Last week I went to Paris, France to speak at a Yahoo Developer Network event and Paris Web. Paris Web is a web development, design and accessibility conference that runs for the fourth year (I think) and I’ve been speaking there for the third time.

My presentation – basic housekeeping

Originally I planned to speak about my favourite topic – the web of data and how to use it – but the organisers had other plans for me. Normally I hate changing my topic and being asked to do specials but I have a fond spot for Paris Web so I talked about web security instead. The slides of my “basic housekeeping” talk are available on SlideShare:

In the talk I covered some very basic measures you can take to protect your web site from becoming a spam hub, part of a botnet or simply get spammed. I pointed out the following mistakes people make:

• Underestimating the severity of web application security holes – it is not about your server but also about users who use the same passwords all over the place.
• Keeping folders listable and thereby allowing people to find vulnerable scripts and dig into data they shouldn’t be able to see (the example I showed was eat.co.uk failing to protect their /cgi folder and thus allowing full access to an admin section and listing their DBs)
• Allowing search engines to index admin sections of web applications (I proposed using robots.txt but as one attendee pointed out in the Q&A protecting with .htaccess makes a lot more sense)
• Keeping error messaging on and thus allowing people to gain insight into your server setup
• Having an insecure PHP setup with globals enabled which would allow for overriding security checks and remote code injection (using phpsecinfo can help you find these issues)
• Blindly relying on software and not testing installs. Also, not overriding preset users and passwords (as an example try the user and password “builtin” on any Ektron-powered web site)
• Not keeping installs and plugins up-to-date
• Relying on HTML as a source of data for JavaScript/Ajax (I can easily manipulate this in Firebug)
• Relying on JavaScript – you can’t and if you use it as the only means of validation turning off JavaScript allows attackers to inject any kind of data.
• Leaving information inside the HTML by commenting out in HTML - always comment on the server side.
• Not filtering inputs.
• Trying to filter instead of whitelisting
• Allowing for inclusion into iframes and thus allowing for clickjacking.
• Failing to provide easy to use and stress-free interfaces and thus allowing for social engineering (“This is too hard for you, give me your password and I will fill this out for you”).
• Staying authenticated and logged in over a longer period and thus allowing attackers to make you click on web sites that contain CSRF traps (the example was demo code that could get protected Twitter updates).
• Giving users the impression that you are the one responsible for security instead of it being the job of both the user and the site provider.
• Relying on Captchas as a sole measure against bot attacks (check PWNtcha for a captcha cracking tool).
• Not keeping their software up-to-date
• Not periodically checking their logs for hacking attempts.

I then quickly went over some of the ideas we now have in place to make the web easier to use and at the same time safer: Guest Passes, One-off logins, oAuth, OpenID and Caja.

I explained the security threats and trends in phishing social networks, the mobile web, camera access, geo location access and biometric recognition.

I had good feedback and I love speaking in France. You can make jokes and people are happy to laugh out loud when you bring up things that are just not expected.

The rest of the conference

This is a general thing at Paris Web. The speakers do not only really know what they are talking about but are also happy to be unconventional when it comes to presenting. Whilst the slides of ParisWeb do only hint at that you can find some very cool photos of what is going on there.

Also check out the video:

The location is very luxurious (IBM’s HQ in France) and has all the latest systems you need for presenting – microphones, a great projection system, on-stage monitors, live translation and so on. The catering was very impressive and the food was – well, it is France, we don’t need to say more.

Double budget approach

The other great thing that Paris Web does that other conferences should copy is that on the day after the conference there are workshops with the speakers who are happy to give them for a very low price (last year it was 10 Euro, not sure what it was this year). This allows students that cannot afford the main conference to come only on Saturday and still take advantage of the experts coming to Paris.

All in all I am always very proud to be part of the conference and to see the enthusiasm and great things that happen in France when it comes to advocating web standards, future technologies and ways to work professionally as web designers. The strong streak of accessibility and usability that compliments the high-tech talks makes it a useful conference for anybody who creates any work on the web.

Alas, there is one issue.

The language barrier

As the conference is held predominantly in French, a lot of the great insights, information and practices is lost for non-francophones. This is a shame as I am very impressed with the pragmatic approach of the talks. There is not much “blue sky” thinking but very down-to-earth information on how to build better products, how to talk to your boss in the right way, how to make web development an important part of your company’s portfolio and a lot of talks about quality of our work and pragmatic accessibility. All the talks are filmed and recorded and it would be a great step for Paris Web to translate the transcripts – maybe that is something that can be done with crowdsourcing?

