Category Archives: Security

FB API

I’ve recently been having a look at the FB (Facebook) API for iPhone. It really shows a lot of great examples for using the API. The SDK offers tutorials, references, documentation and helper code for calling their RESTful services from Objective-C. FB provides native dialogues for sharing, profiles and friends.

Using FB as your authentication provider does make a lot of sense. They have the infrastructure and they are more than happy to let mobile app developers use it. I’m still trying to figure out an app to use the FB API. Once I have something I will certainly share it with everyone.

-br


HTML5, iFrame Sandbox Security

The recent rise in DDoS attacks has been using hosting companies to deliver them. Apparently hackers have been exploiting popular hosted content management applications like WordPress, specifically through iFrames. If you create an iFrame that references another site, then you are trusting that site to be free of malware, cross-site request forgery, cross-site scripting, clickjacking, etc.

HTML5 offers a new security feature called sandboxing, set with the sandbox attribute on the iFrame. You have 5 options:

Blank – Enforces all sandbox restrictions

allow-same-origin – All pages must be from the same site.

allow-top-navigation – Allows the iFrame content to navigate the containing (top-level) document.

allow-forms – Allows form submission

allow-scripts – Allows script execution

<iframe sandbox src="frame1.html"></iframe>
<iframe sandbox="allow-forms allow-same-origin" src="frame1.html"></iframe>
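As an added example (not code from the original post), a small JavaScript helper that builds the sandbox attribute from a list of the tokens listed above, rejects misspelled tokens that a browser would otherwise silently ignore (leaving the frame more permissive than intended), and flags relaxations that undo the protection. The token set is assumed to be the four flags named in this post; later HTML5 revisions add more.

```javascript
// Added example, not part of the original post. Token set is the four
// flags discussed above; newer specs define additional ones.
const KNOWN_TOKENS = new Set([
  'allow-same-origin',
  'allow-top-navigation',
  'allow-forms',
  'allow-scripts',
]);

// Returns the attribute value for the given tokens. An empty list yields
// the bare `sandbox` attribute (all restrictions on). Unknown or misspelled
// tokens (e.g. "allow-same-orgin") throw instead of being silently dropped,
// which is what a browser would do with them.
function buildSandbox(tokens) {
  const unknown = tokens.filter((t) => !KNOWN_TOKENS.has(t));
  if (unknown.length) {
    throw new Error(`unknown sandbox token(s): ${unknown.join(', ')}`);
  }
  // De-duplicate while keeping the caller's order for readable markup.
  return [...new Set(tokens)].join(' ');
}

// Flags relaxations that defeat the point of sandboxing. The HTML spec
// warns that allow-scripts together with allow-same-origin lets same-origin
// framed content remove its own sandbox attribute.
function sandboxWarnings(tokens) {
  const warnings = [];
  if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
    warnings.push('allow-scripts + allow-same-origin: same-origin content can remove the sandbox');
  }
  if (tokens.includes('allow-top-navigation')) {
    warnings.push('allow-top-navigation: framed content can redirect the whole page');
  }
  return warnings;
}

// Renders the <iframe> markup, escaping the src attribute value so a
// crafted URL cannot break out of the attribute.
function renderIframe(src, tokens) {
  const value = buildSandbox(tokens);
  const safeSrc = src.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  const attr = value ? `sandbox="${value}"` : 'sandbox';
  return `<iframe ${attr} src="${safeSrc}"></iframe>`;
}
```

Running `sandboxWarnings` on the token list before rendering is the check worth keeping in a template layer: the two snippets above produce no warnings, while adding allow-scripts to the second one would.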


Again, it is important to keep in mind that if the browser does not support HTML5 then this attribute will be ignored. Having said that, there are JavaScript libraries (Modernizr) that will allow the sandbox option to function.

-br

HTML5 Security

Well, I’ve been learning more and more about security lately and I’m finding that one of the best defences to date is SSL V3. If you don’t know what SSL is and you’re hosting a website / web app, it would be a good idea to understand it thoroughly and implement it. If your site requires authentication or transmits sensitive data, then it is mandatory. I would not host personal information or shop on a website that does not run entirely over SSL.

Someone could be squatting on the wifi at the hotel I’m staying at and would be able to obtain my WordPress credentials. I would tether my iPhone 5 but Rogers charges extra for that. I think once I get home and connect through my secure wifi I will change my credentials.

I know you most likely noticed that this site is not running over SSL. This will change very soon once my web hosting provider gets me set up. The public site of www.bgrconsuting.ca will still be running over non-SSL (the http protocol), but the blog will be running over SSL (the https protocol).

So the reason why I’m writing about this has to do with the new security features in HTML5. A good resource to find out more about HTML5 security and implementing it correctly can be found at the following OWASP URL.

-br