Re: How to ensure only HTTP requests from the device can be accepted in a web app?
On Mon, Nov 8, 2010 at 3:56 PM, Ian Stirling wrote:
> Yeah - seems more sane to apply it on a per-user basis, as a filter at the
> server, unless I'm missing something.

I was just thinking of using some kind of a real detail to make life easier for the users so they won't have to fight with Captchas, and thus protecting against spam registration to the service in an easier way than responding to a captcha on the device itself. I wonder if there is some kind of a detail that cannot be faked by spammers that I could use as an authenticator. That is - I do not really require a specific user id, just a way to prevent spam and bot activity, since the service will be used for statistical data.

-Sivan

> As simple as go to the firmware download page (with a script), enter the IMEI
> the user supplies, see if it authenticates.

Right, a web scrape hack. Yuck!

___
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers
Re: How to ensure only HTTP requests from the device can be accepted in a web app?
Sivan Greenberg wrote:
> On Mon, Nov 8, 2010 at 2:27 PM, Ian Stirling wrote:
>> Firstly - why on earth do you care?
>> If a user is authenticated, why does it matter if they are breaking any
>> agreements they may have made with you to only access content on their n900.
>
> Never post to a public list when you are going over your 5 tasks in the same time limit. This is perfectly true and holds! Moreover, the client for the service would only run on the N900 (well, until I develop a desktop version of it), but for all purposes a user account would suffice.

Yeah - seems more sane to apply it on a per-user basis, as a filter at the server, unless I'm missing something.

>> The silly hack that comes to mind is to go to the firmware download page,
>> and use that as an authenticator, but that would be insane.
>
> Out of *pure* technical curiosity, how would that work? I mean, how can I ask tablets-dev to authorize someone when it authorizes it due to knowing that the IMEI he/she provided is indeed a Nokia device?

As simple as go to the firmware download page (with a script), enter the IMEI the user supplies, see if it authenticates.

Though not specifically answering that point, I suggest
http://laforge.gnumonks.org/weblog/gsm/
http://threatpost.com/en_us/blogs/researchers-hijack-cell-phone-data-gsm-locations-042110

Also - you can bar the phone in many instances with only the IMEI, by reporting it stolen.

My concern is not so much that you might do something nefarious - but that you might screw up, and my IMEI turns up along with my name, address, and possibly CC/paypal details on thieftorrent.

There are - as I understand it - limited attacks that are possible using the IMEI at the moment. GSM very much is not designed as a secure protocol, so I wonder, with the increasing ease of access, if that will remain so.

>> Also - as a user, I would be hesitant at giving out my IMEI.
>> While there are few risks at the moment, open-source GSM platforms are
>> becoming available to the hacker community, and the protocol was not really
>> designed for security.
>
> I never gave thought to this; what would it help in abuse to have your IMEI?
>
>> I will note that http://www.omniqueue.com/ shows a pleasing sparseness of
>> design, that many websites would do well to imitate.
>
> Thanks! I try ;-) Even if it had a design it would most probably be very minimalistic, on the brink of a text document.
>
>> No flash ads, no slow javascript, and at 0 bytes, quick to transfer!
>
> Cellular data consumer kept in mind! :-p
>
> Cheers,
> -Sivan
Re: How to ensure only HTTP requests from the device can be accepted in a web app?
On Mon, Nov 8, 2010 at 2:27 PM, Ian Stirling wrote:
> Firstly - why on earth do you care?
> If a user is authenticated, why does it matter if they are breaking any
> agreements they may have made with you to only access content on their n900.

Never post to a public list when you are going over your 5 tasks in the same time limit. This is perfectly true and holds! Moreover, the client for the service would only run on the N900 (well, until I develop a desktop version of it), but for all purposes a user account would suffice.

> The silly hack that comes to mind is to go to the firmware download page,
> and use that as an authenticator, but that would be insane.

Out of *pure* technical curiosity, how would that work? I mean, how can I ask tablets-dev to authorize someone when it authorizes it due to knowing that the IMEI he/she provided is indeed a Nokia device?

> Also - as a user, I would be hesitant at giving out my IMEI.
> While there are few risks at the moment, open-source GSM platforms are
> becoming available to the hacker community, and the protocol was not really
> designed for security.

I never gave thought to this; what would it help in abuse to have your IMEI?

> I will note that http://www.omniqueue.com/ shows a pleasing sparseness of
> design, that many websites would do well to imitate.

Thanks! I try ;-) Even if it had a design it would most probably be very minimalistic, on the brink of a text document.

> No flash ads, no slow javascript, and at 0 bytes, quick to transfer!

Cellular data consumer kept in mind! :-p

Cheers,
-Sivan
Re: How to ensure only HTTP requests from the device can be accepted in a web app?
Sivan Greenberg wrote:
> Hi list,
>
> I'm developing an application that sends very small amounts of data over HTTP ReST to an http server, and want to restrict requests to those coming only from the device itself (the N900 running Maemo/MeeGo). This will of course be complemented with a user login and a limitation of how many "pings" such a user can do to the server a day.
>
> What would be the way to achieve this? Has anyone done/tried something like this before? (I thought about reading some hardware identifier off the device, but then again - how do I make sure an IMEI is an RX-51 one?)

Several issues occur.

Firstly - why on earth do you care?
If a user is authenticated, why does it matter if they are breaking any agreements they may have made with you to only access content on their n900.
Bearing in mind that the absolute maximum possible deterrence is the cost of a 'new' n900 on ebay.

The silly hack that comes to mind is to go to the firmware download page, and use that as an authenticator, but that would be insane.

Also - as a user, I would be hesitant at giving out my IMEI.
While there are few risks at the moment, open-source GSM platforms are becoming available to the hacker community, and the protocol was not really designed for security.

I will note that http://www.omniqueue.com/ shows a pleasing sparseness of design, that many websites would do well to imitate.
No flash ads, no slow javascript, and at 0 bytes, quick to transfer!
How to ensure only HTTP requests from the device can be accepted in a web app?
Hi list,

I'm developing an application that sends very small amounts of data over HTTP ReST to an http server, and want to restrict requests to those coming only from the device itself (the N900 running Maemo/MeeGo). This will of course be complemented with a user login and a limitation of how many "pings" such a user can do to the server a day.

What would be the way to achieve this? Has anyone done/tried something like this before? (I thought about reading some hardware identifier off the device, but then again - how do I make sure an IMEI is an RX-51 one?)

Your response highly appreciated,
-Sivan
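As an added example (not code from the thread, nor from the omniqueue service), this is the server-side shape of what the thread converges on: instead of trying to prove a request came from an N900, the server authenticates the logged-in user with a token and enforces the per-user daily ping limit from the original question. The secret, the user names and the limit are constructed values for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date

# Assumption: a server-side secret loaded from configuration in a real deployment,
# never a literal in source as it is here for the example.
SERVER_SECRET = b"example-only-secret"
DAILY_PING_LIMIT = 100  # assumed quota of "pings" per user per day


def issue_token(user_id: str) -> str:
    """Token handed to the client at login: an HMAC over the user id.

    The client cannot forge one without SERVER_SECRET, which is the
    property an IMEI check could never give (IMEIs are trivially copied)."""
    return hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()


class PingFilter:
    """Per-user filter applied at the server to every /ping request."""

    def __init__(self, limit: int = DAILY_PING_LIMIT):
        self.limit = limit
        # (user_id, day) -> number of pings accepted so far that day
        self.counts = defaultdict(int)

    def accept(self, user_id: str, token: str, today: date) -> str:
        # 1. Authenticate: constant-time compare against the token we would issue,
        #    so a mismatch does not leak how many leading bytes were correct.
        if not hmac.compare_digest(issue_token(user_id), token):
            return "reject: bad token"
        # 2. Rate limit per user per calendar day.
        key = (user_id, today)
        if self.counts[key] >= self.limit:
            return "reject: daily limit reached"
        self.counts[key] += 1
        return "accept"


def demo() -> list:
    """Constructed request sequence: two good pings, a third over quota,
    a forged token, then the same user the next day."""
    f = PingFilter(limit=2)
    day1, day2 = date(2010, 11, 8), date(2010, 11, 9)
    good = issue_token("alice")
    return [
        f.accept("alice", good, day1),
        f.accept("alice", good, day1),
        f.accept("alice", good, day1),
        f.accept("alice", "0" * 64, day1),
        f.accept("alice", good, day2),
    ]
```

Rejected requests are the ones to count per user in the server log; a burst of "bad token" from one account is the spam or bot signal the original post wanted, without any device identifier.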