Last week I was in Paris for a Yahoo Developer Network evening and Paris Web and one of the talks I gave was an introduction to Yahoo Open Applications. These are applications that you can embed in the Yahoo homepage or My Yahoo and thus allow you to reach millions of users – or extend the Yahoo homepage with your own personal app. Here are the slides and the audio recording of the talk delivered by Sophie Davies-Patrick (aka “my boss”) and me at La Cantine in Paris:

• Audio of Introduction to Yahoo Open Applications – 33MB MP3 (other audio options on archive.org)

Yahoo Open Applications use the Yahoo Application Platform – YAP. In essence, you write a small app using CSS, JavaScript and HTML and it will get embedded into the Yahoo Homepage.

TweetTrans – translate Twitter updates

The example I showed was a tool that adds little translation links to a Twitter stream:

The code of TweetTrans is available on GitHub and I’ve built it initially as a bog-standard Ajax web application.

The main step afterwards was to convert the app over. This is less hard than it seems upfront but the fact that YAP uses Caja to make the whole application more secure means you need to restrict yourself. Things you cannot use are:

Caja and HTML

• Custom attributes
• Custom tags
• Unclosed tags
• EMBED
• IFRAME
• javascript:void(0)
• Radio buttons in IE
• Relative URLs

Caja and CSS

• star hacks
• _ hacks
• IE conditionals
• Insert-after clear fix
• expression()
• @import
• Background images in IE

Caja and JavaScript

• eval()
• new Function()
• Strings as event handlers (node.onclick = ‘...’;)
• Names ending with double / triple underscores
• with function (with (obj) { ... })
• Implicit global variables (specify var variable)
• Calling a method as a function
• document.write
• window.event
• OpenSocial gadgets.io.makeRequest return JS

Get the SDK

The easiest way to build Yahoo Open Apps is to use YML which is a markup language that gives you access to the Yahoo social connections and creates Ajax functionality for you without having to write any JavaScript.

If you want to use the full Yahoo social stack the best place to start is to download the SDK which makes the oAuth authentication very easy for you.

Distribution

Once you have your app done you can easily make people install it by sending them a link. This link contains the application ID. In the case of TweetTrans this is:

http://yahoo.com/add?yapid=zKMBH94k

More info

To get more information, check out the YOS section on the Yahoo Developer Network and the forums on YAP.

Things that made me happy this morning.

• Changing a staircase into a massive piano makes 60% more people use it instead of the escalators – fun is the best way to make people use things.
• You can do vocoding with a Piano
• YQL meets SPARQL
• Kayak releases trends data – sadly enough not as a data API but as graphs
• Twig is a PHP5 templating engine with security baked in.
• Rails 3.0 now has XSS protection built in – congrats, guys.
• Michael Moore’s new web site is based on Django and here’s some info how they made it scale.
• This site is under construction is probably the best “under construction” animation collection ever.
• Google Moderator is a great app to collect questions for a final panel of a conference.
• Lego Mindstorm robots solving Rubik’s cubes – SkyNet has nothing on them
• Old point and click adventures in Canvas – play Leisure Suit Larry as a multiplayer game.
• The YQLEX builder is a nice mashup of the YUI grids builder and YQL

Things that made me happy this morning:

• I’ve built my first Yahoo App to add to your Y! homepage TweetTrans is a Twitter search with translation options
• In case you ever wanted to install linux on a dead badger – there is a tutorial for that. You could also case mod a beaver.
• If you ever need to define irony, simply point to the MOD manual on preventation of information leaking on the internet at Wikileaks (also on the Telegraph)
• PhotoSketch is an amazing tool to sketch a scene and stitch it together from pictures on the internets (also check the gallery)
• The best logo design tutorial in the world ever – word (art)
• Remy Sharp has a nice interactive jQuery documentation
• Yahoo Meme now comes with an API powered exclusively by YQL!
• Good trick on how to compress Keynote presentations – you go through PDF export and Preview
• The podcast and transcript of my Accessibility 2.0 keynote are now available
• Quite some disturbing info on Dark Stalking on Facebook – made me happy as this is something that can be fixed
• Interesting information about Logos in Lego Town – those minifig design agencies are not very consistent