Obfuscation of url LINKS - Pitch in ?

ACDC

I think this is excellent, its a step in the right direction, the ultimate would of course be the e2 function 128bit encryption. As much as it is easy to decode its still better than an exposed link - there are numerous reasons for this

As to whether this is only for a guest login, no .... its for any url that is sent to a user of the system

I think mailing embedding passwords in a link is totally wrong and a bad practice.Communication of any password should force the user to go through a reset of the password when logging in for the first time. This way the password always remains secure

If a NON guest user is sent a link then they must login first and then connect to the link, (that's if they are not already logged IN ). If you are mailing a Guest user and you require security around the process then they should not be a Guest user. However there could be a case where a Guest user can second guess other records from the make up of the url and access these records (like getting a list of the users being mailed)

I see this encryption purely for the purpose of hiding the process from anyone wanting to snoop and poke around and got nothing to do with protecting passwords. This goes for all users

One of the other things that come to mind is the use of PROTECT as a mechanism to secure data from other users. What if I am using one of the "Make Invisible" or "Hide" or "Applicability" features, does this have the same PROTECT vale of security - I don't think so (maybe support can confirm) But if this is the case a user with a valid login could begin to snoop around the system by second guessing custom url LINKS. That includes custom buttons and url links on forms

nlarson

ACDC wrote
I think mailing embedding passwords in a link is totally wrong and a bad practice.Communication of any password should force the user to go through a reset of the password when logging in for the first time.

I agree with your concept 100% - but I don't see how it can be implemented without a straight forward and officially supported methodology for SSL encryption in AwareIM. Without SSL Passwords are sent in clear text every time a user logs in, might as well email them, it's the exact same thing.

The hide/applicability should not be considered secure; the data is sent to the client but not rendered by the browser. Also Protect, does not work for documents so that is only partially secure.

ACDC

Nlarson wrote:

but I don't see how it can be implemented without a straight forward and officially supported methodology for SSL encryption in AwareIM.

I use SSL encryption all the time, I am not sure what you mean by an officially supported methodology, but its very easy to setup SSL on Awareim, what more do you need ?

nlarson

ACDC wrote
I use SSL encryption all the time, I am not sure what you mean by an officially supported methodology, but its very easy to setup SSL on Awareim, what more do you need ?

I have been struggling to get it working, but will continue to have at it; the post I am working from is a few years old so good to know it is still relevant.

By officially supported I mean a method that does not get 'wiped out' and require the heavy effort I have put in by each Aware upgrade, i.e. a feature of Aware.

My understanding is that the setting will not endure an upgrade, is that not the case? I am not looking to be a stick in the mud on this subject, so if I am mistaken that would be welcome news 🙂

ACDC

There is always going to be customised settings and the way to handle this is to keep a directory of the changes that need to take place and when doing the upgrade copy over the files into the new install, This is very painful I know but in the bigger scheme of things the time saved using this development tool far outweighs the effort to copy over the custom settings on every upgrade.

SSL is part of the Tomcat setup

If you want to get SSL going check this link out (BTW you don't have to subscribe to an authenticator to get a secure link in place)

ACDC

SSL is part of the Tomcat setup

If you want to get SSL going check this link out (BTW you don't have to subscribe to an authenticator to get a secure link in place)

hpl123

ACDC wrote
(BTW you don't have to subscribe to an authenticator to get a secure link in place)

ACDC, what did you mean here? Is it possible to get https/SSL without using a authenticator?

ACDC

What I meant was that you don't have to subscribe to a third party issuer to get SSL working.

This would however result in the user at time of login getting a warning that the link has not been verified , but once the user has accepted the status, then the warning in future normally does not appear again and the SSL link will prevail

So you basically end up managing your own fake certificate from your server

Obviously this is not the right way to do things, but it serves the purpose of a secure link for testing or for use in a controlled user base and where you may be using a ip address in the url as opposed to a domain name

If you google "install ssl without certificate" you will find a lot more information on the topic

ACDC

What I meant was that you don't have to subscribe to a third party issuer to get SSL working.

So you basically end up managing your own fake certificate from your server

If you google "install ssl without certificate" you will find a lot more information on the topic

hpl123

Ok, thanks for the clarification.

aware_support

5.7 supports encryption of links using two new functions ENCRYPT_B64 and DECRYPT_B64

See more details in the 5.7 User Guide

Rennur

Anyone used this FUNCTION yet?

