This has been discussed before, though the 'secret address' idea is a new twist, and slightly better than other options.
One major problem is that email passes through various mail servers on its way to its destination and any of those may be compromised, thus disclosing your secret address.
Alternately, a dictionary/scattergun attack against jaiku.com may hit many 'secret addresses'.
Really the only way to do it via email is to use signed email: You upload your public key to the Jaiku website, then sign your emails with your private key and email them to username@jaiku.com. Jaiku then validates your signature against the known public cert they hold. If it matches, your post gets posted.
I agree that the solution with a secret email has securityflaws. But let the user decide if he wants to take the risk. There are a lot of services that use this setup, Flickr for instance is one of them.
@RickMeasham, are you serious? No way is public key cryptography going to be adopted for this use case any more than it has been for general email use! (The public at large simply doesn't grok all these public and private keys, revocations lists, etc.) Consider also that Jaiku has a much basic problem regarding security and privacy due to not providing encrypted (SSL/TLS or https-based) sessions for their users. Jaiku is not alone in its predicament because encrypted sessions are computationally relatively expensive (some say even 100x more expensive than straight http). This is ostensibly why for instance Google hasn't made their encrypted email interface (https://mail.google.com) the default for their users. Only gmail logins are encrypted and thereafter users are provided with a cookie which works as a re-entry pass for the regular unencrypted service. Anybody on the route to the servers can hijack your info by listening into the conversation and picking up the browser cookie. So, analogously in Jaikus case there's not much protection for your account if you happen to be logged on to it while tapping into a public wifi hotspot.
Actually, somebody at my office made TwitterMail.com. I'm sure you can bug him for the source code. You can get in touch with him here: lennaert at chello dotzor nl
Would it be possible to do, with currently available APIs, a service like TwitterMail? I mean: a mail server which automatically publishes on Jaiku what it receives on a certain mail address, using the API key of the user and all the authentication process of Jaiku API.
Actually I was beside the point really by focusing only on Rick's over-engineered proposal. As it currently stands, any and all external feeds pass unfiltered into the account's update stream, so it doesn't really matter where any offending material comes from, whether it be from a hijacked secret email address for posting Jaiku presence update or a hijacked RSS feed. The risk is indeed for the user to calculate. That doesn't mean that Jaiku wouldn't need spam fighting and general filtering capabilities. Hopefully they are implemented along the road.
One more thing. Regarding secret email addresses, I'm sure pretty much every one of any dictionary/scattergun attacks could be avoided by using UUIDs (GUIDs) as follows:
Jaiku.com could use Javascript or Java on the client to generate UUIDs. For example the Wikipedia article above references the following library for Javascript:
http://www.af-design.com/services/javascript/uuid/ .
OK, so long as people are happy with a UUID type address (ie, something you don't have a hope of remembering!) I'll put together a proof-of-concept. Note that it will require joining up to jaikufans.com to get your UUID assigned.
@RickMeasham TwitterMail generates a rondom email address but lets the user reasign it if desired. I think thats a crucial option. Give the power to the user, let them decide. Such a feature is also desirable to increase security, you could change the address manually each month or so.
@RickMeasham, @marcfonteijn: Long UUID addresses work fine so long as you can alias them in your email client's address book or the client provides you with auto-completion (which would require you to remember the first hexadecimal digits). Otherwise if the risks are fully explained, I don't see why the user couldn't be allowed rename or alias the email address as s/he sees fit. Now if only Google could make this a standard feature in gmail filters: in comes "secret" email, out goes Jabber/Gtalk message. :)
27 comments so far
That would be nice. Maybe it could be also a workaround to post on Jaiku with mobile from Italy...
2 years, 3 months ago by Barcaro
That was exactly my idea! Easy posting using your mobile phone to an emailadres.
2 years, 3 months ago by marcfonteijn
This has been discussed before, though the 'secret address' idea is a new twist, and slightly better than other options.
One major problem is that email passes through various mail servers on its way to its destination and any of those may be compromised, thus disclosing your secret address.
Alternately, a dictionary/scattergun attack against jaiku.com may hit many 'secret addresses'.
Really the only way to do it via email is to use signed email: You upload your public key to the Jaiku website, then sign your emails with your private key and email them to username@jaiku.com. Jaiku then validates your signature against the known public cert they hold. If it matches, your post gets posted.
2 years, 3 months ago by RickMeasham
I agree that the solution with a secret email has securityflaws. But let the user decide if he wants to take the risk. There are a lot of services that use this setup, Flickr for instance is one of them.
This feature would be great to enable quick and easy post via your mobile phone. You can find more thoughts on this here: http://www.marcathing.com/2007/08/07/using-shozu-and-jaiku-to-microblog/
2 years, 3 months ago by marcfonteijn
Hmmm, is something like http://www.twittermail.com for Jaiku would be great ...
