Obfuscation of url LINKS - Pitch in ?

ACDC

When I send a url link to a user to view/edit a record in AwareIM, I want to obfuscate the link so the user cannot make out the content of the url string.

There are some reasons for this, one being so an inquisitive client (user) cannot second guess other records and snoop around the system object.
(This is quite possible, all one has to do is change the ID in the url etc etc)

Also its a good way to hide the password (although it can be decoded with some effort but at least its better than an exposed password)

I understand this is possible by using BASE64 method. I have had a dialogue with support and this is possible but will cost for he implementation

I am looking for some volunteers to pitch in for this feature- I am sure this has universal appeal - Any takers ?

hpl123

Sounds interesting and like good feature. What is the cost/estimate for this work?

ACDC

the estimate was for around $250.00, this could change though

RLJB

Can you provide some more details around how this would work - so I can understand what you're proposing? (which I think would be useful for us)

For example are you talking about, where you send someone a link to log into an aware app (usually as a guest) and do a firstcommand, currently you would use something like this:

http://myIP:8080/AwareIM/logonOp.aw?domain=BS&firstCommand=startProcessWithInit,MyProcess,main,MyObject&Attr1=Value1&Attr2=Value2...

Are you proposing this feature would make it look like this:

http://myIP:8080/AwareIM/logonOp.aw?domain=BS&key=hsjgbeiuuyh389ehd7832uhfd78233udh90sdjsi

Or something similar?

Rennur

Similar to the Facebook login, Twitter login, Gmail integration...

https://bitly.com/ URL shortening also offers API and can be integrated with AIM for offer this service.

There are others as well like http://goo.gl.

Wonder if this is something that might be useful.

Cheers

ACDC

RLJB

yes in your Object there would be a Base64 translation equivalent to the url link. You can get more info here http://www.base64encode.org/

hpl123
The bitly.com wont work as the URL link is changing all the time. Each email sent has a unique ID in the Url link

hpl123

ACDC,
I can contribute some to get this feature. Others interested?

intra

Yes.. like the idea.. put me down.

ACDC

anybody else interested ? currently there are 3 of us willing to pitch in

The cost to each of us at the moment is $83.33 , subject to confirmation from support

So please don't be shy, the more the merrier

intra

Straight BASE64 is pretty easy to decrypt, there are many websites around that do this. No point doing something half baked to thwart a "curious" user.

Might be good to do a simple XOR shift by a definable number and then use base 64 encoding.

If you're really paranoid.. maybe use a proper encryption standard and then base 64.

Thoughts?

intra

Maybe an Encrypt/Decrypt function and a Base64Encrypt/Base64Decrypt function.

Which would result in something like this

Base64Encode(Encrypt('SHA-128','Bo.Phrase')) which you then could call somehow?

ACDC

yes it is half baked, maybe you are on to something here, if you have a more secure way of doing this then please elaborate....

All I do know is there is a definite need to encrypt url links embedded in outgoing emails and sms messaging, especially with passwords and keeping client information private

pbrad

Hi,
I tripped over this site the other day. Would it present a possible solution to what you are trying to achieve? It might also be a way to simplify the main url in order to strip out the port and AwareIM folder name in the path?

I don't have much time right now but I suspect that this should work to rewrite the url prior to showing it:

http://www.tuckey.org/urlrewrite/

Cheers,
Pete

hpl123

intra wrote
Straight BASE64 is pretty easy to decrypt, there are many websites around that do this. No point doing something half baked to thwart a "curious" user.

Might be good to do a simple XOR shift by a definable number and then use base 64 encoding.

If you're really paranoid.. maybe use a proper encryption standard and then base 64.

Thoughts?

I agree, if its possible to create a more solid solution/protection this is the way to go.

nlarson

Did this feature ever make it in? I just stumbled upon the thread and would be happy to chip in. Although security being a ever growing concern I really think Aware needs a more official support for https certificates & persistent session cookies.

the string is protected from 3rd party snooping @ 128bit
the app login is protect by either recycling a session token or forcing the user to login if no cookie exists.
the data would be protected from second party 'curious' user by what ever privacy rules you have put on the business object.

If that happened you have solid security, not just camouflage. That is something I would put some real money towards.

hpl123

nlarson wrote
Did this feature ever make it in? I just stumbled upon the thread and would be happy to chip in. Although security being a ever growing concern I really think Aware needs a more official support for https certificates & persistent session cookies.

the string is protected from 3rd party snooping @ 128bit

the app login is protect by either recycling a session token or forcing the user to login if no cookie exists.

the data would be protected from second party 'curious' user by what ever privacy rules you have put on the business object.

If that happened you have solid security, not just camouflage. That is something I would put some real money towards.

1+ for this

customaware

I'll be in that.

ACDC

This concept eventually went dead because of the concern that Base64 was not a good solution .

There seems to be enough parties interested to chip in, so lets try and pursue this

Is there anyone out there that can drive a solution ?

Nlarson,
You seem to have an idea on a way forward, maybe you could pick up on this and present it to support for consideration

nlarson

Not a whole lot to document from a concept stand point,

Should make SSL support more seemless. The steps to do it manually are documented in this post, but it's a lot of work which will get crushed by every upgrade.
https://www.awareim.com/forum/d/3554>
Aware needs to generate and accept persistent cookies. If the cookie is valid, the user is logged in, if not they are shown the login screen. If applicable, after the login the user is then forwarded to the specified URL. There is a ton of info on the web, but here is a good write up.
http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
After the login the user is then forwarded to the
Aware devs would then be responsible for setting up appropriate access option to keep users from seeing things they should not be allowed to see. (requires no programming changes)

If that gets done it would:

allow all traffic to be encrypted, so any transmission of data is secure (like id + password). Typically all Aware data is transmitted in plain text.
allow notifications to be sent with URLs which are not based on a guess login and/or do not include an id/password string but still logs in the user and takes them to the specified record.
allows data security to be put in place based on a specific user.

tford

I would use this feature if it were available. We push emails with relevant info to various users & this feature could allow users to save time by clicking on a link in that email to get right to the spot where they need to be in the application.