<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Jun 20, 2013, at 10:56 AM, Matthias Wessendorf <<a href="mailto:matzew@apache.org">matzew@apache.org</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 20, 2013 at 5:54 PM, Kris Borchers <span dir="ltr"><<a href="mailto:kris@redhat.com" target="_blank">kris@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div><div class="im"><div>On Jun 20, 2013, at 10:49 AM, Matthias Wessendorf <<a href="mailto:matzew@apache.org" target="_blank">matzew@apache.org</a>> wrote:</div>
<br><blockquote type="cite"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 20, 2013 at 5:46 PM, Kris Borchers <span dir="ltr"><<a href="mailto:kris@redhat.com" target="_blank">kris@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div><div><div>On Jun 20, 2013, at 10:34 AM, Matthias Wessendorf <<a href="mailto:matzew@apache.org" target="_blank">matzew@apache.org</a>> wrote:</div>
<br><blockquote type="cite"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 20, 2013 at 5:32 PM, Kris Borchers <span dir="ltr"><<a href="mailto:kris@redhat.com" target="_blank">kris@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><br>
On Jun 20, 2013, at 10:28 AM, Bruno Oliveira <<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>> wrote:<br>
<br>
> Just one addition <a href="http://tools.ietf.org/html/rfc2617#section-4" target="_blank">http://tools.ietf.org/html/rfc2617#section-4</a><br>
<br>
</div>Right … even on the iOS and Android side of things, it is still very easy to "decrypt" a base64 encoded string. Using HTTPS would help but that is not foolproof either so we may want to think of some other method.<br>
</blockquote><div><br></div><div><br></div><div>sure - and nothing new here :) </div><div>But better than nothing, for now <br></div></div></div></div></blockquote><div><br></div></div>Not sure I agree … seems like a waste if we know we won't use it in the future. Might as well have Bruno working on something real and get that in for August rather than just sitting on something that isn't right.</div>
</div></blockquote><div><br></div><div>Ok,.. should I remove the security work I did ? wondering why there was no feedback on the actual thread </div></div></div></div></blockquote><div><br></div></div>Not sure which thread but honestly it's hard to respond to everything. I try to read and respond but I'm working on lots of things other than push right now so I'll admit that I skim through a lot of the multiple MLs I subscribe to in order to be able to actually get work done. Otherwise I could end up just reading/replying to e-mail all day.</div>
</div></blockquote><div><br></div><div><br></div><div style="">Ok.</div><div style=""><br></div><div style="">I have two options:</div><div style="">* keep the http_basic, and improve in the next weeks</div></div></div></div></blockquote><div><br></div>I guess keep it if you're not removing it for the other clients. The JS client will need to be updated.<br><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div style="">* remove the http_basic for SimplePush, and wait for something real there.</div>
<div style=""><br></div><div style="">-Matthias</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">
<div><div class="h5"><br><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div><br><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>><br>
> Bruno Oliveira wrote:<br>
>> Don't feel safe because you're doing something with Base64 or using<br>
>> basic authentication. It doesn't guarantee safety, the HTTP Basic<br>
>> Authentication scheme is not considered a secure method without TLS/SSL,<br>
>> because username and password are passed over the network in cleartext.<br>
>><br>
>> For this reason we will replace it with Digest or Hawk into the near<br>
>> future.<br>
>><br>
>> Matthias Wessendorf wrote:<br>
>>> Hi,<br>
>>><br>
>>> with the use of this helper<br>
>>> <<a href="https://github.com/davidchambers/Base64.js" target="_blank">https://github.com/davidchambers/Base64.js</a>>, it is "safe" (I think) to<br>
>>> use the |window.btoa| function(see details<br>
>>> <<a href="https://developer.mozilla.org/en-US/docs/Web/API/window.btoa" target="_blank">https://developer.mozilla.org/en-US/docs/Web/API/window.btoa</a>>), to<br>
>>> perform a (simple) Base64 encoding.<br>
>>><br>
>>> Base64 encoding is required, since the "Device Registration" HTTP REST<br>
>>> endpoint now uses HTTP_Basic (for details see the matching thread<br>
>>> <<a href="http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html" target="_blank">http://lists.jboss.org/pipermail/aerogear-dev/2013-June/003233.html</a>>).<br>
>>><br>
>>> Currently we perform this code for "channel registration":<br>
>>><br>
>>> |$.ajax({<br>
>>> contentType:"application/json",<br>
>>> dataType:"json",<br>
>>> type:"POST",<br>
>>> url: url,<br>
>>> headers: {<br>
>>> "ag-mobile-variant": variantID<br>
>>> },<br>
>>> data: JSON.stringify({<br>
>>> category: messageType,<br>
>>> deviceToken: endpoint.channelID,<br>
>>> clientIdentifier: alias<br>
>>> })<br>
>>> });<br>
>>> |<br>
>>><br>
>>> As mentioned on the "Security thread", the |variantID| is no longer a<br>
>>> header, it is part of the HTTP_Basic auth process.<br>
>>><br>
>>> This is a (local) JavaScript change that I did. It works fine so far:<br>
>>><br>
>>> |$.ajax({<br>
>>> contentType:"application/json",<br>
>>> dataType:"json",<br>
>>> type:"POST",<br>
>>> crossDomain: true,<br>
>>> url: url,<br>
>>> headers: {<br>
>>> "Authorization":"Basic" + window.btoa(variantID +":" + secret)<br>
>>> },<br>
>>> data: JSON.stringify({<br>
>>> category: messageType,<br>
>>> deviceToken: endpoint.channelID,<br>
>>> alias: alias ///// NOTE:: the key has changed..........<br>
>>> })<br>
>>> });<br>
>>> |<br>
>>><br>
>>> The important thing: we add the |"Authorization": "Basic "| header and<br>
>>> using the mentioned|window.btoa()| function for the actual encoding.<br>
>>><br>
>>> The same applies for the |DELETE| (unregistration).<br>
>>><br>
>>> Any thoughts? Otherwise, I'd send a PR.<br>
>>><br>
>>> Ah.... the dependency agains the |Base64.js| polyfill library<br>
>>> would/should be included in our "grunt" build for "distribution", or<br>
>>> would it be "just" declared (yeah, that's details but asking for<br>
>>> curiousity)<br>
>>><br>
>>><br>
>>> --<br>
>>> Matthias Wessendorf<br>
>>><br>
>>> blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
>>> sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
>>> twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
>>><br>
>>> _______________________________________________<br>
>>> aerogear-dev mailing list<br>
>>> <a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
>>> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
>><br>
><br>
> --<br>
> abstractj<br>
><br>
> _______________________________________________<br>
> aerogear-dev mailing list<br>
> <a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
<br>
<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>
_______________________________________________<br>aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></blockquote>
</div><br></div><br>_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br>
<br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>
_______________________________________________<br>aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></blockquote>
</div></div><br></div><br>_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br>
<br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>
_______________________________________________<br>aerogear-dev mailing list<br><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>https://lists.jboss.org/mailman/listinfo/aerogear-dev</blockquote></div><br></body></html>