The software I’m working on needs a new authorisation system. The system needs to be prepared for 3 scenarios: to restrict access to a page, to hide part of a page and to block access to data. Let’s solve these problems using claims.
Troy Hunt tweeted how a site uses a fake password field so that browsers wouldn’t show the insecure warning. If you want to know the details of this incident, I gladly refer you to Troy’s blog post. In this post, I want to talk about the deliberate malpractice that goes into this behaviour.
A few weeks ago, I updated the look and feel of this blog. Let me give you a quick explanation of why I did this.
With my experience in IT, it’s more surprising that such a massive attack took so long to happen.
For the project I’m working on, I have to grant users access to pages. Pretty standard; ThinkTecture solved this problem long ago. Since this is a government project, they don’t understand the benefit of using a lot of outside packages. So, based on a blog post from Dominick Baier on using claims-based authorization in MVC, I built the following method:
Recently I was at a party and the topic turned to “the terrorists use encryption to hide their communications, we should get rid of all encryption so the police can monitor everything.”
And to my shame, I had only technical answers such as “but you need encryption because of security, otherwise everybody can see what you’re doing.”