IvanVolosyuk / wifikeyboard

Automatically exported from code.google.com/p/wifikeyboard
GNU General Public License v2.0

https? #22

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What about HTTPS, so that no one can listen to your typing? (For instance, if 
you're in a public WLAN.)

Original issue reported on code.google.com by jpfra...@gmail.com on 10 Oct 2010 at 10:32

GoogleCodeExporter commented 9 years ago
Yup, it would be nice.

Self-signed certs could be used, and to make it secure (preventing spoofing) 
the app would show you the cert's fingerprint on the phone screen and ask 
you to confirm that it's the same in the browser.
If they don't match, somebody is trying to spoof it.

(And don't use MD5 or other weak crypto in the certs!)

Original comment by natanae...@gmail.com on 13 Oct 2010 at 4:27

GoogleCodeExporter commented 9 years ago
Looks reasonable. Though it can be used only by advanced users, as the browser's 
scary dialog will frighten most normal ones and they will not get past 
it. I can't embed the private key in the app as it can be extracted by anyone. 
Need to investigate how I can generate key/certificate pairs on the device and 
use SSL.

Original comment by Ivan.Volosyuk on 28 Nov 2010 at 5:57

GoogleCodeExporter commented 9 years ago
I'm not sure how to implement this, but wouldn't you want to display a QR code 
on the screen of the controlling system with the IP information and an 
encryption key? 

Original comment by lee.colleton on 13 Dec 2010 at 10:18

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
@Comment 2
You can use an external file

Original comment by gli...@gmail.com on 3 Apr 2011 at 12:41

GoogleCodeExporter commented 9 years ago
Re: #3: I guess that's a bit pointless. Showing a QR code on the screen before 
the SSL certificate is activated is useless because you then won't know if the 
activated SSL cert is the right one (unless you add a step afterwards, making 
the QR code worthless). If you do it afterwards you will already have had to 
accept the cert. And anything that does not include taking a look at what cert the 
browser sees is meaningless, and we can't easily do that with a QR code.

So just tell the user to compare the SSL cert in the browser with that of the 
phone.

Original comment by natanae...@gmail.com on 3 Apr 2011 at 12:55

GoogleCodeExporter commented 9 years ago
A possible workaround for self-signed certificates is to set up a trusted 
server to provide the HTML/JS to the browser (I'm quite sure 
http://www.startssl.com/ free certificates are trusted by Android).

Local communication can then be encrypted with JS with the key being shared by 
QR code / screen display + typing in order to prevent MITM attacks.

AES has been implemented in JS - research how to use it to provide a stream to XOR 
with whatever is typed or just work with it as a block cipher and pad 
everything with null bytes; it's over local WiFi so network speed won't be as 
much of a limitation.

Original comment by ar...@oonix.com.au on 30 Dec 2011 at 9:40
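
The scheme sketched in the comment above (a key shared by QR code or typing, then JS-side encryption of the local traffic), as an added example that is not from the thread or the wifikeyboard code base. It swaps in AES-GCM with a counter nonce in place of the XOR-stream or null-padding ideas; the frame layout, function names and PBKDF2 parameters are assumptions, and it runs under Node.js rather than in a browser.

```javascript
// Added example, not wifikeyboard code. Function names, frame layout and
// PBKDF2 parameters are assumptions made for illustration.
const crypto = require('node:crypto');

// Derive a 256-bit key from the code shown on the phone (QR or typed).
// The code is assumed to be long and random; salt is a per-session value.
function deriveKey(pairingCode, salt) {
  return crypto.pbkdf2Sync(pairingCode, salt, 200000, 32, 'sha256');
}

// 96-bit GCM nonce from the message counter. A (key, nonce) pair must never
// repeat, so this key covers the browser-to-phone direction only.
function nonceFor(counter) {
  const iv = Buffer.alloc(12);
  iv.writeBigUInt64BE(BigInt(counter), 4);
  return iv;
}

// Browser side: seal one keystroke. Frame = counter(8) | tag(16) | ciphertext.
function sealKeystroke(key, counter, text) {
  const header = Buffer.alloc(8);
  header.writeBigUInt64BE(BigInt(counter));
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonceFor(counter));
  cipher.setAAD(header); // the counter is authenticated but not encrypted
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return Buffer.concat([header, cipher.getAuthTag(), body]);
}

// Phone side: returns the text, or null for a forged, altered or replayed frame.
function openKeystroke(key, lastCounter, frame) {
  if (frame.length < 24) return null;
  const header = frame.subarray(0, 8);
  const counter = header.readBigUInt64BE();
  if (counter <= BigInt(lastCounter)) return null; // replay or reordering
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonceFor(counter));
  decipher.setAAD(header);
  decipher.setAuthTag(frame.subarray(8, 24));
  try {
    const plain = Buffer.concat([decipher.update(frame.subarray(24)), decipher.final()]);
    return plain.toString('utf8');
  } catch (err) {
    return null; // tag mismatch: wrong key or modified frame
  }
}
```

The phone keeps the highest counter it has accepted and passes it as `lastCounter`, so a captured frame cannot be injected a second time.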

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Hello Ivan!

That would be a very nice feature. It would be good to know that my typing is 
secure, when I am in my office network.

Best regards
Dirk

Original comment by dirk...@gmail.com on 17 Mar 2014 at 9:56

GoogleCodeExporter commented 9 years ago
I would say most people using this app are quite advanced ;)
So showing the fingerprint and explaining a little should be good enough.
Please implement HTTPS!

greetz
Jonny007

Original comment by Jonny007...@gmail.com on 16 Jun 2014 at 8:43