[OpenSocial] Re: Are all parameters signed?
Quite needed pattern. Thanks a lot!

Sanjay

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "OpenSocial Application Development" group.
To post to this group, send email to opensocial-api@googlegroups.com
To unsubscribe from this group, send email to opensocial-api+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/opensocial-api?hl=en
-~--~~~~--~~--~--~---
[OpenSocial] Re: Are all parameters signed?
Yes, I would not use makeRequest to transmit credit card information - your best bet is to open an iframe to a https-protected payment form.

You can use makeRequest to establish a session, though. Basically, do a signed makeRequest call to http://yoursite.com/getsession which should validate the signed makeRequest call, create a new session and store the viewer_id in the session, and return the session ID number. Then open an iframe or popup to http*s*://yoursite.com/payments?session_id= to let the user input payment.

Make sure that the session is fairly short lived, though (you may want to return a one time use token identifying the session, instead of the session id itself).

~Arne

On Mar 10, 6:37 am, Sanjay wrote:
> > So for sensitive information like credit card details, using https is still
> > required since you don't only want to make sure it hasn't been changed in
> > transit, you also want to make sure no one can read it, which is what https
> > gives you.
>
> A vital input for me. Thanks a lot!
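The session hand-off described in the message above, sketched as an added example (not code from the thread or from OpenSocial). The function names, the in-memory store and the two-minute lifetime are assumptions, and `verified_params` stands for the parameters of a makeRequest call whose signature has already been validated.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 120   # assumption: "fairly short lived" taken as two minutes
_pending = {}             # sha256(token) -> (viewer_id, expiry); a shared store in production

def _digest(token):
    # Only a hash of the token is kept, so a leaked store holds no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(verified_params, now=None):
    """Body of the /getsession handler, run only after the signature check passed."""
    now = time.time() if now is None else now
    # Identity comes from the container-inserted value, never from a gadget-supplied field.
    viewer_id = verified_params.get("opensocial_viewer_id")
    if not viewer_id:
        return None       # the container did not send a viewer id: no session
    token = secrets.token_urlsafe(32)
    _pending[_digest(token)] = (viewer_id, now + TOKEN_TTL_SECONDS)
    return token

def redeem_token(token, now=None):
    """Called by the HTTPS payment page; returns the viewer_id or None."""
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)   # pop: a token works exactly once
    if entry is None:
        return None
    viewer_id, expiry = entry
    return viewer_id if now <= expiry else None

def payment_url(token):
    # The one-time token, not a long-lived session id, is what appears in the iframe URL.
    return "https://yoursite.com/payments?session_id=" + token
```

The payment page calls `redeem_token` once on load and then relies on its own HTTPS session cookie, so a token captured from the URL afterwards is already spent.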
[OpenSocial] Re: Are all parameters signed?
> So for sensitive information like credit card details, using https is still
> required since you don't only want to make sure it hasn't been changed in
> transit, you also want to make sure no one can read it, which is what https
> gives you.

A vital input for me. Thanks a lot!
[OpenSocial] Re: Are all parameters signed?
The OAuth signature gives you the security that the request hasn't been tampered with in transit (so-called man-in-the-middle attacks). However it doesn't encrypt the data it is sending.

So for sensitive information like credit card details, using https is still required since you don't only want to make sure it hasn't been changed in transit, you also want to make sure no one can read it, which is what https gives you.

--
Chris

On Tue, Mar 10, 2009 at 9:16 AM, Sanjay Patel wrote:
> Hi Arne,
>
> Thanks a lot for this vital input.
>
>> This is a great question. Technically, the entire request url and
>> post body are signed. You can verify that any parameters in the
>> request are exactly what was passed to the container via the
>> makeRequest call, or added by the container itself.
>
> Does this mean that credit card etc. can be safely sent using Signed
> Request mechanism, and we don't need to use HTTPS url as we do in normal
> websites?
>
> thanks,
> Sanjay
[OpenSocial] Re: Are all parameters signed?
Hi Arne,

Thanks a lot for this vital input.

> This is a great question. Technically, the entire request url and
> post body are signed. You can verify that any parameters in the
> request are exactly what was passed to the container via the
> makeRequest call, or added by the container itself.

Does this mean that credit card etc. can be safely sent using Signed Request mechanism, and we don't need to use HTTPS url as we do in normal websites?

thanks,
Sanjay
[OpenSocial] Re: Are all parameters signed?
Hi Sanjay,

This is a great question. Technically, the entire request url and post body are signed. You can verify that any parameters in the request are exactly what was passed to the container via the makeRequest call, or added by the container itself.

However, you cannot verify whether the user was tampering with values that were passed to the makeRequest call, since the user will have full control over the JavaScript running on their machine. To use DB's example, say you want to post a "score" parameter in a makeRequest call - the container will accept this parameter and sign it, but since the container has no idea of what the correct value of "score" should be (since this is determined by your application) it will accept all values as valid. Essentially, you are trusting the user to send you correct values for any inputs passed to the makeRequest call.

There are some values which the user cannot fake, however, because they are inserted by the container. These values are:

  opensocial_owner_id
  opensocial_app_url

Optionally, the container may add the following:

  opensocial_viewer_id
  opensocial_instance_id
  opensocial_app_id
  xoauth_public_key

You can trust any of these values in a valid signed request. For more information, check out http://wiki.opensocial.org/index.php?title=Introduction_To_Signed_Requests which has a description of each property.

Hope this helps,
~Arne

On Mar 6, 1:51 am, Sanjay wrote:
> Hi,
>
> A novice curiosity. While a signed request is sent, which of the
> parameters are signed?
>
> A. only viewer_id
> B. only viewer_id, owner_id (what else?)
> C. all the parameters, including the custom ones sent by the
> application
>
> thanks,
> Sanjay
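The distinction drawn in the message above, as an added example (not code from the thread or from any OpenSocial container). It assumes the container signs with OAuth 1.0 HMAC-SHA1 and a shared consumer secret; a container that signs with RSA-SHA1 produces a signature over the same base string, checked against its public key instead. `container_signs`, the secret, the ids and the nonce are constructed for the demonstration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Values the thread lists as inserted by the container, not by gadget JavaScript.
CONTAINER_PARAMS = {"opensocial_owner_id", "opensocial_app_url", "opensocial_viewer_id",
                    "opensocial_instance_id", "opensocial_app_id", "xoauth_public_key"}
SECRET = "constructed-consumer-secret"      # constructed sample value
URL = "http://yoursite.com/getsession"

def _enc(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Every query/form parameter except oauth_signature itself is covered.
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])

def sign(method, url, params, secret):
    key = (_enc(secret) + "&").encode()      # signed fetch: empty token secret
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, secret):
    sent = params.get("oauth_signature", "")
    return hmac.compare_digest(sign(method, url, params, secret).encode(), sent.encode())

def trusted_identity(method, url, params, secret):
    """Container-inserted values of a valid request, or None if the signature fails."""
    if not verify(method, url, params, secret):
        return None
    return {k: v for k, v in params.items() if k in CONTAINER_PARAMS}

def container_signs(gadget_params):
    # Stand-in for the container: it overwrites identity fields, then signs everything.
    p = dict(gadget_params, opensocial_owner_id="1001", opensocial_viewer_id="1001",
             opensocial_app_url="http://yoursite.com/gadget.xml",
             oauth_consumer_key="constructed-key", oauth_nonce="n1",
             oauth_timestamp="1236675000", oauth_signature_method="HMAC-SHA1")
    p["oauth_signature"] = sign("GET", URL, p, SECRET)
    return p

if __name__ == "__main__":
    cheated = container_signs({"score": "999999", "opensocial_viewer_id": "42"})
    print(verify("GET", URL, cheated, SECRET))            # the signature check passes
    print(trusted_identity("GET", URL, cheated, SECRET))  # "score" is not in the result
```

A score edited in the browser before makeRequest still arrives with a valid signature, so application values such as "score" need server-side plausibility checks; a production verifier would also reject stale oauth_timestamp values and reused nonces.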
[OpenSocial] Re: Are all parameters signed?
Hi Sanjay,

I posted a somewhat-related question here: http://groups.google.com/group/opensocial-api/browse_thread/thread/82c34080cd8b57a9/ccf0e8dcb1738aeb?hl=en#ccf0e8dcb1738aeb.

The link I referenced suggests at the bottom of the page that it would be option B. I presume the parameters in bold there are all signed and can be trusted.

My question was more along the lines of how do you prevent OTHER parameters from being tampered with (as in your option C). I got no response but I just don't see what's to prevent your own app's parameters from being altered just before they're sent. Anything you do at the client is visible to an attacker.

DB

On Mar 6, 3:51 am, Sanjay wrote:
> Hi,
>
> A novice curiosity. While a signed request is sent, which of the
> parameters are signed?
>
> A. only viewer_id
> B. only viewer_id, owner_id (what else?)
> C. all the parameters, including the custom ones sent by the
> application
>
> thanks,
> Sanjay