Putting Access_Token to rest - inside the core - Most Secure

@Dave, Thanks for the reply, and Yes & No.

So as I now understand it, the whole concept of the Cloud API is to encrypt data transfers.

I don’t need encryption when it’s not absolute under this government rule:

Do you know that all encryption requires Department of Justice backdoor passwords be provided to them prior to being implemented? It’s a real law and all router & firmware makers are supposed to abide by the US Gov.’s wishes. Supposedly only an MIT encryption that is widespread cannot be busted by the NSA but, that’s a whole different monster.

What I am trying to do.

  1. Not trying to change the Spark API. I know API (New Age) HTML/PHP HTTP Authentication (Old School).

  2. Instead of the core being sent an access token via cURL / Java Android API / or HTML, a variable is used in the commands.

  3. The variable is validated from within the :spark: API security, as the variable validator resides in an external JavaScript file on @kennethlimcp’s SD Card that is attached directly to the Core.

  4. For all non-API Cloud connections using HTTP, a cookie is placed in the browser (leased); nothing special here.

There are people who cannot afford HTTPS to be added to their website or lack the expertise to implement server-side coding to maintain “no https” connectivity with the Core.

You might say, why is he going to use an access_token with a non-cloud environment when he doesn’t have to? If encryption of data is not an issue, why not just use Apache password protection on the web?

Answer: All the code will reside either on the CORE (IDE) or a connected SD Card (HTML / PHP / jQuery) that will run a webserver with login protection - authentication.

Fully Automatic (this Part)

Local Network --> Core wifi Webserver (Local Network) loaded --> waiting for a local connection or a connection from the internet over HTTP.

Browser connection initially on the local network (to obtain a cookie for each device).

Authentication SD Card Webserver --> (Browser Cookie) --> SD Card Access --> Local Cloud API (Access_Token) --> Internet Access --> HTML/PHP Webpage (On SD Card) --> Access_token_Variable used in webpage <-- External *.js file (on SD Card) containing the “token validator of the real access_token number” (the only place the real access_token number is: in the Core IDE code).

The real access_token “NEVER” gets transmitted in a command over the internet - Ever !

Browser (with cookie from local network login) --> Internet --> Local Router --> Webpage (After Authentication) --> Verifies correct cookie in browser --> HTML Page Parsed --> Command with “access_token_variable” executed (all behind the local firewall) --> access_token_variable compared in external *.js file with the real access_token number in the core.

Why do it this way? Having access to the core SD Card allows the use of a local cloud that connects to other local clouds pre-API, IP to IP, via authentication. Once authenticated, the two local clouds connect to each other. Think of the possibilities!

Heya @spydrop,

Totally, if you’re controlling access to the page by keeping all that traffic inside your network, then you could certainly use a passcode system like that, and if you’re controlling who’s on the wifi network, then you can probably avoid extra encryption.

On the topic of encryption:

If we’re talking backdoors, then I think there’s no better disinfectant than sunlight. Open source crypto packages are frequently scrutinized and documented, which is also partly why we’re open sourcing the local cloud.

I think the general wisdom there is that someone will try to compromise other aspects of your system before trying to attack well-documented strong crypto directly, since those aren’t the weakest links. It’s like any lock: it won’t ever be unpickable, it’s just about making it last long enough that you can notice and take steps to keep yourself safe.

Personally I think we all benefit from the large, active community that has a vested financial and personal stake in the strength of encryption on the internet. If you want access to better electronic security and freedom that is free from compromises, I recommend donating to the EFF, or OpenSSL - https://www.eff.org/ - https://www.openssl.org/ if you haven’t already. :smile:

Thanks!
David

1 Like

@Dave,

" I recommend donating to the EFF, or OpenSSL - https://www.eff.org/ - https://www.openssl.org/ if you haven’t already."

I understand. If I don’t like having to use the Spark Core’s API Android approach, which is the only secure method, or don’t want to buy an HTTPS connection for my webserver to be safe beyond my local network.

I get it. You guys decided a long time ago not to support what is used by millions of people: easy unencrypted data over HTTP. It’s your choice not to support it.

I’m going to use that money you suggested I give to the EFF for the specific purpose of porting a non-encrypted version of the Spark Core so it truly is more compatible with how other MCU players do it, to make it easy for hobbyists.

Easy - KISS - Plug N Play.

Good-bye, with your fewer than 50 members you have here on this forum. I was not kidding about taking over this world - I just need that push.

Hi @spydrop,

I’m sorry if I misspoke; unencrypted HTTP is of course easy to do, and I’ve posted a number of examples on how to do it, including my tiny webserver code which you’re using…

Apologies for any miscommunications, but I’m building the local cloud precisely for people who want to do their own thing, encrypted or not! :slight_smile:

edit: I recommended donating to the EFF because I got the chance to do that recently, they’re a cool organization. :slight_smile:

Thanks,
David

1 Like

@spydrop Oh, here’s another thing I forgot to mention… You don’t need to buy an SSL certificate for your web server… Anybody can generate and sign an SSL certificate themselves, right from the OS X/Linux/BSD (and, with an SSL package installed, Windows) command line. If someone were to visit your site in a web browser, they would get a message that the site certificate wasn’t signed by a secure entity, but that doesn’t matter in this case as you’d be using the cert for your own copy of the cloud, not a web server. (In both cases the data would still be secured via SSL; the certificate just wouldn’t be signed by someone like VeriSign, which is a huge joke anyway as that doesn’t really mean much either!)

Even if you did want or need an “authentic” certification, you can buy them for $10/yr these days!

Just saying!
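As an added example of the self-signed certificate step described in the post above (this is added illustration, not timb’s or Spark’s code), the script below generates a key and a self-signed certificate with the openssl CLI, keeps the private key at mode 0600, and exposes the subject CN and the SHA-256 fingerprint so a client can pin exactly that certificate. It assumes openssl is installed; the hostname and output directory are arguments the reader supplies.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed certificate for a local
# cloud / web server. Assumes the openssl command-line tool is installed.
set -eu

# make_self_signed_cert HOSTNAME OUTDIR [DAYS]
# Writes OUTDIR/key.pem (mode 0600) and OUTDIR/cert.pem (mode 0644).
make_self_signed_cert() {
    host=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    old_umask=$(umask)
    umask 077   # key is created unreadable by group/other from the start
    # -nodes: no passphrase, so an unattended server/cron job can load the key.
    # -addext adds a SAN, which modern browsers require; older OpenSSL/LibreSSL
    # builds lack -addext, so fall back to a CN-only certificate there.
    if ! openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
            -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
            -keyout "$outdir/key.pem" -out "$outdir/cert.pem" >/dev/null 2>&1; then
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
            -subj "/CN=$host" \
            -keyout "$outdir/key.pem" -out "$outdir/cert.pem" >/dev/null 2>&1
    fi
    umask "$old_umask"
    chmod 0600 "$outdir/key.pem"
    chmod 0644 "$outdir/cert.pem"
}

# cert_cn CERTFILE: print the subject CN (RFC2253 form gives a stable layout)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_fingerprint CERTFILE: SHA-256 fingerprint, e.g. for pinning in a client
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_is_self_signed CERTFILE: succeeds if the cert verifies against itself
cert_is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone usage: ./selfsigned.sh myhost.local ./tls
if [ "${1:-}" ] && [ "${2:-}" ]; then
    make_self_signed_cert "$1" "$2"
    echo "CN:          $(cert_cn "$2/cert.pem")"
    echo "Fingerprint: $(cert_fingerprint "$2/cert.pem")"
fi
```

A client that should trust only this certificate passes it explicitly, for example `curl --cacert ./tls/cert.pem https://myhost.local/...`; a browser will still show the “not signed by a known CA” warning the post mentions, because nothing in its trust store vouches for the certificate, but the connection is encrypted all the same.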

@Dave @timb,

thank you both for feedback. I posted another reply it went poof ! So I hope this one is not a duplicate.

I appreciate what you guys are doing to maintain a secure platform for spark core users.

You guys are experts, I’m only a novice who has products he wants to use the core with but, if it’s complicated (like it is now) I can’t use it without having to hire a support team.

timb, Yes, I have known about self-signed SSL CAs in cPanel for a long time and 3 days ago I tried to use it. My cPanel would not let me install a self-signed CA as it had a bogus SSL server certificate installed “Not From cPanel”. I never installed it.

My webhost tech support found the issue and removed it. Now, who would be able to put a bogus SSL certificate on a password-protected server? Above /public_html/rootdoc/? NSA? :smile: I don’t know.

So today, I installed a self-signed SSL CA certificate from CACERT.ORG to do testing, “Free”.

https://www.spydrop.com does give the typical error and works fine by accepting the site. Check the certificate details and you will see it’s for my domain.

I have been working (off and on) on a PHP script that will be located on https://www.spydrop.com and will make automated curl requests with the access_token (now encrypted - https:) using cron jobs in cPanel and retrieve data from my Spark Core.

The next step is to make this happen:

Browser (https) --> Local Router --> https://www.spydrop.com/ --> https:// Spark API --> Local Router --> IP --> Core --> Tiny Webserver --> Authentication --> SD Card --> Control Spark Core using 100% jQuery/curl commands ==> Spark API <== Spark Core (once authenticated the SD Card becomes visible to the local network as well).

Then the trick is to have the https://spydrop.com PHP script connect to the Spark Core per the above when it runs the cron jobs and run all the commands off the SD Card, meaning the access_token will be behind a local firewall / Spark API (most secure possible).

Then the final blow to the access_token: I am going to strip it out of the equation and put it in a 6’ x 2’ hole by using a UDP socket server (from another forum member whose name slips me) and https:// right into the Core via the web from anywhere and control it. I have already done this on my LAN.

Thank you @Dave and timb, and @bko @peekay123 @kennethlimcp and others for helping me with my projects and such, but I just don’t need a cloud or a stinking access_token that requires a smartphone that Facebook can turn the speakerphone on and listen to me have verbal discussions with my Spark Core :slight_smile:

2 Likes
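The cron-driven retrieval spydrop describes above (a script on an HTTPS host that uses the access_token to read data from the core) is shown below as an added shell example; it is not spydrop’s PHP script and not Spark code. It reads the token from a file that must be mode 0600, passes it in the `Authorization: Bearer` header through a temporary curl config file rather than in the URL (so it stays out of web-server logs, browser history and `ps` output; the Spark cloud API of the time accepted the header as well as a query parameter), and pins a local cloud’s self-signed certificate with `--cacert`. The API host default, device ID, variable name and token file path are placeholders to be replaced.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven read of a Spark Core
# variable via GET /v1/devices/:id/:var, keeping the access_token out of URLs.
# Assumptions: token in a mode-0600 file; API host as in the docs of the time
# (override API_BASE for a local cloud); optional self-signed CA for --cacert.
set -eu

API_BASE=${API_BASE:-https://api.spark.io}

# token_file_ok FILE: succeeds only if FILE is a regular file that is not
# readable by group or other (0600 or 0400).
token_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# variable_url DEVICE_ID VAR_NAME: request URL; deliberately carries no token.
variable_url() {
    printf '%s/v1/devices/%s/%s\n' "$API_BASE" "$1" "$2"
}

# read_variable TOKEN_FILE DEVICE_ID VAR_NAME [CACERT]
# Prints the JSON body returned by the API (the variable value is in "result").
read_variable() {
    tf=$1; dev=$2; var=$3; cacert=${4:-}
    token_file_ok "$tf" || { echo "refusing: $tf must be mode 0600" >&2; return 2; }

    # Put the header in a private curl config file (-K) instead of on the
    # command line, so the token does not show up in the process list.
    cfg=$(mktemp)
    chmod 0600 "$cfg"
    printf 'header = "Authorization: Bearer %s"\n' "$(cat "$tf")" >"$cfg"

    set -- --silent --show-error --fail -K "$cfg"
    [ -n "$cacert" ] && set -- "$@" --cacert "$cacert"

    rc=0
    curl "$@" "$(variable_url "$dev" "$var")" || rc=$?
    rm -f "$cfg"
    return "$rc"
}

# Stand-alone usage (e.g. from cron):
#   ./read_core.sh /etc/spark/token 0123456789abcdef01234567 temperature ./tls/cert.pem
if [ "${3:-}" ]; then
    read_variable "$1" "$2" "$3" "${4:-}"
    echo
fi
```

Run it from a crontab line such as `*/5 * * * * /path/read_core.sh /etc/spark/token DEVICE_ID temperature >> /var/log/core.log`; the script exits non-zero, without contacting the API, if the token file is readable by anyone but its owner.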

@spydrop Cool, glad you figured out the SSL cert thing! Sorry if my post came off a bit harsh; I was having a bad day and didn’t mean to take it out on you.

As always, we’ll continue to be here to help you as much as we can!

3 Likes