<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 20, 2013 at 5:32 PM, Kris Borchers <span dir="ltr"><<a href="mailto:kris@redhat.com" target="_blank">kris@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
On Jun 20, 2013, at 10:28 AM, Bruno Oliveira <<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>> wrote:<br>
<br>
> Just one addition <a href="http://tools.ietf.org/html/rfc2617#section-4" target="_blank">http://tools.ietf.org/html/rfc2617#section-4</a><br>
<br>
</div>Right … even on the iOS and Android side of things, it is still very easy to "decrypt" a base64 encoded string. Using HTTPS would help but that is not foolproof either so we may want to think of some other method.<br>
</blockquote><div><br></div><div><br></div><div style>sure - and nothing new here :) </div><div style>But better than nothing, for now <br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5">><br>
> Bruno Oliveira wrote:<br>
>> Don't feel safe because you're doing something with Base64 or using<br>
>> basic authentication. It doesn't guarantee safety, the HTTP Basic<br>
>> Authentication scheme is not considered a secure method without TLS/SSL,<br>
>> because username and password are passed over the network in cleartext.<br>
>><br>
>> For this reason we will replace it with Digest or Hawk in the near<br>
>> future.<br>
>><br>
>> Matthias Wessendorf wrote:<br>
>>> Hi,<br>
>>><br>
>>> with the use of this helper<br>
>>> <<a href="https://github.com/davidchambers/Base64.js" target="_blank">https://github.com/davidchambers/Base64.js</a>>, it is "safe" (I think) to<br>
>>> use the |window.btoa| function(see details<br>
>>> <<a href="https://developer.mozilla.org/en-US/docs/Web/API/window.btoa" target="_blank">https://developer.mozilla.org/en-US/docs/Web/API/window.btoa</a>>), to<br>
>>> perform a (simple) Base64 encoding.<br>
>>><br>
>>> Base64 encoding is required, since the "Device Registration" HTTP REST<br>
>>> endpoint now uses HTTP_Basic (for details see the matching thread<br>
>>> <<a href="http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html" target="_blank">http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html</a>>).<br>
>>><br>
>>> Currently we perform this code for "channel registration":<br>
>>><br>
>>> |$.ajax({<br>
>>> contentType:"application/json",<br>
>>> dataType:"json",<br>
>>> type:"POST",<br>
>>> url: url,<br>
>>> headers: {<br>
>>> "ag-mobile-variant": variantID<br>
>>> },<br>
>>> data: JSON.stringify({<br>
>>> category: messageType,<br>
>>> deviceToken: endpoint.channelID,<br>
>>> clientIdentifier: alias<br>
>>> })<br>
>>> });<br>
>>> |<br>
>>><br>
>>> As mentioned on the "Security thread", the |variantID| is no longer a<br>
>>> header, it is part of the HTTP_Basic auth process.<br>
>>><br>
>>> This is a (local) JavaScript change that I did. It works fine so far:<br>
>>><br>
>>> |$.ajax({<br>
>>> contentType:"application/json",<br>
>>> dataType:"json",<br>
>>> type:"POST",<br>
>>> crossDomain: true,<br>
>>> url: url,<br>
>>> headers: {<br>
>>> "Authorization": "Basic " + window.btoa(variantID + ":" + secret)<br>
>>> },<br>
>>> data: JSON.stringify({<br>
>>> category: messageType,<br>
>>> deviceToken: endpoint.channelID,<br>
>>> alias: alias ///// NOTE:: the key has changed..........<br>
>>> })<br>
>>> });<br>
>>> |<br>
>>><br>
>>> The important thing: we add the |"Authorization": "Basic "| header and<br>
>>> using the mentioned|window.btoa()| function for the actual encoding.<br>
>>><br>
>>> The same applies for the |DELETE| (unregistration).<br>
>>><br>
>>> Any thoughts? Otherwise, I'd send a PR.<br>
>>><br>
>>> Ah.... the dependency against the |Base64.js| polyfill library<br>
>>> would/should be included in our "grunt" build for "distribution", or<br>
>>> would it be "just" declared (yeah, that's details but asking out of<br>
>>> curiosity)<br>
>>><br>
>>><br>
>>> --<br>
>>> Matthias Wessendorf<br>
>>><br>
>>> blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
>>> sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
>>> twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
>>><br>
>>> _______________________________________________<br>
>>> aerogear-dev mailing list<br>
>>> <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
>>> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
>><br>
><br>
> --<br>
> abstractj<br>
><br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>
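<div>The Basic credentials exchange discussed in this thread, as an added example that is not part of the original posts and not AeroGear or Base64.js code: it builds the RFC 2617 Authorization header the way the JavaScript client needs it, with a single space between the scheme name and the token, and then parses it back the way the server, or anyone who can read the request, would. The Base64 encoder and decoder in it stand in for window.btoa/atob and for the polyfill so the file runs without a browser; like btoa they only accept 8-bit (Latin-1) characters. The credentials in demo() are constructed (the RFC's own "Aladdin" example) and the function names are this example's, not the SDK's.</div>

```javascript
// Added example for this thread (not AeroGear or Base64.js code): build and
// parse an RFC 2617 HTTP Basic "Authorization" header in plain JavaScript.
// base64Encode/base64Decode stand in for window.btoa/atob (or the Base64.js
// polyfill) so the file runs anywhere; like btoa, the encoder only accepts
// 8-bit (Latin-1) characters. All sample credentials below are constructed.

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Same contract as window.btoa: a "binary string" in, Base64 text out.
function base64Encode(str) {
  let out = "";
  for (let i = 0; i < str.length; i += 3) {
    const bytes = [];
    for (let j = 0; j < 3 && i + j < str.length; j++) {
      const c = str.charCodeAt(i + j);
      // btoa throws InvalidCharacterError here; a secret with non-Latin-1
      // characters must be UTF-8 encoded first or the header cannot be built.
      if (c > 0xff) throw new RangeError("character outside Latin-1 range");
      bytes.push(c);
    }
    const n = bytes.length;
    const triple = (bytes[0] << 16) | ((bytes[1] || 0) << 8) | (bytes[2] || 0);
    out += B64[(triple >> 18) & 63] + B64[(triple >> 12) & 63];
    out += n > 1 ? B64[(triple >> 6) & 63] : "=";
    out += n > 2 ? B64[triple & 63] : "=";
  }
  return out;
}

// Same contract as window.atob, strict about alphabet, length and padding.
function base64Decode(b64) {
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
    throw new Error("invalid base64 input");
  }
  let out = "";
  for (let i = 0; i < b64.length; i += 4) {
    const q = b64.slice(i, i + 4);
    const v = Array.from(q, (ch) => (ch === "=" ? 0 : B64.indexOf(ch)));
    const triple = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
    out += String.fromCharCode((triple >> 16) & 0xff);
    if (q[2] !== "=") out += String.fromCharCode((triple >> 8) & 0xff);
    if (q[3] !== "=") out += String.fromCharCode(triple & 0xff);
  }
  return out;
}

// RFC 2617 section 2: credentials = "Basic" SP base64(user-id ":" password).
// The user-id must not contain ':'; the password may.
function basicAuthHeader(variantID, secret) {
  if (variantID.includes(":")) throw new Error("user-id must not contain ':'");
  return "Basic " + base64Encode(variantID + ":" + secret);
}

// What the server does with the header, and equally what any proxy, log
// reader or on-path observer can do with it: Base64 is reversible, so the
// secret comes back exactly. Returns null for a malformed header, including
// one where the scheme name and token are run together without a space.
function parseBasicAuthHeader(header) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec(header || "");
  if (!m) return null;
  let decoded;
  try { decoded = base64Decode(m[1]); } catch (e) { return null; }
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), secret: decoded.slice(sep + 1) };
}

// Constructed sample: the credentials RFC 2617 uses in its own example.
function demo() {
  const header = basicAuthHeader("Aladdin", "open sesame");
  const recovered = parseBasicAuthHeader(header);
  return { header, recovered };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

<div>Run it with node. The parser returning null for a header without the space after "Basic" is the check to keep in mind when concatenating the header by hand, and the recovered secret is the point made in the thread: Base64 is encoding, not encryption, so only the transport (TLS) keeps the variant secret from an on-path observer.</div>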