tags:

views:

138

answers:

1
+3  Q: 

How safe am I signing into Google Spreadsheets with yeroon.net/ggplot2

I am impressed by what I have seen of yeroon.net/ggplot2 which is a web interface for Hadley Wickham's R package ggplot2. I want to try it out on my own data. The part that has me very excited is that one can use data stored in one's own Google spreadsheet as the data. One just signs into their Google Account so that yeroon.net/ggplot2 can access the spreadsheet list. I have been hesitant to do it. If I sign in whilst on yeroon.net am I handing over my username and password to a third party? It would not be wise of me to divulge my google password to third parties since Google is fast becoming my repository of everything.

How do I know if Jeroon's application is using ClientLogin or OAuth? My understanding is very basic and may be wrong but nevertheless here it is. OAuth would be better since it does not actually pass the password onto the third party application.

+5  A: 

Hi Farrel,

I am the creator of the yeroon.net/ggplot2, someone pointed me to this topic. I'll try to explain how the system currently works.

The application is using AuthSub authentication. The moment you sign into your Google account, a Google session is created. This session only has access to the Google documents and Google spreadsheet services that you gave permission for on the Google login page, so not to e.g. your mailbox.

Once you logged in, you retrieve a session token from Google: a unique key that belongs to the session and can be used to make requests to access your Google data. The session token is stored as a cookie on your browser until you close it. Every time you make a request to yeroon.net servers, this token is added to the request.

Using this token, the yeroon.net servers can access your google data, e.g. to retreive a spreadsheet. The token is not stored on the server, although I understand that you have to take my word on this. Also it is not possible to find out your username or password from the session token; it can only be used to retreive data, as long as the session lives.

hth,

Jeroen

Jeroen  2010-04-16 17:44:21
Thank you. Can you comment whether it is using ClientLogin verus OAuth? My original question has those two words hyperlinked to the Google pages about them.
Farrel  2010-04-16 19:12:18
The application is using AuthSub. ClientLogin is there mainly for non-web client software. Details are listed here: http://code.google.com/apis/gdata/docs/auth/overview.html
Jeroen  2010-04-17 11:01:56

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication