''Problem''': Service providers (i.e. web apps) will want to be sure that decryption keys are securely stored on the client. | ||
** ''Solution'': Seems to be more of an OS problem. Should use a keychain to store keys if available. If someone has access to your computer you're hosed anyway. | ** '''Solution''': Seems to be more of an OS problem. Should use a keychain to store keys if available. If someone has access to your computer you're hosed anyway. | ||
== Recommendations == | == Recommendations == | ||
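Review bot: The Solution under the new ''Social Attack'' problem stops at awareness ("keep track of subscriptions so users are made aware of them") and optional email confirmation, and does not say what the user can do after spotting a subscription they did not create. Consider adding that the web app should let the user remove a subscription from that list, since in the scenario as written the friend keeps receiving the notifications until something revokes the registration. The italic-to-bold change on the Problem/Solution labels is consistent across all six rows.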