The Secret Life of Secrets

Dylan Ayrey, Hon Kwok

BSidesSF 2024 · Day 1

This talk, "The Secret Life of Secrets," delivered by Dylan Ayrey and Hon Kwok at BSidesSF 2024, delves into the often-overlooked yet critical impact of user experience (UX) and design choices on the security of API keys, secrets, and cryptographic tokens. The presenters argue that the way secrets are designed—their "shape and texture"—fundamentally influences how users interact with them, leading either to increased security or widespread leakage and vulnerabilities. The core premise is that design dictates behavior, and even seemingly minor design decisions can have profound, far-reaching security implications across the industry.

AI review

This talk dissects how poor user experience design in API keys and authentication tokens directly leads to significant security vulnerabilities and widespread leaks. The speakers provide compelling case studies, from URL-shaped webhooks to JWTs and BYOK schemes, demonstrating how design choices, often made without security input, create systemic weaknesses. They back their claims with empirical data, showing real-world impact of these design failures.
