keturn's comments

The thing that bugs me about this model is that it's not challenge-response, so someone can play man-in-the-middle.

While it's possible to hijack someone's phone number, as demonstrated, it requires a relatively high amount of effort per target. Whereas if you compromise a network segment somewhere (with DNS and a rogue SSL cert or whatever you need), you could just sit there, farming authentication cookies. Have your MitM check the "authenticate this computer for 30 days" checkbox and you've got a nice little collection to work with.


Are you familiar with methods that are resilient in the face of MitM attacks?


I was talking to someone recently who likened it to a shifting pendulum. For a while, he told me, terminal control languages were sufficiently complex that you could send a program to run _on the terminal_, and then things shifted back to running things where you store them on the server.

Now there's HTML5 and JavaScript, the world's most complicated terminal control language.


Any news since 2010?


No, but the author is CEO of Singular Computing, LLC: http://singularcomputing.com/

(not that there's anything there)


Unless your product is something that builds on Twitter's platform, I wouldn't recommend it. It means your users don't have a choice about how they're authenticated to your site, and

A) Failwhale, anyone?

B) Twitter doesn't provide serious options for protecting their users' login credentials. It's the same username/password combo which is easily phished & replayable.

Sadly, I've pretty much given up on the hope that we'll have a healthy ecosystem of OpenID providers, but at least Google's login system does offer some two-factor options.


From a dev's point of view I really feel that OpenID/OAuth is absolutely not worth the headache.

I'd rather just go the hacker news model. Choose a strong password and if you forget it, we send a new one to your email address.

Works fine, offloads a lot of security issues to email providers (who tend to be good at it), easy to code.


I'd rather just go the hacker news model.

I use Hacker News with OpenID ;)


I like the same model (send a password change token to email). BrowserID from Mozilla may help here too.


Nice! I just shared a screen from a Linux laptop to a phone with the Dolphin browser and it Just Worked. Pretty high latency though.


I had some linting tool yell at me about this recently. It said something like '''forms["formname"] better written as forms.formname'''


This was a good post, but I confess to being a little disappointed that it was not in musical form.


Bah. I've been happily using Google services with a non-Google email for years now, but when I created a gmail account for that ID, all my notifications from all google products (e.g. google calendar notifications, notifications from other Google products like Google Code) suddenly started going to the gmail mailbox instead of the address they'd been going to all along.

Fortunately I was able to delete the gmail account to reverse this, but it was relatively difficult to find the "turn off gmail" button. And if all new accounts get gmail, they may stop letting you turn off gmail at all.


Create a local 'apt' repository for Ubuntu Java packages: https://github.com/flexiondotorg/oab-java6

Just tried it earlier today on 11.10. Worked fine.


Yeah, and this is the one thing I didn't see addressed in the article at all. It doesn't have to be about "interesting problems," it's that your entire business model is based on something that no tech-savvy 20-something wants to support.