BobK

Hi Rennur,

I have tested the encryption of links and here is how I did it:

I created a new Business Object with 2 Plain Text fields, ClearURL and EncryptedURL and 1 rule;
If Encryption.ClearURL WAS CHANGED Then
Encryption.EncryptedURL=ENCRYPT_B64(Encryption.ClearURL)
This BO is used just to encrypt the URL.

After publishing, I created an instance of the Encryption object and entered the following part of the URL I wanted encrypted in the ClearURL field:
domain=myDomain&userName=theUser&password=thePassword&firstCommand=startProcessWithInit,CreateData,main,InputData&Cost=$21.95&Name=Test Test&OnOffOption=OFF
and the encrypted URL was calculated and displayed in the EncryptedURL field.

I then added a link in an html page with: http://myserver/AwareIM/logonOp.aw?e=the actual Encrypted URL from the EncryptedURL field

When I clicked on the link, AwareIM automatically decrypted the URL, I was logged into Aware and my CreateData process was executed with the supplied values.

ACDC

I then added a link in an html page with: http://myserver/AwareIM/logonOp.aw?e=the actual Encrypted URL from the EncryptedURL field

Bob
are you sure this is the complete url , as i tried to decrypt this and it failed

ACDC

if that is the case then there is true encryption taking place as opposed to plain old obfuscation, thats music to my ears..well hopefully!

tford

I have not yet explored the new features, but I'm wondering if this could be used in association with the Google/Facebook/Twitter login feature.

For example, if you want to send someone a link to edit or view something & you assume your user is already logged into Google. If you have Google login enabled in your app, they I wonder if this encrypted link will open the item directly without having to specifically log in to AwareIM.

BobK

I did not post the actual encrypted string, it is rather long. I will post it now along with more details.

If the actual URL was: http://myserver/AwareIM/logonOp.aw?domain=myDomain&userName=theUser&password=thePassword&firstCommand=startProcessWithInit,CreateData,main,InputData&Cost=$21.95&Name=Test Test&OnOffOption=OFF

From my meager knowledge of how the internet works, I assume the first part (http://myserver/AwareIM/logonOp.aw?) should not be encrypted.

So my ClearURL was populated with the rest of the string: domain=myDomain&userName=theUser&password=thePassword&firstCommand=startProcessWithInit,CreateData,main,InputData&Cost=$21.95&Name=Test Test&OnOffOption=OFF

The encrypted string was computed to be:
FxkUAB1eSS0NNxsbURoYXxQHVQYOFR4RS0QbEywSEUJSMBUABwFfARJEFRxVJCEHAAMZQhdQHwgGQwADGx4ZF14XSwoVFUIAEAYcFxNDACEQFRx5GikAXzcEVRICHCUVRBVsGRIdGBw6GAkUAHQVNBVVNxlDB0tdU0UeTXVSPRUbVU4iHBIAECAlBwdSOV48EB8uBEQdLxpOOzB2

So the link on my html page was
http://myserver/AwareIM/logonOp.aw?e=FxkUAB1eSS0NNxsbURoYXxQHVQYOFR4RS0QbEywSEUJSMBUABwFfARJEFRxVJCEHAAMZQhdQHwgGQwADGx4ZF14XSwoVFUIAEAYcFxNDACEQFRx5GikAXzcEVRICHCUVRBVsGRIdGBw6GAkUAHQVNBVVNxlDB0tdU0UeTXVSPRUbVU4iHBIAECAlBwdSOV48EB8uBEQdLxpOOzB2

ACDC

Thanks for the clarification, I have tried to decrypt your encrypted url on a number of online Base64 decrypt sites and still don't have any success.

So this seems to confirm that there is additional encryption taking place on the server which therefore makes it more secure than plain base64 encrypt

nlarson

that would be welcome news!

hpl123

ACDC wrote
Thanks for the clarification, I have tried to decrypt your encrypted url on a number of online Base64 decrypt sites and still don't have any success.

So this seems to confirm that there is additional encryption taking place on the server which therefore makes it more secure than plain base64 encrypt

Welcome news indeed if so. Support, can you verify if/that this is the case?
Thanks

« Previous Page Next Page »