2 years, 3 months ago by marcfonteijn
@RickMeasham, are you serious? No way is public key cryptography going to be adopted for this use case any more than it has been for general email use! (The public at large simply doesn't grok all these public and private keys, revocations lists, etc.) Consider also that Jaiku has a much basic problem regarding security and privacy due to not providing encrypted (SSL/TLS or https-based) sessions for their users. Jaiku is not alone in its predicament because encrypted sessions are computationally relatively expensive (some say even 100x more expensive than straight http). This is ostensibly why for instance Google hasn't made their encrypted email interface (https://mail.google.com) the default for their users. Only gmail logins are encrypted and thereafter users are provided with a cookie which works as a re-entry pass for the regular unencrypted service. Anybody on the route to the servers can hijack your info by listening into the conversation and picking up the browser cookie. So, analogously in Jaikus case there's not much protection for your account if you happen to be logged on to it while tapping into a public wifi hotspot.
2 years, 3 months ago by jkniiv
Hmmm, I figured out a sort of solution ...
The only flaw in this is the assosiated delay with Jaiku reading the Twitter feed...
2 years, 3 months ago by marcfonteijn
Actually, somebody at my office made TwitterMail.com. I'm sure you can bug him for the source code. You can get in touch with him here: lennaert at chello dotzor nl
2 years, 3 months ago by BlueAce
Would it be possible to do, with currently available APIs, a service like TwitterMail? I mean: a mail server which automatically publishes on Jaiku what it receives on a certain mail address, using the API key of the user and all the authentication process of Jaiku API.
2 years, 3 months ago by Barcaro
Actually I was beside the point really by focusing only on Rick's over-engineered proposal. As it currently stands, any and all external feeds pass unfiltered into the account's update stream, so it doesn't really matter where any offending material comes from, whether it be from a hijacked secret email address for posting Jaiku presence update or a hijacked RSS feed. The risk is indeed for the user to calculate. That doesn't mean that Jaiku wouldn't need spam fighting and general filtering capabilities. Hopefully they are implemented along the road.
One more thing. Regarding secret email addresses, I'm sure pretty much every one of any dictionary/scattergun attacks could be avoided by using UUIDs (GUIDs) as follows:
1D413D97-4C77-0001-AE1E-A750BDAB1D88@posts.jaiku.com
Jaiku.com could use Javascript or Java on the client to generate UUIDs. For example the Wikipedia article above references the following library for Javascript: http://www.af-design.com/services/javascript/uuid/ .
2 years, 3 months ago by jkniiv
If you can live with the delay that occures on Jaiku updating the RSS feeds this is a working solution to enable posting via email to Jaiku: http://www.marcathing.com/2007/08/08/posting-to-jaiku-using-the-email-client-on-your-phone-via-twitter-and-twittermail/
2 years, 3 months ago by marcfonteijn
I see, the original idea for TwitterMail already included unique identifiers (although not UUIDs) for recipient addresses: http://bomega.com/2007/03/19/openidea-twittermailcom/
2 years, 3 months ago by jkniiv
beside email, post via IM (Gtalk, AOL etc) is also an option, Twitter do offered this service, why Jaiku do not have this features?
2 years, 3 months ago by henmaker
OK, so long as people are happy with a UUID type address (ie, something you don't have a hope of remembering!) I'll put together a proof-of-concept. Note that it will require joining up to jaikufans.com to get your UUID assigned.
2 years, 3 months ago by RickMeasham
@RickMeasham TwitterMail generates a rondom email address but lets the user reasign it if desired. I think thats a crucial option. Give the power to the user, let them decide. Such a feature is also desirable to increase security, you could change the address manually each month or so.
2 years, 3 months ago by marcfonteijn
@henmaker: you could do that with Imified, I used it to post my Jaiku before I switched to Juhu for Mac.
2 years, 3 months ago by Barcaro
thanks for recommend imified, i also switched to Juhu now, cheers~
2 years, 3 months ago by henmaker
@RickMeasham, @marcfonteijn: Long UUID addresses work fine so long as you can alias them in your email client's address book or the client provides you with auto-completion (which would require you to remember the first hexadecimal digits). Otherwise if the risks are fully explained, I don't see why the user couldn't be allowed rename or alias the email address as s/he sees fit. Now if only Google could make this a standard feature in gmail filters: in comes "secret" email, out goes Jabber/Gtalk message. :)
2 years, 3 months ago by jkniiv
@jkniiv, I agree with you... the user should always have the option to change email address. Imagine inputing the UUID address on a phone ...
2 years, 3 months ago by marcfonteijn
OK then, you're responsible for your own security: http://jaikufans.com/tools/clients/other-platforms/mailku
2 years, 3 months ago by RickMeasham
Jaikufans.com is offline again :(
2 years, 3 months ago by Barcaro
I've had a support ticket in with the hosting company for three days now to try and sort out what's going on. Please bear with it :-D
2 years, 3 months ago by RickMeasham
Seems to be ok now. ;)
2 years, 3 months ago by Barcaro
Great Rick! It works from gmail, now I'll try with the mobile.
2 years, 3 months ago by Barcaro
... This Account Has Exceeded Its CPU Quota ... :(
2 years, 3 months ago by marcfonteijn
Nevermind, it works now...!
2 years, 3 months ago by marcfonteijn
@marcfonteijn: Please read the comment just three above yours
2 years, 3 months ago by RickMeasham