Hacker Neue

Preferences
psychotik parent
Nice. I hope the app has a "don't send passwords" warning in there ;) Also, how do you (do you?) handle SSL operations, specially POSTs?
FaceKicker
It doesn't have a "don't send passwords" warning. I should definitely add some kind of warning/disclaimer page that pops up when you boot the app.

I display a warning when the user tries to navigate to an HTTPS URL that messages sent to/from Smozzy aren't encrypted and it's not recommended that you proceed. I had a general idea for an encryption scheme (hardcode Smozzy's certificate's public key into the application and use it to encrypt a randomly generated string with each request and then send that encrypted string with the request and use the unencrypted string as a symmetric key to encrypt the rest of the request/response), but I was kind of too lazy to implement it for the initial release.

qjz
What User-Agent string are you using? It's a clever hack, but I can't allow my users to access sensitive information via your proxy. It sounds like you might be changing or adding hosts as you gain users, so blocking based on User-Agent will be a good start (unless, of course, you choose to use your powers for evil, in which case I'll have to resort to my own clever devices).
FaceKicker
The user-agent is somewhat configurable within the application. You can currently choose between 4 options: Nexus S, iPhone 4, Windows 7 Chrome, or None (no user agent string sent). I didn't want to change the actual strings from what is used on these devices, because I wasn't sure if sites would still recognize the string as corresponding to a mobile device (in the cases of the Nexus S and iPhone 4 options) if I altered it. Maybe this wasn't the best decision but I wasn't intentionally trying to "use my powers for evil". If anyone can think of an alternative let me know.

You are obviously welcome to block my domain/IP (not that I could stop you). I don't currently plan to expand beyond a single host. Even in the midst of all this coverage my single VPS seems to be working fine. Sorry in advance if I cause problems for you or any other admins...

keeperofdakeys
You could try this http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exch... Although, it would depend on finding a pre-existing implementation (remember it is a bad idea to implement your own crypto). Is there are trust-worthy source of random characters available?
FaceKicker
Well, Diffie-Hellman wouldn't work very well for this since any conversation between my server and the client would take a long time, unless I'm misunderstanding what you're suggesting.

The motivation behind the scheme I came up with is that it could be done with no pre-communication, hence why my RSA public key would be hardcoded into the client.

srcasm
Any chance we can get it to work with things like Texty or DeskSMS? It seems that these apps grab the MMS messages and the app never receives the page, I think.

This item has no comments currently.