[Implemented] SSL Encryption?

edited January 2013 in Feature Requests
Can we have SSL encryption for remote messages?

I want to be able to use Remote Messages over the Internet and over untrusted WiFi networks. However, everything is currently transmitted in plain text over the network. This exposes everything to any observer, including usernames, passwords, contacts, message contents, and anything else.

Comments

  • edited December 2012
    Just a quick response to allay some fears. The username and password you log in to Remote Messages with are not sent in plain text. It uses the RFC 2617 standard (http://en.wikipedia.org/wiki/Digest_access_authentication), which basically only transmits one-way hashes across the network for authentication.

    As for the other points (messages and contacts), these are transmitted unencrypted at the moment. We are looking into SSL support; however, it is no silver bullet, as it is still vulnerable to MITM attacks and the like. Furthermore, we would have to generate our own SSL certificates on the fly, as your domain name is likely to change (i.e. it won't be from a trusted source and your browser will spit out horrible warnings about going to an insecure website).

    Nonetheless, it is something we are looking into.
    -Alex
  • Okay, but the authentication tokens can be sniffed and replayed over the network trivially, tricking the phone into letting anyone in.

    I think users who wish to turn on an SSL toggle can be expected to verify the self-signed certificate's fingerprint manually and accept it despite the browser warnings. Especially if the settings user interface tells them to expect it.
  • To clarify, not trying to spread FUD. You guys have done a great job creating a product for casual use over home WiFi. I am just hoping for more hardcore/pro functionality for those of us who can handle it. ;)
  • AlAl
    edited December 2012
    If I was setting up remote access like this, I'd probably forward port 22, then at my remote location authenticate securely over that and tunnel port 333 via PuTTY. It should be just as secure as SSH then.
    Alternatively, a VPN solution may be worth looking at if you do this frequently.

    That being said, SSL would be a nice addition to the bundle, even if it's not a perfect solution.
  • edited January 2013
    FYI an experimental version of SSL encryption has been incorporated into the newly released Remote Messages v1.1.1
  • Thanks so much guys! I have SSL enabled over here and it's working like a charm.

    It's a huge testament to your company and your product that you have responded so quickly to customer feedback. I, for one, applaud you. :)
  • Thanks!

    Just out of interest how did you find RM? We've got really low exposure at the moment, I don't think many people even know it exists.
  • Hi AlexMarkley,

    Can you tell me on which setup you managed to have this working? I'm on Win 7, tried Chrome, FF, and IE, but nothing gets me past the "establishing secure connection", which hangs and fails.
  • (note: I do have OpenSSL installed in Cydia, and RM works fine over http)
  • Well, I managed to have it working (in Chrome), by disabling then re-enabling "Use SSL", then by disabling and re-enabling RM itself :)
  • It takes a little while to generate a certificate on your device, so that could have been the issue.
  • I was having troubles connecting and realized that I had to type in HTTPS:// before the IP address in order to make this work.
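
The manual fingerprint check proposed earlier in the thread for a self-signed certificate can also be done by a client program that pins the certificate. This is an added example, not part of the original thread and not Remote Messages' own code; the function names and the stand-in certificate bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in bytes, not a real certificate: the fingerprint is a
# hash over whatever DER bytes the server presents.
SAMPLE_DER = b"constructed stand-in for a DER-encoded self-signed certificate"


def format_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint as colon-separated hex, as a settings screen might show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> bytes:
    """Parse a fingerprint as a user would paste it (colons, spaces, any case)."""
    raw = bytes.fromhex("".join(text.split()).replace(":", ""))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    return raw


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """True only if the certificate hashes to the pinned value (constant-time compare)."""
    return hmac.compare_digest(hashlib.sha256(der_cert).digest(),
                               normalize_fingerprint(pinned))


def connect_pinned(host: str, port: int, pinned: str, timeout: float = 10.0):
    """TLS-connect to a self-signed server, trusting only the pinned certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # no CA chain to validate for a self-signed cert;
    ctx.verify_mode = ssl.CERT_NONE  # the pin check below is the trust decision
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not matches_pin(der, pinned):
        tls.close()  # refuse before any application data is sent
        raise ssl.SSLError("certificate fingerprint does not match the pin")
    return tls


if __name__ == "__main__":
    pin = format_fingerprint(SAMPLE_DER)
    print(pin, matches_pin(SAMPLE_DER, pin))
```

The pin is only as trustworthy as the channel it was copied over, so it should be read from the device's own screen rather than from the network connection being verified.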