Archive for May, 2007

cipher.js

Update
None of this is useful anymore! The API has changed; look for a newer post!

I’ve got a good, solid, working version of the cipher loader. cipher.js provides a wrapper class for ciphers that are designed according to a few rules.

All cipher classes must live in a file named ciphername.js, where ciphername is the name of the class. This doesn’t seem to matter in this version of cipher.js, but later MooTools’ Asset object is going to be used to load the ciphers on the fly.

The required methods for a cipher are:

bool setKey(_key)
Set the key for the current cipher.
bool encode(plainText)
Encode some plain text using the current cipher and key.
bool decode(cipherText)
Decode some cipher text using the current cipher and key.
bool error()
Gets the current error state.
String getError()
Gets the current error message.
String getOutput()
Gets the current output string, if any.
bool sanityCheck()
Runs the standard sanity check.
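
To show what a class that follows these rules looks like, here is an added example (not the project’s rot13.js or simpleshift.js, just a hypothetical shift cipher written against the contract above):

```javascript
// Added example, not the project's rot13.js or simpleshift.js: a hypothetical
// shift cipher that follows the cipher.js contract. Every method returns a
// bool for success; the result is fetched with getOutput() and failures are
// reported through error()/getError().
class SimpleShift {
  constructor() {
    this.key = null;         // integer shift, 1..255
    this.errorState = false;
    this.errorMsg = '';
    this.output = '';
  }
  fail(msg) { this.errorState = true; this.errorMsg = msg; this.output = ''; return false; }
  ok(out) { this.errorState = false; this.errorMsg = ''; this.output = out; return true; }

  setKey(_key) {
    const k = Number(_key);
    if (!Number.isInteger(k) || k < 1 || k > 255) return this.fail('key must be an integer 1..255');
    this.key = k;
    return this.ok('');
  }
  // Shared worker: shifts every UTF-16 code unit by delta, wrapping within
  // 0..65535 so that decode(encode(x)) === x for any string.
  shift(text, delta) {
    if (this.key === null) return this.fail('no key set');
    if (typeof text !== 'string') return this.fail('input must be a string');
    let out = '';
    for (let i = 0; i < text.length; i++) {
      out += String.fromCharCode((text.charCodeAt(i) + delta + 65536) % 65536);
    }
    return this.ok(out);
  }
  encode(plainText) { return this.shift(plainText, this.key); }
  decode(cipherText) { return this.shift(cipherText, -this.key); }
  error() { return this.errorState; }
  getError() { return this.errorMsg; }
  getOutput() { return this.output; }
  // The standard sanity check: a known string must change under encode and
  // come back unchanged under decode.
  sanityCheck() {
    const sample = 'The quick brown fox';
    if (!this.encode(sample)) return false;
    const ct = this.getOutput();
    if (ct === sample) return this.fail('encode left the plain text unchanged');
    if (!this.decode(ct)) return false;
    if (this.getOutput() !== sample) return this.fail('round trip mismatch');
    return true;
  }
}
```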

Beyond these rules, cipher.js doesn’t care about your internals, and so neither will BlowPass. Here is a list of files for your perusal:

test.htm
This is my testing scaffold, you have to read the code to understand it, but it works nicely.
Cipher.js
The wrapper class.
rot13.js
The classic rot13 algo.
simpleshift.js
A shift algo using character codes.
anewcipher.js
An empty frame of a cipher class file. Start here to make a new cipher.
cipher.tar
All of the above, tarred up.

Right now I’m moving the blowfish implementation over to the cipher.js system, then we should be good to go.


Yes? No? Maybe?

For a while I have struggled with how to authenticate and identify unique users while minimizing risk and not requiring an SSL connection.

I’ve decided to make this a flexible system. You’ll be able to set a flag if you have SSL and it will do its authentication differently.

The other system I have come up with is that whenever a new user, item or item type is created, a short, meaningless random string will be encrypted and stored along with its plain text equivalent. On an attempt to delete or modify an entry, it will ask for the encrypted version of that string in the background, and confirm that everything is a-ok.

This ought to protect against anything except persistent sniffing. It’s still not the best solution, but it’s the only one I can come up with that doesn’t need SSL.
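
To make that exchange concrete, here is an added model of both sides of the check (example code, not BlowPass’s own; keyedTransform is a deterministic stand-in for the real client-side cipher and the nonce generator is illustrative only):

```javascript
// Added example, not BlowPass code: a model of the modify/delete check.
// At creation the server hands the browser a random string, the browser
// encrypts it with the user's key, and the server stores both. Before a
// modify, the server sends the plain string again and only proceeds if the
// browser returns the same encrypted value. keyedTransform stands in for the
// real client-side cipher; it is deterministic (no IV), which the scheme
// needs so the server can compare replies byte for byte.
function keyedTransform(key, text) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    out += c.toString(16).padStart(4, '0');
  }
  return out;
}

class BrowserSide {
  constructor(userKey) { this.userKey = userKey; }
  answer(nonce) { return keyedTransform(this.userKey, nonce); }
}

class ServerSide {
  constructor() { this.items = new Map(); this.nextId = 1; }
  // Illustration only; a real server would draw this from a CSPRNG.
  newNonce() {
    let s = '';
    for (let i = 0; i < 8; i++) s += Math.floor(Math.random() * 36).toString(36);
    return s;
  }
  // The browser encrypts the nonce at creation time; the server never holds the key.
  createItem(data, answerFn) {
    const nonce = this.newNonce();
    const id = this.nextId++;
    this.items.set(id, { data, nonce, tag: answerFn(nonce) });
    return id;
  }
  challenge(id) { return this.items.has(id) ? this.items.get(id).nonce : null; }
  modifyItem(id, reply, newData) {
    const item = this.items.get(id);
    if (!item || reply !== item.tag) return false;   // no such item, or wrong key
    item.data = newData;
    return true;
  }
  getData(id) { return this.items.has(id) ? this.items.get(id).data : null; }
}
// The limitation the post itself points out: challenge(id) returns the same
// nonce every time, so the reply is a fixed value per item, and anyone who has
// seen it on the wire once can repeat it (the "persistent sniffing" case).
```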

Maybe I’ll just do a public key crypto system for the authentication process too. We’ll see. Suggestions are most welcome.


Development…

I got to do some development on the new code for 1.0. I’ve redone the DB design, switched to MooTools and am working on a pluggable cipher system so that BlowPass won’t be confined to a single cipher algorithm. I’ll post some example code and the cipher container when I get it figured out further, then everyone can start working on their own cipher classes to add!


A little bit of proof…

I thought it was time to give a little credibility to the claims of BlowPass, and while I can’t do much, I can show that all user data is passed across the internet encrypted, or at the very least not in plain text. I’ll detail the easy process of sniffing your own traffic below.

The tool I will be using today is Wireshark, formerly known as Ethereal. This “network protocol analyzer”, or more simply put, “sniffer”, captures all the packets sent to and from your computer, and can also capture packets that aren’t directed to you but come down your line anyway. It’s free and available on Linux, Windows, Mac OS X and more.

So, once you have Wireshark installed, just fire it up, set it to capture (non-promiscuous) and navigate your browser to www.blowpass.com. To make your life easier you might want to close anything else that may generate IP traffic. This includes P2P clients, instant messengers, and active web apps like Gmail.

Go ahead and start capturing, then log into BlowPass and open an existing item in your list. Save it and return to Wireshark. You can stop capturing now. To see all the traffic that went between you and blowpass.com, add the filter “ip.addr == IP_ADDRESS_HERE && http”. For IP_ADDRESS_HERE you need blowpass.com’s current IP; you can click here for a report on that from dnsstuff.com. At the time of writing it is 208.97.168.97. Next, click Apply and it should filter everything else out.

Go ahead and browse through these packet sets. I recommend clicking on the “Line-based text-data…” folds when they appear; you should see that all of your important data is definitely not in plain text.



Key Issues For Version 1.00

I decided to write up a nice list of what I feel needs to be done before I’m satisfied with BlowPass enough to call it 1.00. Feel free to add things to this list that you would like to see in the first real release.

Internet Explorer Support
That vast market, untouched by BlowPass, needs fixin’! I’d say this is a big contender for #1. In a related vein…

JS Libraries
I’d love to refine the libraries. I think the best option from here is to move from Prototype to MooTools. That’s planned, mostly so I can add a slider to the log viewer. It’d also be super-cool to standardize/rewrite the Blowfish implementation so that it would be possible to substitute other ciphers in. A nice collection of ciphers would be cool.

JSON
Everything needs to move to JSON. The amount of stuff we’re pushing around at this point is a bit ridiculous. Also, move to native JSON in PHP as we move towards PHP 5.2 (?).

Delete!
We absolutely must add delete functionality by 1.0. The lack of this is annoying right now.

User Types
Let users create their own account types. Maybe get a little library of shared specs here on the site for developers to drop in.

Error Handling
Right now if an ajax call comes back bad or just doesn’t, you can get stuck and have to reload.

Templating
It’s not a big deal, but it would be nice to easily change the look and feel of BlowPass.

Button Keyboard
I wrote one of these a while back to defeat key capture programs. Just a nice little on-screen keyboard to fill in the forms.

Export! Import!
It’s important to be able to dump this guy to XML, plain and encrypted. Also to import.

Docs!
Move into either NaturalDocs/PHPDocumenter. Get this guy listed out.

Anything I missed?


ZOMG!!! CVS REPO!!!

It’s been a long time coming, and now there is a CVS repo for BlowPass. Looky here –> http://blowpass.cvs.sourceforge.net/blowpass/BlowPass/BlowPass/ to browse around.

And yes, I know my module name is BlowPass containing a folder named BlowPass. I’m pretty new to CVS, so, you know, lay off.
