

Kik Messenger Insecure - mike-cardwell
https://secure.grepular.com/Kik_Messenger_Insecure

======
zbanks
I love how Chrome tells me that this link is insecure (something wrong with
SSL). Oh coincidences...

Besides that, I don't quite understand what separates this from any other IM
platform..?

~~~
pluies
Well... secure.grepular.com uses an unsigned certificate, that makes most
browsers squeak.

It is important to understand that albeit it's not proper https, this is still
an encrypted connection that will make eavesdropping impossible. Being signed
by an actual authority is only necessary to ensure the website we're talking
to is actually secure.grepular.com, and not a man-in-the-middle that would
intercept our queries and forge answers. "Unfortunately", both ideas of
security and authentication are part of https, and having one without the
other is going to pop big scary messages.

This sort of https is _still_ more secure than plain http.

His point about transmitting the password in plain sight is a very good one.
Firesheep showed how bad it is to transmit your cookies in plaintext, but
sending your login/pass is even worse.

~~~
MichaelGG
Making browsers squeak is a fundamental part of the SSL security model.

Invalidly signed HTTPS is only slightly more secure than HTTP. Let's look at
the open WiFi scenario. If you login to ServiceX over HTTPS but ignore
certificate warnings, I can just mount a man-in-the-middle attack and relay
all your traffic to ServiceX. It's more involved than just sniffing your
cookies, but it's still quite practical.

The only place where ignoring certificates is OK is if you know that an
attacker can _read_ your network, but cannot write anything to it.

~~~
cheald
Explain this to me, because one of us is misunderstanding https. As I
understand it, the danger of a self-signed certificate is that you don't know
if it was issued by the site owner. You don't get the certificate authority's
trust by proxy, but if the certificate is genuine, it's as secure as any level
3 SSL certificate. The only thing a CA certificate is guaranteed to get you is
the CA's rubber stamp that they issued it.

~~~
MichaelGG
You said it yourself: "the danger of a self-signed certificate is that you
don't know if it was issued by the site owner".

In the case of someone attacking you on WiFi, that self-signed certificate
_wasn't_ issued by the site owner. It was issued by the attacker. If you
happily ignore warnings, your browser will just set up a "secure" connection to
the attacker. Then the attacker just creates another HTTPS connection to your
actual destination, and proxies the content back and forth.

Now, if the attacker can only read packets, then yes, the actual encryption is
still secure. But in many places where an attacker can sniff (WiFi, on your
Ethernet), they can also inject.

There are lots of problems with CAs and the crappy verification that goes into
most certificates. But having a CA cert for SSL still significantly raises the
bar and limits the extent of an attack. (If one did get a signed cert for
PayPal or Facebook, they couldn't just go and publish it in a program like
Firesheep, as it'd get revoked pretty quickly.)
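
Added example, not part of the thread or of any commenter's post: one way a client can talk to a self-signed site without giving up authentication is to pin the certificate's SHA-256 fingerprint, learned over a separate trusted channel. The function names and the sample byte strings are assumptions made for this illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalise(pin: str) -> str:
    """Accept both 'AA:BB:...' and 'aabb...' spellings of a fingerprint."""
    return pin.replace(":", "").replace(" ", "").lower()


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate with the pin."""
    return hmac.compare_digest(fingerprint(der_cert), normalise(pinned))


def connect_pinned(host: str, port: int, pinned: str, timeout: float = 5.0):
    """Connect to a self-signed host, accepting only the pinned certificate."""
    # CA validation is off because a self-signed certificate cannot pass it.
    # On its own this context accepts any certificate, an interceptor's included;
    # the pin check below is what restores authentication.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if not der or not pin_matches(der, pinned):
        tls.close()
        raise ssl.SSLError("certificate does not match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; no network access needed.
    site = b"constructed: the site's certificate"
    other = b"constructed: a different certificate"
    pin = fingerprint(site)
    print(pin_matches(site, pin), pin_matches(other, pin))
```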

------
sp4rki
I find Kik could easily be the Blackberry killer app we've all been hoping
for. The only real reason most Blackberry users don't switch to iOS or Android
is Blackberry messenger. I hope they can get their security up to par.

~~~
jrockway
What's Blackberry messenger? It isn't enabled on my Blackberry. (Nor is the
camera, or text messages, or pairing with non-approved Bluetooth headsets, or
the "app world", or ...)

The reason Blackberry users don't switch to iOS or Android is that their
employer mandates Blackberry. I would much rather use my Android phone for
work, but RIM's marketing worked, and I can't. (Think about how insecure our
company's intellectual property would become if I could join a conference call
with a headset that didn't have 128-bit encryption!)

~~~
sp4rki
Do you work for the government? I have to use a Blackberry because of
business, but it's a pretty decent smartphone. I'd prefer it to an Android
phone, though if I could I'd just get an iPhone. C'est la vie.

~~~
jrockway
No, but Fortune 500, so almost the same thing.

The stuff that's locked down is not what bothers me about a Blackberry. It's
the core functionality; the hardware keyboard is harder to use than a software
keyboard (because there is no autocorrect), and "push email" is much slower
than IMAP on my Android phone.

The worst feature is the keylock -- it doesn't work. Unlocking involves
pressing a key, which is why the keylock exists anyway. The thing makes a ton
of calls in my pocket, often to 911.

~~~
sp4rki
My experience is once again completely different. I kind of prefer the extra
speed the hardware keyboard provides and my Blackberry does have auto-correct.
Emails are pushed to my phone before either the browser or my email client
notify me. I just sent an email to myself and I received the push notification
almost instantly (around 5 seconds faster than both the browser and the
client). On my phone, un-locking means either pressing a series of keys at the
same time or pressing a hardware button on the top of the phone. I have never
ever had my phone misdial or even been unlocked by mistake. It is easy
to un-lock it when I really do want to though.

May I ask what model you are using? I'm currently using a 9700 and other than
the fact that I miss a few apps I had on my iPhone, I actually do find this
phone pretty good where smartphones are concerned.

~~~
jrockway
The phone doesn't have the model number on it anywhere. It's a Bold from
Verizon purchased a few months ago.

I blame Exchange for the slow push mail. It always takes forever to notify the
desktop client of a new message. (But the Blackberry is still slower. I have
often read and responded to a message before my Blackberry alerts me of "new
mail".)

------
some1else
Encryption didn't make it into the MVP? :-)

------
grovulent
Can someone explain to me what's so awesome about this app? When that other link
hit the front page - I couldn't even tell what the hell the app was for. I
guessed from the image that it was some kind of messaging app - but couldn't
for the life of me find any information on that site that could tell me why I
care.

And yet - a million people seem to have done better than I. Dubious...

~~~
liuhenry
Well, the "asynchronous" and sent-delivered-read notifications are cool, but
what I'm really excited about is this:

"Here’s where things get interesting. If it can build its community, Kik has a
lot of new territory to cover if it wants to. It can layer on functionality as
it sees fit. For example, it can let you take pictures, and show friends what
you’re seeing. It can then let you stream the music you’re listening to,
directly from your phone over your friend’s phone. The same can be done for
video. And it can be done over any device. While none of this is available
right now with the app, Livingston demonstrated this advanced streaming
technology to me, so it’s clear he can turn it on at pretty much any time.

During the demo of all this, we sat hundreds of miles away from each other,
but he was able to remotely take over the Chrome browser (with my permission,
of course) on my MacBook. He then played music over it — all while remotely
operating this from his phone. All I did was enter a code that he gave me so
that my browser knew to pair with the phone and allow the stream. (A QR code
can be used, too.)

It’s pretty cool. _Basically, Kik’s technology lets you wirelessly “sling” any
content on your phone to any device running on any software. This hasn’t been
done before, as far as I know. Sure, AppleTV lets you stream iTunes content to
the TV, but it’s a closed garden. You can’t run Apple content on other
devices. Kik’s technology allows you to stream pretty much any content on any
device with a browser, whether it’s a basic PC, or even a PS3, Wii or a
Windows Media Center device._

It’s heady to think of the future of this application. I can scan my
surroundings with the camera on my Droid, Blackberry or iPhone with merely a
cellular connection, and then stream it to my friend’s phone. Or I can go to
my friend’s home and stream an HD movie from my phone onto his TV."

from:
<http://venturebeat.com/2010/11/03/kik-messenger-sees-explosive-start-a-mobile-chat-better-than-sms/>

It's also promised on their blog:
<http://www.kik.com/blog/2010/11/zero-to-a-million-in-15-days/>

~~~
kenjackson
_Basically, Kik’s technology lets you wirelessly “sling” any content on your
phone to any device running on any software._

That should have been on the home page. This "free real-time texting" thing
makes no sense to me. Doesn't virtually everyone with a modern smartphone have
free real-time texting?

But being able to stream live TV from my Media Center box to my phone would be
cool.

~~~
btucker
> Doesn't virtually everyone with a modern smartphone have free real-time
> texting?

At least in the US, the cell companies charge a pretty penny for text
messages.

------
rane
"You should follow me on twitter" on super bold red. Always lame sounding.

~~~
mike-cardwell
Yeah, my whole website design is shit. I've learnt a lot about web design
recently though, especially from articles posted here on HN, and am currently
redesigning it. Here's my current front page under development:
<http://dev.grepular.com/>

------
mike-cardwell
I've explained the SSL situation here:
<http://news.ycombinator.com/item?id=1880051>

