
Nice. I hope the app has a "don't send passwords" warning in there ;) Also, how do you (do you?) handle SSL operations, especially POSTs?



It doesn't have a "don't send passwords" warning. I should definitely add some kind of warning/disclaimer page that pops up when you boot the app.

I display a warning when the user tries to navigate to an HTTPS URL that messages sent to/from Smozzy aren't encrypted and it's not recommended that you proceed. I had a general idea for an encryption scheme (hardcode Smozzy's certificate's public key into the application and use it to encrypt a randomly generated string with each request and then send that encrypted string with the request and use the unencrypted string as a symmetric key to encrypt the rest of the request/response), but I was kind of too lazy to implement it for the initial release.

-----


What User-Agent string are you using? It's a clever hack, but I can't allow my users to access sensitive information via your proxy. It sounds like you might be changing or adding hosts as you gain users, so blocking based on User-Agent will be a good start (unless, of course, you choose to use your powers for evil, in which case I'll have to resort to my own clever devices).

-----


The user-agent is somewhat configurable within the application. You can currently choose between 4 options: Nexus S, iPhone 4, Windows 7 Chrome, or None (no user agent string sent). I didn't want to change the actual strings from what is used on these devices, because I wasn't sure if sites would still recognize the string as corresponding to a mobile device (in the cases of the Nexus S and iPhone 4 options) if I altered it. Maybe this wasn't the best decision but I wasn't intentionally trying to "use my powers for evil". If anyone can think of an alternative let me know.

You are obviously welcome to block my domain/IP (not that I could stop you). I don't currently plan to expand beyond a single host. Even in the midst of all this coverage my single VPS seems to be working fine. Sorry in advance if I cause problems for you or any other admins...

-----


You could try this http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exch... Although, it would depend on finding a pre-existing implementation (remember it is a bad idea to implement your own crypto). Is there a trustworthy source of random characters available?

-----


Well, Diffie-Hellman wouldn't work very well for this since any conversation between my server and the client would take a long time, unless I'm misunderstanding what you're suggesting.

The motivation behind the scheme I came up with is that it could be done with no pre-communication, hence why my RSA public key would be hardcoded into the client.

-----


Any chance we can get it to work with things like Texty or DeskSMS? It seems that these apps grab the MMS messages and the app never receives the page, I think.

-----
