Well... secure.grepular.com uses an unsigned certificate, which makes most browsers squeak.
It is important to understand that although it's not proper https, this is still an encrypted connection that will make eavesdropping impossible. Being signed by an actual authority is only necessary to ensure the website we're talking to is actually secure.grepular.com, and not a man-in-the-middle that would intercept our queries and forge answers. "Unfortunately", both ideas of security and authentication are part of https, and having one without the other is going to pop big scary messages.
This sort of https is still more secure than plain http.
His point about transmitting the password in plain sight is a very good one. Firesheep showed how bad it is to transmit your cookies in plaintext, but sending your login/pass is even worse.
Making browsers squeak is a fundamental part of the SSL security model.
Invalidly signed HTTPS is only slightly more secure than HTTP. Let's look at the open WiFi scenario. If you log in to ServiceX over HTTPS but ignore certificate warnings, I can just mount a man-in-the-middle attack and relay all your traffic to ServiceX. It's more involved than just sniffing your cookies, but it's still quite practical.
The only place where ignoring certificates is OK is if you know that an attacker can _read_ your network, but cannot write anything to it.
Explain this to me, because one of us is misunderstanding https. As I understand it, the danger of a self-signed certificate is that you don't know if it was issued by the site owner. You don't get the certificate authority's trust by proxy, but if the certificate is genuine, it's as secure as any level 3 SSL certificate. The only thing a CA certificate is guaranteed to get you is the CA's rubber stamp that they issued it.
You said it yourself: "the danger of a self-signed certificate is that you don't know if it was issued by the site owner".
In the case of someone attacking you on WiFi, that self-signed certificate wasn't issued by the site owner. It was issued by the attacker. If you happily ignore warnings, your browser will just set up a "secure" connection to the attacker. Then the attacker just creates another HTTPS connection to your actual destination, and proxies the content back and forth.
Now, if the attacker can only read packets, then yes, the actual encryption is still secure. But in many places where an attacker can sniff (WiFi, on your Ethernet), they can also inject.
There are lots of problems with CAs and the crappy verification that goes into most certificates. But having a CA cert for SSL still significantly raises the bar and limits the extent of an attack. (If one did get a signed cert for PayPal or Facebook, they couldn't just go and publish it in a program like Firesheep, as it'd get revoked pretty quickly.)
The certificate isn't unsigned. It is signed by cacert.org. I finally decided to stop paying CAs for something which should be free a few weeks ago. Hopefully they'll get their root cert in the major browsers in the not too distant future, but I'm willing to put up with people seeing the browser warnings until then. My website is primarily read by geeks anyway, who should know what it means.
It is important to understand that albeit it's not proper https, this is still an encrypted connection that will make eavesdropping impossible.
If it's a self-signed certificate, how can you tell between a certificate self-signed by the website owner and a certificate self-signed by the eavesdropper?
To view this page in Firefox I have to add an exception for the certificate. Firefox now displays a hint that this is a secure connection (http://imgur.com/d9kEd). It's up to me to remember that this specific site uses a self generated certificate and that I shouldn't place the same level of trust in this certificate as I do with others.
If this guy wants to use SSL he should do it properly.
By accepting the certificate, you've indicated that you trust that the certificate is genuine. At that point, it's as good as any CA-signed certificate. The only difference is that you made a decision to trust the certificate, rather than trusting a CA to verify its authenticity.
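The question running through the replies above, whether a client can tell the site owner's self-signed certificate from one that someone else on the network presents for the same name, and whether deliberately trusting one specific certificate is any different from clicking through every warning, comes down to what the client actually checks. The Go program below is an added example, not code from this thread or from grepular.com: it mints two self-signed certificates for a constructed hostname, serves each on a loopback TLS listener, and connects to both with three client policies. The hostname `secure.example.test` and the names `startServer`, `connects`, `Outcome` and `RunScenario` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hostname both servers claim. Constructed for this example; not a real site.
const host = "secure.example.test"

// must unwraps a (value, error) pair, panicking on error; fine for a demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// startServer mints a self-signed certificate for host (anyone can; the bytes
// prove nothing about who made them) and serves it on a loopback TLS listener.
func startServer(serial int64) (net.Listener, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	go func() { // complete handshakes until the listener is closed
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// Handshake fails when the client rejects our certificate; that is expected.
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, leaf
}

// connects reports whether a client using cfg completes a TLS handshake with addr.
func connects(addr string, cfg *tls.Config) bool {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err == nil
}

// Outcome records, per client policy, whether it accepted server A (the owner's
// self-signed cert) and server B (another party's self-signed cert for the same name).
type Outcome struct {
	DefaultA, DefaultB bool // verify against the system trust store
	SkipA, SkipB       bool // checks disabled: "click through the warning"
	PinnedA, PinnedB   bool // trust store holds exactly certificate A
}

// RunScenario runs the three client policies against both servers.
func RunScenario() Outcome {
	var o Outcome
	srvA, leafA := startServer(1)
	defer srvA.Close()
	srvB, _ := startServer(2)
	defer srvB.Close()
	a, b := srvA.Addr().String(), srvB.Addr().String()
	// Default verification: neither cert chains to a trusted CA, so both are refused.
	def := &tls.Config{ServerName: host}
	o.DefaultA, o.DefaultB = connects(a, def), connects(b, def)
	// Warning ignored: encrypted, but to whoever answered; A and B look identical.
	skip := &tls.Config{ServerName: host, InsecureSkipVerify: true}
	o.SkipA, o.SkipB = connects(a, skip), connects(b, skip)
	// Explicit trust in one known certificate: A accepted, B still refused.
	pool := x509.NewCertPool()
	pool.AddCert(leafA)
	pinned := &tls.Config{ServerName: host, RootCAs: pool}
	o.PinnedA, o.PinnedB = connects(a, pinned), connects(b, pinned)
	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Default verification refuses both servers, since neither certificate chains to anything in the trust store. `InsecureSkipVerify` accepts both, which is what silencing the warning on every visit amounts to: the connection is encrypted, but to whoever answered. A trust store holding only certificate A accepts A and refuses B, which is the explicit per-site exception described in the reply above; in Go that decision is the `RootCAs` pool, in a browser it is the stored exception, and in both cases it only protects you if you made it against the owner's certificate rather than against whatever was presented the first time.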
In IM clients like Pidgin, you can enable TLS for connecting to a Jabber chat server (provided the server supports it). Chat should be encrypted; I wonder why it wasn't the case with Kik.
I find Kik could easily be the Blackberry killer app we've all been hoping for. The only real reason most Blackberry users don't switch to iOS or Android is Blackberry messenger. I hope they can get their security up to par.
What's Blackberry messenger? It isn't enabled on my Blackberry. (Nor is the camera, or text messages, or pairing with non-approved Bluetooth headsets, or the "app world", or ...)
The reason Blackberry users don't switch to iOS or Android is that their employer mandates Blackberry. I would much rather use my Android phone for work, but RIM's marketing worked, and I can't. (Think about how insecure our company's intellectual property would become if I could join a conference call with a headset that didn't have 128-bit encryption!)
Do you work for the government? I have to use a Blackberry because of business, but it's a pretty decent smartphone. I'd prefer it to an Android phone, though if I could I'd just get an iPhone. C'est la vie.
The stuff that's locked down is not what bothers me about a Blackberry. It's the core functionality; the hardware keyboard is harder to use than a software keyboard (because there is no autocorrect), and "push email" is much slower than IMAP on my Android phone.
The worst feature is the keylock -- it doesn't work. Unlocking involves pressing a key, which is why the keylock exists anyway. The thing makes a ton of calls in my pocket, often to 911.
My experience is once again completely different. I kind of prefer the extra speed the hardware keyboard provides, and my Blackberry does have auto-correct. Emails are pushed to my phone before both the browser or my email client notify me. I just sent an email to myself and I received the push notification almost instantly (around 5 seconds faster than both the browser and the client). On my phone, unlocking means either pressing a series of keys at the same time or pressing a hardware button on the top of the phone. I have never ever had my phone misdial or even been unlocked by mistake. It is easy to unlock it when I really do want to, though.
May I ask what model you are using? I'm currently using a 9700 and other than the fact that I miss a few apps I had on my iPhone, I actually do find this phone pretty good where smartphones are concerned.
The phone doesn't have the model number on it anywhere. It's a Bold from Verizon purchased a few months ago.
I blame Exchange for the slow push mail. It always takes forever to notify the desktop client of a new message. (But the Blackberry is still slower. I have often read and responded to a message before my Blackberry alerts me of "new mail".)
Can someone explain to me what's so awesome about this app? When that other link hit the front page, I couldn't even tell what the hell the app was for. I guessed from the image that it was some kind of messaging app, but couldn't for the life of me find any information on that site that could tell me why I care.
And yet - a million people seem to have done better than I. Dubious...
Got to love that apparently iPhone, Android, and Blackberry are "all". Targeting the early adopters makes sense, but making your tagline a blatant lie doesn't.
Well, the "asynchronous" and sent-delivered-read notifications are cool, but what I'm really excited about is this:
"Here’s where things get interesting. If it can build its community, Kik has a lot of new territory to cover if it wants to. It can layer on functionality as it sees fit. For example, it can let you take pictures, and show friends what you’re seeing. It can then let you stream the music you’re listening to, directly from your phone over your friend’s phone. The same can be done for video. And it can be done over any device. While none of this is available right now with the app, Livingston demonstrated this advanced streaming technology to me, so it’s clear he can turn it on at pretty much any time.
During the demo of all this, we sat hundreds of miles away from each other, but he was able to remotely take over the Chrome browser (with my permission, of course) on my MacBook. He then played music over it — all while remotely operating this from his phone. All I did was enter a code that he gave me so that my browser knew to pair with the phone and allow the stream. (A QR code can be used, too.)
It’s pretty cool. Basically, Kik’s technology lets you wirelessly “sling” any content on your phone to any device running on any software. This hasn’t been done before, as far as I know. Sure, AppleTV lets you stream iTunes content to the TV, but it’s a closed garden. You can’t run Apple content on other devices. Kik’s technology allows you to stream pretty much any content on any device with a browser, whether it’s a basic PC, or even a PS3, Wii or a Windows Media Center device.
It’s heady to think of the future of this application. I can scan my surroundings with the camera on my Droid, Blackberry or iPhone with merely a cellular connection, and then stream it to my friend’s phone. Or I can go to my friend’s home and stream an HD movie from my phone onto his TV."
Basically, Kik’s technology lets you wirelessly “sling” any content on your phone to any device running on any software.
That should have been on the home page. This "free real-time texting" thing makes no sense to me. Doesn't virtually everyone with a modern smartphone have free real-time texting?
But being able to stream live TV from my Media Center box to my phone would be cool.
Although, it's a strange move on their part not to immediately release at least some of these features. I'd have thought that the initial confusion or lack of clear product differentiation would have turned users away who might not come back when Kik releases more interesting features.
What explains their virality? Maybe the S-D-R thing is good enough for an initial hook?
It's a Blackberry Messenger clone which also works on iPhones and Android phones. If this were to become the de facto messenger, you should be able to chat with anyone regardless of what phone or messaging services they prefer (as they would be forced to use the service to be able to talk to every one of their peers).
Yeah, my whole website design is shit. I've learnt a lot about web design recently though, especially from articles posted here on HN, and am currently redesigning it. Here's my current front page under development: http://dev.grepular.com/
Besides that, I don't quite understand what separates this from any other IM platform..?