Open GoogleCodeExporter opened 9 years ago
Yup, it would be nice.
Self-signed certs could be used, and to make it secure (preventing spoofing)
the app would show you the cert's fingerprint on the phone screen and ask
you to confirm that it's the same in the browser.
If they don't match, somebody is trying to spoof it.
(And don't use MD5 or other weak crypto in the certs!)
Original comment by natanae...@gmail.com
on 13 Oct 2010 at 4:27
Looks reasonable. Though it can be used only by advanced users, as the browser's
scary dialog will frighten most normal ones and they will not get through
it. I can't embed the private key in the app, as it can be extracted by anyone.
Need to investigate how I can generate key/certificate pairs on the device and
use SSL.
Original comment by Ivan.Volosyuk
on 28 Nov 2010 at 5:57
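The approach of the two comments above (comment 1: a self-signed cert, its fingerprint shown on the phone screen and compared against what the browser presents, no MD5; comment 2: the key pair and certificate generated on the device rather than shipped inside the app), which is also where comment 5 below ends up, as an added worked example in Go. This is illustration code, not code from the issue or from the app. Assumed: the phone's LAN address is 192.168.1.10, a loopback TCP connection stands in for the WiFi link, a Go TLS client with a pinned fingerprint stands in for the user comparing the two fingerprints by eye, and the message text is made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// GenerateSelfSigned makes a fresh P-256 key and a self-signed SHA-256 cert in
// memory on the "phone" at first run, so nothing is embedded in the app binary.
// lanIP is what the user will type into the browser (assumed: an IPv4 LAN address).
func GenerateSelfSigned(lanIP string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:       serial, // random: browsers reject a reused issuer+serial
		Subject:            pkix.Name{CommonName: lanIP},
		IPAddresses:        []net.IP{net.ParseIP(lanIP)}, // SAN, which browsers require
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		SignatureAlgorithm: x509.ECDSAWithSHA256, // not MD5 or SHA-1
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// FingerprintDER is the SHA-256 of the DER certificate in the colon-separated
// form a browser's certificate viewer shows, so phone and browser can be compared.
func FingerprintDER(der []byte) string {
	sum := sha256.Sum256(der)
	return strings.ReplaceAll(fmt.Sprintf("% X", sum[:]), " ", ":")
}

// PinnedClientConfig is the browser-side rule. There is no CA to chain to, so
// CA and hostname validation are replaced by one check against the fingerprint
// the user read off the phone; a spoofed phone or a MITM presents another cert.
func PinnedClientConfig(expected string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // skips CA validation only; the callback still runs
		MinVersion:         tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if got := FingerprintDER(rawCerts[0]); got != expected {
				return fmt.Errorf("fingerprint mismatch: got %s, want %s", got, expected)
			}
			return nil
		},
	}
}

// Handshake runs one TLS session over loopback TCP (standing in for the WiFi
// link): the "phone" serves cert, the "browser" pins expected, and the phone's
// first message comes back.
func Handshake(cert tls.Certificate, expected string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()                       // close_notify, so the client sees EOF
		c.Write([]byte("keystrokes go here")) // the first Write runs the handshake
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), PinnedClientConfig(expected))
	if err != nil {
		return "", err // a fingerprint mismatch surfaces here, before any data
	}
	defer cli.Close()
	msg, err := io.ReadAll(cli)
	return string(msg), err
}

func main() {
	cert, leaf, _ := GenerateSelfSigned("192.168.1.10")
	fp := FingerprintDER(leaf.Raw) // what the phone puts on its screen
	msg, err := Handshake(cert, fp)
	fmt.Println(fp, msg, err)
}
```

`InsecureSkipVerify` on its own would accept any certificate; it is only acceptable here because `VerifyPeerCertificate` does the pin. A real browser has no such hook, which is why the thread ends up with "compare the two fingerprints by eye": the string comparison this Go client does in code is exactly the one the user does manually, and it has to be done on every first connection from a new browser profile. The random serial is not cosmetic: Firefox refuses a regenerated certificate that reuses an earlier issuer and serial number, so an app that regenerates its cert on reinstall must vary it.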
I'm not sure how to implement this, but wouldn't you want to display a QR code
on the screen of the controlling system with the IP information and an
encryption key?
Original comment by lee.colleton
on 13 Dec 2010 at 10:18
[deleted comment]
@Comment 2
You can use an external file.
Original comment by gli...@gmail.com
on 3 Apr 2011 at 12:41
Re: #3: I guess that's a bit pointless. Showing a QR code on the screen before
the SSL certificate is activated is useless, because you then won't know if the
activated SSL cert is the right one (unless you add a step afterwards, making
the QR code worthless). If you do it afterwards, you will already have had to
accept the cert. And anything that does not include taking a look at what cert the
browser sees is meaningless, and we can't easily do that with a QR code.
So just tell the user to compare the SSL cert in the browser with that of the
phone.
Original comment by natanae...@gmail.com
on 3 Apr 2011 at 12:55
A possible workaround for self-signed certificates is to set up a trusted
server to provide the HTML/JS to the browser (I'm quite sure
http://www.startssl.com/ free certificates are trusted by Android).
Local communication can then be encrypted with JS with the key being shared by
QR code / screen display + typing in order to prevent MITM attacks.
AES has been implemented in JS - research how to use it to provide a stream to XOR
with whatever is typed, or just work with it as a block cipher and pad
everything with null bytes; it's over local WiFi, so network speed won't be as
much of a limitation.
Original comment by ar...@oonix.com.au
on 30 Dec 2011 at 9:40
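The scheme in the comment above (page and JS served from a trusted HTTPS site, local traffic encrypted with AES under a key shared by QR code or typed in), as an added example; it is not code from the issue or from the app. It is written in Go to keep one language on this page; the browser half would use WebCrypto's AES-GCM, which is the same primitive. One thing is deliberately different from the comment: AES is used as an AEAD (AES-256-GCM with a counter nonce) rather than as a bare XOR keystream or a null-padded block cipher, because without a tag anyone on the WiFi can flip bits in, or replay, the typed text unnoticed. The QR payload format, the address 192.168.1.10:7777 and the sample keystrokes are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// QRPayload is an assumed QR code content (not the project's format): the
// phone's address plus a random 256-bit pairing key that travels only via the screen.
type QRPayload struct {
	Addr string
	Key  []byte
}

// NewQRPayload draws a fresh key per pairing, so one leaked key does not outlive its session.
func NewQRPayload(addr string) (QRPayload, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return QRPayload{}, err
	}
	return QRPayload{Addr: addr, Key: key}, nil
}

// Encode is the string the phone renders as a QR code: "host:port#base64url(key)".
func (p QRPayload) Encode() string {
	return p.Addr + "#" + base64.RawURLEncoding.EncodeToString(p.Key)
}

// DecodeQR is the browser side: parse what the camera read or the user typed.
func DecodeQR(s string) (QRPayload, error) {
	addr, enc, ok := strings.Cut(s, "#")
	key, err := base64.RawURLEncoding.DecodeString(enc)
	if !ok || err != nil || len(key) != 32 {
		return QRPayload{}, errors.New("qr payload: want host:port#<32 base64url bytes>")
	}
	return QRPayload{Addr: addr, Key: key}, nil
}

// Session is one direction of the keystroke channel (browser -> phone; the other
// direction needs its own counter or a direction byte in the nonce). AES-GCM
// authenticates as well as encrypts, which a raw XOR stream or null-padded block cipher does not.
type Session struct {
	aead    cipher.AEAD
	seq     uint64 // sender: last counter used as nonce
	lastSeq uint64 // receiver: highest counter accepted
}

func NewSession(key []byte) (*Session, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead}, nil
}

// Seal encrypts one keystroke event. Nonce = 4 zero bytes || 8-byte counter, so it never
// repeats under this key (a repeated GCM nonce is fatal). Output: nonce || ciphertext || tag.
func (s *Session) Seal(keystroke string) []byte {
	s.seq++
	nonce := make([]byte, s.aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], s.seq)
	return s.aead.Seal(nonce, nonce, []byte(keystroke), nil)
}

// Open verifies and decrypts; modified ciphertext fails the tag check, and a
// replayed or reordered message fails the strictly-increasing counter check.
func (s *Session) Open(msg []byte) (string, error) {
	ns := s.aead.NonceSize()
	if len(msg) < ns+s.aead.Overhead() {
		return "", errors.New("message too short")
	}
	seq := binary.BigEndian.Uint64(msg[4:ns])
	if seq <= s.lastSeq {
		return "", fmt.Errorf("replayed or out-of-order message (counter %d)", seq)
	}
	pt, err := s.aead.Open(nil, msg[:ns], msg[ns:], nil)
	if err != nil {
		return "", errors.New("authentication failed: message was modified")
	}
	s.lastSeq = seq
	return string(pt), nil
}

func main() {
	qr, _ := NewQRPayload("192.168.1.10:7777") // phone side: rendered as the QR code
	scanned, _ := DecodeQR(qr.Encode())        // browser side: scanned or typed in
	browser, _ := NewSession(scanned.Key)
	phone, _ := NewSession(qr.Key)
	msg := browser.Seal("a")
	fmt.Println(phone.Open(msg))
	fmt.Println(phone.Open(msg)) // the same message again is rejected as a replay
}
```

What this does not give you is the thing the rest of the thread is about: the browser still has to get the page from somewhere, and if that page is served over plain HTTP from the phone, a man in the middle can swap the JS before any key is used. That is why the comment pairs it with a page served from a trusted HTTPS origin; the key shown on the phone screen then authenticates the phone, much as the certificate fingerprint does in the other approach.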
[deleted comment]
Hello Ivan!
That would be a very nice feature. It would be good to know that my typing is
secure, when I am in my office network.
Best regards
Dirk
Original comment by dirk...@gmail.com
on 17 Mar 2014 at 9:56
I would say most people using this app are quite advanced ;)
So showing the fingerprint and explaining a little should be good enough.
Please implement HTTPS!
greetz
Jonny007
Original comment by Jonny007...@gmail.com
on 16 Jun 2014 at 8:43
Original issue reported on code.google.com by
jpfra...@gmail.com
on 10 Oct 2010 at 10:32