Aral Balkan @aral

Recent searches

Search options

Only available when logged in.

**Aral Balkan** @aral · Jan 2, 2022

Jan 2, 2022

So because this is the Interwebs, I just hacked together an admin panel and a delete signatory feature for the web0 manifesto.

https://web0.small-web.org

(Sorry, Sergi [sic], Google isn’t allowed to sign it.) ;P

Screenshot of the adminstration panel running on localhost with signatories details redacted.

Screenshot of the delete confirmation dialogue showing the fictitious Google signatory about to be deleted.

#web0

Aral Balkan @aral@mastodon.ar.al

PS. Site.js makes it very simple to hack together a secure admin page for your small web app using a cryptographically secure secret route without requiring you to build a role management system with passwords, etc. Perfect if you’re the only one to access it.

https://github.com/small-tech/site.js/blob/master/README.md#creating-an-admin-page

GitHubGitHub - small-tech/site.js: [Moved to Codeberg] Develop, test, and deploy your secure static or dynamic personal web site with zero configuration.[Moved to Codeberg] Develop, test, and deploy your secure static or dynamic personal web site with zero configuration. - GitHub - small-tech/site.js: [Moved to Codeberg] Develop, test, and deploy y...

#SiteJS #SmallWeb

Jan 02, 2022, 01:27 PM··Web

2boosts·6favorites

**Daniel 黄法官 CyReVolt** @CyReVolt@mastodon.social · Jan 2, 2022

Jan 2, 2022

Daniel 黄法官 CyReVolt @CyReVolt@mastodon.social

@aral Makes me happy to see others also follow that design. I had implemented the same for OrangeCMS: One user, no user database; the only data store in a DB is split up into two tables for posts and tags. Turns out that's sufficient. :)

**Sheogorath** @sheogorath@shivering-isles.com · Jan 2, 2022

Jan 2, 2022

Sheogorath @sheogorath@shivering-isles.com

@aral Uhm, no?

Just because you have a secret in that URL, doesn't automatically mean it's secure. The opposite is the case, due to that it's explicitly not secure.

This is a token-based authentication and it stores a long term token in a URL. Besides the risk of exposing this URL through sending it somewhere by accident, it is automatically stored in your browser history (unless adjusted).

https://cwe.mitre.org/data/definitions/598.html

cwe.mitre.orgCWE - CWE-598: Use of GET Request Method With Sensitive Query Strings (4.6) Common Weakness Enumeration (CWE) is a list of software weaknesses.

**Aral Balkan** @aral · Jan 2, 2022

Jan 2, 2022

Aral Balkan @aral

@sheogorath Yes, it’s secure unless you share it or if you access it on a non-private session on a public machine.

If that’s not acceptable for your threat model, sure. For mine, it’s perfectly adequate.

**rugk** @rugk@chaos.social · Jan 2, 2022

Jan 2, 2022

rugk @rugk@chaos.social

@aral @sheogorath Uuuuhm did not you just demonstrate the weakness of that approach. Did not you share the URL publicly here on Mastodon?

**Aral Balkan** @aral · Jan 2, 2022

Jan 2, 2022

Aral Balkan @aral

@rugk @sheogorath Yep, I did. I shared the *localhost* URL on my development machine publicly on Mastodon.

And if you can reach that, I have far greater problems ;)

**rugk** @rugk@chaos.social · Jan 2, 2022

Jan 2, 2022

rugk @rugk@chaos.social

@aral @sheogorath Well ok, of the secret is different in prod at least

**Sheogorath** @sheogorath@shivering-isles.com · Jan 2, 2022

Jan 2, 2022

Sheogorath @sheogorath@shivering-isles.com

@aral My model looks quite different but also doesn't matter here, because what I'm bothered with is that the instructions don't really mention these limitations/risks and claim this would be "cryptographically secure" while the only cryptographic thing happening is the random number generation. (Ignoring the defacto standard HTTPS connection.)

The missing explanation of risks for this method is what concerns me, as it explicitly works against known best practices.