Implementing Privacy: OAuth & Token Madness

Location: 1A14 Level:
Average rating: **...
(2.86, 7 ratings)

Ever cringe when you’re asked to enter your email address and password to a third party service? Even worse when we build systems which collect people’s credentials. It’s the password anti-pattern.

Privacy and security are important, but when it comes to real running apps, “it works” wins over “it’s secure.”
This has two main themes.

  • How to use tokens and other tricks to protect the privacy of your users.
  • While examples will be from a ruby on rails application, this talk is more on general web development practices for privacy.

There is no totally secure or private system out there, especially when we build social web applications. But there are many things which can be done to improve privacy. For each application you have to look at what the threat model is for leaking personal information. Everything from how your user passwords are stored to what happens if a hacker gets a full dump of your database.

  • What happens when a user’s email is compromised by a third party service?
  • How to provide simple sharing with casual privacy.
  • What is ‘good enough’ crypto.
  • Understanding the difference between Authorization and Authentication.

This talk is based on experience designing and architecting Yahoo! Fire Eagle, a location sharing service which was the first implementation of both OAuth and Ruby on Rails at yahoo.

Photo of Rabble Evan Henshaw-Plath

Rabble Evan Henshaw-Plath

Rabble is an independent hacker. He has extensive experience doing ruby on rails development and generally causing a ruckus. He was the architect for and Yahoo! Fire Eagle location broker platform. He’s currently causing trouble with the kids.

Photo of Blaine Cook

Blaine Cook


Blaine is a Canadian transplant to Northern Ireland via San Francisco, where he made Twitter do things no website had done before. In addition to being a primary author on the OAuth specification and active in the Jabber community, he is a frequent contributor to various open source projects. He now works at Osmosoft, focused on making the web a little more responsive and a little more human.

  • IBM
  • Microsoft
  • Awareness
  • Blue Kiwi Software
  • Ericsson Labs
  • Jive Software
  • Layered Technologies, Inc.
  • Neustar, Inc.
  • OpenText
  • Opera Software
  • Overtone
  • Qtask
  • Rackspace Hosting
  • Sony Ericsson

Sponsor & Exhibitor Opportunities

Rob Koziura
(415) 947-6111

Download the Web 2.0 Expo New York Sponsor/Exhibitor Prospectus

Media Partner Opportunities

Kaitlin Pike
(415) 947-6306

Contact Us

View a complete list of Web 2.0 Expo contacts.