Obfuscation of url LINKS - Pitch in ?

ACDC
Posts: 1138
Joined: Sat Jun 30, 2007 5:03 pm
Location: California, USA

Obfuscation of url LINKS - Pitch in ?

Post by ACDC »

When I send a URL link to a user to view/edit a record in AwareIM, I want to obfuscate the link so the user cannot make out the content of the URL string.

There are some reasons for this, one being so an inquisitive client (user) cannot second-guess other records and snoop around the system object.
(This is quite possible; all one has to do is change the ID in the URL etc etc)

Also it's a good way to hide the password (although it can be decoded with some effort, at least it's better than an exposed password).

I understand this is possible by using the BASE64 method. I have had a dialogue with support and this is possible but will cost for the implementation.

I am looking for some volunteers to pitch in for this feature. I am sure this has universal appeal. Any takers?
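The snooping problem described above (edit the record ID in the query string, read someone else's record) is an access-control problem, and the usual fix is to stop putting a guessable ID in the link at all. The following is an added example, not AwareIM code or anything posted in this thread; it assumes a hypothetical base URL, an in-memory token store standing in for a database table, and constructed sample records. Each emailed link carries a random 256-bit capability token that the server maps back to the record, the intended recipient and an expiry. Editing the token gives a lookup miss, not a neighbouring record.

```python
"""Per-email links built from an unguessable token instead of a visible record ID.

Added example, not from AwareIM. BASE_URL, the RECORDS sample data and the
in-memory _links store are assumptions; a real deployment keeps the
token -> record mapping in the database.
"""
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed application URL (placeholder host, not a real deployment).
BASE_URL = "https://app.example.com/AwareIM/logonOp.aw"

# Constructed data: records with the predictable integer IDs a curious
# user could enumerate by editing ?record=1001 to ?record=1002.
RECORDS = {1001: "Invoice for client A", 1002: "Invoice for client B"}

# token -> (record_id, recipient, expiry as a POSIX timestamp)
_links = {}


def issue_link(record_id: int, recipient: str, ttl_seconds: int = 86400) -> str:
    """Create a one-off link for one recipient.

    secrets.token_urlsafe(32) yields 256 bits of randomness, so guessing
    another user's token by editing characters is infeasible, and the
    record ID never appears in the URL at all."""
    if record_id not in RECORDS:
        raise KeyError(record_id)
    token = secrets.token_urlsafe(32)
    _links[token] = (record_id, recipient, time.time() + ttl_seconds)
    return f"{BASE_URL}?{urlencode({'t': token})}"


def resolve_link(url: str, now: Optional[float] = None):
    """Server side: map the token back to the record, or return None when
    the token is unknown, expired, or the query string was edited."""
    now = time.time() if now is None else now
    token = parse_qs(urlsplit(url).query).get("t", [None])[0]
    if token is None or token not in _links:
        return None
    record_id, recipient, expiry = _links[token]
    if now > expiry:
        del _links[token]          # expired links are dropped, not reused
        return None
    return {"record_id": record_id, "recipient": recipient,
            "content": RECORDS[record_id]}


def revoke(url: str) -> None:
    """Invalidate a link early (e.g. when the email was sent to the wrong address)."""
    token = parse_qs(urlsplit(url).query).get("t", [None])[0]
    _links.pop(token, None)


if __name__ == "__main__":
    link = issue_link(1001, "alice@example.com")
    print(link)
    print(resolve_link(link))
    # Editing the query string the way one edits a numeric ID gets nothing:
    print(resolve_link(BASE_URL + "?t=notarealtoken"))
```

The token is a bearer credential: anyone holding the email can use it, so the server should still apply the normal object privacy rules for the recipient once the token resolves, and the expiry keeps a forwarded or leaked link from working indefinitely.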
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Obf. links

Post by hpl123 »

Sounds interesting and like a good feature. What is the cost/estimate for this work?
Henrik (V8 Developer Ed. - Windows)
ACDC
Posts: 1138
Joined: Sat Jun 30, 2007 5:03 pm
Location: California, USA

Post by ACDC »

The estimate was for around $250.00; this could change though.
RLJB
Posts: 914
Joined: Tue Jan 05, 2010 10:16 am
Location: Sydney, Australia

Post by RLJB »

Can you provide some more details around how this would work - so I can understand what you're proposing? (which I think would be useful for us)

For example are you talking about, where you send someone a link to log into an aware app (usually as a guest) and do a firstcommand, currently you would use something like this:

http://myIP:8080/AwareIM/logonOp.aw?dom ... tr2=Value2...

Are you proposing this feature would make it look like this:

http://myIP:8080/AwareIM/logonOp.aw?dom ... udh90sdjsi

Or something similar?
Rod. Aware 8.6 (latest build), Developer Edition, on OS Linux (Ubuntu) using GUI hosted on AWS EC2, MYSQL on AWS RDS
Rennur
Posts: 1191
Joined: Thu Mar 01, 2012 5:13 am
Location: Sydney, Australia

Post by Rennur »

Similar to the Facebook login, Twitter login, Gmail integration...

https://bitly.com/ URL shortening also offers an API and can be integrated with AIM to offer this service.

There are others as well like http://goo.gl.

Wonder if this is something that might be useful.

Cheers
ACDC
Posts: 1138
Joined: Sat Jun 30, 2007 5:03 pm
Location: California, USA

Post by ACDC »

RLJB

Yes, in your Object there would be a Base64 translation equivalent to the URL link. You can get more info here http://www.base64encode.org/

hpl123
Bitly won't work as the URL link is changing all the time. Each email sent has a unique ID in the URL link.
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Contribution

Post by hpl123 »

ACDC,
I can contribute some to get this feature. Others interested?
Henrik (V8 Developer Ed. - Windows)
intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Post by intra »

Yes... like the idea... put me down.
ACDC
Posts: 1138
Joined: Sat Jun 30, 2007 5:03 pm
Location: California, USA

Post by ACDC »

Anybody else interested? Currently there are 3 of us willing to pitch in.

The cost to each of us at the moment is $83.33, subject to confirmation from support.

So please don't be shy, the more the merrier.
intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Post by intra »

Straight BASE64 is pretty easy to decrypt, there are many websites around that do this. No point doing something half baked to thwart a "curious" user.

Might be good to do a simple XOR shift by a definable number and then use base 64 encoding.

If you're really paranoid... maybe use a proper encryption standard and then base 64.

Thoughts?
intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Post by intra »

Maybe an Encrypt/Decrypt function and a Base64Encrypt/Base64Decrypt function.

Which would result in something like this

Base64Encode(Encrypt('SHA-128','Bo.Phrase')) which you then could call somehow?
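The two posts above make the central point: Base64 is an encoding, not encryption, and an XOR "shift" with a short key is recoverable from the part of the query string an attacker already knows. One caveat on the sketch above: a hash such as SHA is one-way, so it cannot carry a record ID that the server later has to read back; what is needed is a keyed MAC for integrity (or authenticated encryption if the ID must also stay hidden). The following added example, not code from AwareIM or from any poster, shows all three points with the standard library: the Base64 link decoded in one call, the XOR key recovered by a known-plaintext attack on the fixed prefix `user=`, and an HMAC-SHA256 signed token with an expiry that the server verifies so that an edited record ID is rejected. The query string, the XOR key and `SERVER_KEY` are constructed sample values.

```python
"""Base64 and XOR undone, then an HMAC-signed token that rejects edited IDs.

Added example, not AwareIM code. QUERY, the XOR key and SERVER_KEY are
constructed sample values; SERVER_KEY would be a random secret held only
on the server. Hiding the ID as well needs authenticated encryption
(e.g. AES-GCM from the 'cryptography' package), which is not in the
standard library and so is not shown here.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

QUERY = "user=guest&record=1001"          # constructed sample query string
SERVER_KEY = b"assumed-server-secret-change-me"   # assumption: server-side only


def base64_obfuscate(s: str) -> str:
    return base64.urlsafe_b64encode(s.encode()).decode()


def base64_recover(s: str) -> str:
    # No key is involved: any Base64 decoder undoes this.
    return base64.urlsafe_b64decode(s).decode()


def xor_apply(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_obfuscate(s: str, key: bytes) -> str:
    """The 'XOR shift by a definable number, then base 64' proposal."""
    return base64.urlsafe_b64encode(xor_apply(s.encode(), key)).decode()


def xor_break(token: str, known_prefix: str, key_len: int) -> str:
    """Known-plaintext attack: every link starts with the same text
    ('user='), so XORing it with the first ciphertext bytes returns the
    key stream, which for a short repeating key is the key itself."""
    assert key_len <= len(known_prefix), "need a known prefix at least as long as the key"
    ct = base64.urlsafe_b64decode(token)
    stream = bytes(c ^ p for c, p in zip(ct, known_prefix.encode()))
    return xor_apply(ct, stream[:key_len]).decode()


def sign_token(record_id: int, user: str, ttl: int = 86400,
               now: Optional[int] = None) -> str:
    """Stateless token: claims + HMAC-SHA256 tag, both URL-safe Base64.
    The payload stays readable; the tag makes any edit detectable."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"r": record_id, "u": user, "exp": now + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims, or None if the token is malformed, edited or expired."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        claims = json.loads(payload)
    except ValueError:                      # binascii.Error is a ValueError
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    if now > claims.get("exp", 0):
        return None
    return claims


def tamper(token: str, new_record_id: int) -> str:
    """What the curious user does: decode, change the record ID, re-encode,
    keeping the original signature."""
    p64, t64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(p64))
    claims["r"] = new_record_id
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + t64


if __name__ == "__main__":
    print(base64_recover(base64_obfuscate(QUERY)))
    print(xor_break(xor_obfuscate(QUERY, b"\x13\x37\x42\x7a"), "user=", 4))
    tok = sign_token(1001, "alice")
    print(verify_token(tok))
    print(verify_token(tamper(tok, 1002)))   # None: signature no longer matches
```

When embedding the token in a link, pass it through `urlencode` so the `=` padding survives. The signed token needs no server-side table, but it does not hide the record ID; if the ID must stay secret as well, use a random opaque token stored server-side or authenticated encryption rather than plain Base64 or XOR.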
ACDC
Posts: 1138
Joined: Sat Jun 30, 2007 5:03 pm
Location: California, USA

Post by ACDC »

Yes, it is half baked. Maybe you are on to something here; if you have a more secure way of doing this then please elaborate...

All I do know is there is a definite need to encrypt URL links embedded in outgoing emails and SMS messaging, especially with passwords and keeping client information private.
pbrad
Posts: 781
Joined: Mon Jul 17, 2006 11:03 pm
Location: Ontario, Canada

Post by pbrad »

Hi,
I tripped over this site the other day. Would it present a possible solution to what you are trying to achieve? It might also be a way to simplify the main url in order to strip out the port and `AwareIM` folder name in the path?

I don't have much time right now but I suspect that this should work to rewrite the url prior to showing it:

http://www.tuckey.org/urlrewrite/

Cheers,
Pete
Pete Bradstreet
Contract developer of commercialized applications

AwareIM Ver. 8.2
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Post by hpl123 »

intra wrote:Straight BASE64 is pretty easy to decrypt, there are many websites around that do this. No point doing something half baked to thwart a "curious" user.

Might be good to do a simple XOR shift by a definable number and then use base 64 encoding.

If you're really paranoid... maybe use a proper encryption standard and then base 64.

Thoughts?
I agree, if it's possible to create a more solid solution/protection this is the way to go.
Henrik (V8 Developer Ed. - Windows)
nlarson
Posts: 597
Joined: Thu Apr 14, 2011 7:56 pm

Post by nlarson »

Did this feature ever make it in? I just stumbled upon the thread and would be happy to chip in. Although, security being an ever-growing concern, I really think Aware needs more official support for https certificates & persistent session cookies.

1. the string is protected from 3rd party snooping @ 128bit
2. the app login is protected by either recycling a session token or forcing the user to login if no cookie exists.
3. the data would be protected from a second-party 'curious' user by whatever privacy rules you have put on the business object.

If that happened you have solid security, not just camouflage. That is something I would put some real money towards.