Implementing Privacy: OAuth & Token Madness

Ever cringe when you’re asked to enter your email address and password to a third party service? Even worse when we build systems which collect people’s credentials. It’s the password anti-pattern.

Privacy and security are important, but when it comes to real running apps, “it works” wins over “it’s secure.” This has two main themes.

• How to use tokens and other tricks to protect the privacy of your users.
• While examples will be from a ruby on rails application, this talk is more on general web development practices for privacy.

There is no totally secure or private system out there, especially when we build social web applications. But there are many things which can be done to improve privacy. For each application you have to look at what the threat model is for leaking personal information. Everything from how your user passwords are stored to what happens if a hacker gets a full dump of your database.

• What happens when a user’s email is compromised by a third party service?
• How to provide simple sharing with casual privacy.
• What is ‘good enough’ crypto.
• Understanding the difference between Authorization and Authentication.

This talk is based on experience designing and architecting Yahoo! Fire Eagle, a location sharing service which was the first implementation of both OAuth and Ruby on Rails at yahoo.