[maemo-developers] How to ensure only HTTP requests from the device can be accepted in a web app?
From: Ian Stirling maemo at mauve.plus.com
Date: Mon Nov 8 15:56:45 EET 2010

Sivan Greenberg wrote:
> On Mon, Nov 8, 2010 at 2:27 PM, Ian Stirling <maemo at mauve.plus.com> wrote:
>> Firstly - why on earth do you care?
>> If a user is authenticated, why does it matter if they are breaking any
>> agreements they may have made with you to only access content on their n900.
>
> Never post to public list when you are going over your 5 tasks in the
> same time limit. This is perfectly true and holds! Moreover, the
> client for the service would only run on the N900 (well until I
> develop a desktop version of it) . but for all purpose a user account
> would suffice.

Yeah - seems more sane to apply it on a per-user basis, as a filter at the server, unless I'm missing something.

>> The silly hack that comes to mind is to go to the firmware download page,
>> and use that as an authenticator, but that would be insane.
>
> Out of *pure* technical curiosity how would that work? I mean, how can
> I ask tablets-dev to authorize someone when it authorizes it due to
> knowing that IMEI he/she provided is indeed a nokia device?

As simple as go to the firmware download page (with a script) enter the IMEI the user supplies, see if it authenticates.

Though not specifically answering that point, I suggest
http://laforge.gnumonks.org/weblog/gsm/
http://threatpost.com/en_us/blogs/researchers-hijack-cell-phone-data-gsm-locations-042110

Also - you can bar the phone in many instances with only the IMEI, by reporting it stolen.

My concern is not so much that you might do something nefarious - but that you might screw up, and my IMEI turns up along with my name, address, and possibly CC/paypal details on thieftorrent.

There are - as I understand it - limited attacks that are possible using the IMEI at the moment. GSM very much is not designed as a secure protocol, so I wonder if with the increasing ease of access, if that will remain so.

>> Also - as a user, I would be hesitant at giving out my IMEI.
>> While there are few risks at the moment, open-source GSM platforms are
>> becoming available to the hacker community, and the protocol was not really
>> designed for security.
>
> I never gave thought to this, what would it help in abuse to have your IMEI ?
>
>> I will note that http://www.omniqueue.com/ shows a pleasing sparseness of
>> design, that many websites would do well to imitate.
>
> Thanks! I try ;-) Even if it had a design it would most probably be
> very minimalistic on the brink of a text document....
>
>
>> No flash ads, no slow javascript, and at 0 bytes, quick to transfer!
>>
> Cellular data consumer kept in mind! :-p
>
>
> Cheers,
>
> -Sivan
>