ATutor

Learning Management Tools

Security of gadgets


  • 2010-12-27 23:03:27

    Security of gadgets

    If you are asking for help, provide lots of detail so problems can be reproduced.
    Hi
    I've added a Facebook gadget (by Ginga) into my ATutor, www.dershanen.com, using ATutor search.
    But I am anxious about the security of my Facebook and of course ATutor. How can I make myself sure and relaxed about the security?

    Things to describe:
    Operating system ATutor is installed on - Linux 2.6.32-25.8.BHsmp
    ATutor version - 2.0.2
    Patch #s applied -
    ATutor theme name - Default 2.0.2
    PHP version - 5.2.14
    MySQL version - 5.1.47-community-log
    Webserver & version -
    Copies of error messages -
    Changes to default settings -
    Web browser being used -
    ...and anything else relevant -

  • 2011-01-05 13:50:56

    Re: Security of gadgets

    From Harris: "Regarding the OpenSocial gadgets, if the gadget itself is not secured, then there isn't much we can do about it. We can tell the developer about it and warn users to use it at their own risk. Shindig renders JavaScript (which is the gadget XML file) and I don't think it can stop XSS, because it allows you to write any JavaScript."

  • 2011-01-06 15:38:19

    Re: Security of gadgets

    In addition, ATutor itself serves as the container by using Shindig (an open source project developed by Apache http://shindig.apache.org/).

    This allows any ATutor installation to import gadgets provided by gadget providers. When you add a gadget, ATutor will store a couple of gadget details such as its URL, author, title, height, etc. At times, ATutor stores some gadget settings which are requested by the gadget itself. To clarify on privacy concerns, we do not keep private data ourselves unless the gadget tells us to do so.

    For instance, ATutor will host the Facebook gadget as a container. When you log into Facebook via the gadget, ATutor knows nothing about your login name and password. The gadget SHOULD open up the Facebook remote login page to forward you in, then the gadget should use the Facebook SPI (service provider interface) to gather your details and send them to the Shindig server within ATutor. Shindig will receive this data and display it in ATutor. If the Facebook gadget is not secured, then we cannot do anything about it because we don't have control over it. It's the same idea as installing an application onto your computer, or installing add-ons in your browser. You should only install it when you trust the provider.

    I hope this clears your concern a bit.


    regards,
    Harris
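
Added example (not part of the original thread, and not ATutor or Shindig code): a small pre-install review of a gadget XML file that lists the details the container stores (title, author, height), the features the gadget requests, and the remote hosts and inline scripts it would load. It assumes the standard OpenSocial spec layout (`Module`, `ModulePrefs`, `Require`, `Content`); `review_gadget` and `SAMPLE_SPEC` are hypothetical names and the sample spec is constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample spec for illustration; not a real gadget.
SAMPLE_SPEC = """<Module>
  <ModulePrefs title="Example Social Gadget" author="Example Author" height="300">
    <Require feature="opensocial-0.8"/>
    <Require feature="setprefs"/>
  </ModulePrefs>
  <Content type="html"><![CDATA[
    <div id="out"></div>
    <script src="https://cdn.example.net/lib.js"></script>
    <script>
      document.getElementById("out").innerHTML = new gadgets.Prefs().getString("greeting");
    </script>
  ]]></Content>
</Module>"""

SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc\s*=)[^>]*>", re.I)
DOM_SINKS = ("innerHTML", "document.write", "eval(")  # patterns worth a manual look

def review_gadget(spec_xml):
    """Summarise what a gadget spec declares and loads, for a trust decision."""
    if "<!DOCTYPE" in spec_xml or "<!ENTITY" in spec_xml:
        raise ValueError("DTD/entity declarations are not expected in a gadget spec")
    root = ET.fromstring(spec_xml)
    prefs = root.find("ModulePrefs")
    report = {
        "title": prefs.get("title"), "author": prefs.get("author"),
        "height": prefs.get("height"),
        "features": [r.get("feature") for r in prefs.findall("Require")],
        "content_types": [], "remote_hosts": set(),
        "inline_scripts": 0, "dom_sinks": set(),
    }
    for content in root.findall("Content"):
        report["content_types"].append(content.get("type", "html"))
        if content.get("href"):  # type="url": the whole view is a remote page
            report["remote_hosts"].add(urlparse(content.get("href")).hostname)
        body = content.text or ""
        for src in SCRIPT_SRC.findall(body):
            report["remote_hosts"].add(urlparse(src).hostname)
        report["inline_scripts"] += len(INLINE_SCRIPT.findall(body))
        report["dom_sinks"].update(s for s in DOM_SINKS if s in body)
    return report

if __name__ == "__main__":
    print(review_gadget(SAMPLE_SPEC))
```

The report is only an inventory for the administrator; it does not make a gadget safe, and a gadget that loads script from a remote host can change after it has been reviewed.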