observations about the FB integration

Robert C. Helling helling at atdotde.de
Wed Sep 2 02:22:53 PDT 2015


Salvo,

> On 02 Sep 2015, at 10:25, Salvo Tomaselli <tiposchi at tiscali.it> wrote:
> 
> I can't think of an obvious easy way to do it. The way gwenview does it
> is to open the browser window and then the user needs to copy and
> paste the URL into the application.
> 
> It is a bit bad, but I would be more reassured that it is indeed Facebook.

as so often, one has to find a compromise between security and user convenience.

There are two concerns I can see one might have:

1) The subsurface binary is evil and tries to steal your FB credentials. That is why you want to do the authentication in your favourite browser, as you trust that more than subsurface. In that case we probably cannot do much, since after authentication you explicitly at least give subsurface a token to post content on your behalf. By the copy&paste procedure you only make sure we don’t download your list of friends etc. But I would recommend that if you tend not to trust subsurface you probably don’t want to connect it to Facebook anyhow.

2) Subsurface is playing nicely but somebody else sits on your network connection, pretends to be Facebook and phishes your password. For this concern, I can tell you that subsurface uses https authentication and refuses to work if the server does not present a valid certificate for Facebook.com. I just tried that (by giving www.facebook.com the IP address of my server in /etc/hosts). We could, to assure you that subsurface is convinced it is really talking to the real Facebook, display an icon of a closed lock. But of course, that is only snake oil.

Am I missing something?

Best
Robert