[HN Gopher] Decrypting Blind's Encrypted API
       ___________________________________________________________________
        
       Decrypting Blind's Encrypted API
        
       Author : jonluca
       Score  : 39 points
       Date   : 2020-03-21 19:16 UTC (3 hours ago)
        
 (HTM) web link (blog.jldc.me)
 (TXT) w3m dump (blog.jldc.me)
        
       | bowmessage wrote:
       | I've gone through this same exercise in the past in order to
       | mass-delete a large number of comments on different threads. I
       | was afraid that Blind may one day suffer a data leak. I attempted
       | to reroll the crypto in Ruby, but ultimately failed and went the
        | JS route, same as the author. I also had to roll my own session-
        | token refresh logic. Finally I was wondering if any kind of data
       | mining could be done with the tool, but I never took it that far.
       | Thanks for the writeup!
        
         | choppaface wrote:
         | Well they already had at least one breach:
         | https://techcrunch.com/2018/12/20/blind-anonymous-app-data-e...
        
           | sonicggg wrote:
            | You'd think that engineers from top-tier tech companies
           | would know better, before sharing sensitive information on
           | some random website.
        
             | tehlike wrote:
             | People like venting.
        
       | kccqzy wrote:
       | This is yet another reminder that good JS minification tools
       | exist that can absolutely change object properties into short
       | minimal strings instead of descriptive names. It's called the
       | Closure Compiler in advanced mode. You do have to have quite a
       | bit of discipline in writing the JS to have that though.
        
       | jiofih wrote:
       | Is there any point in encrypting API payloads when the traffic is
       | going via TLS?
        
         | thenewnewguy wrote:
         | In theory: no, because anyone able to break the TLS could just
         | slip in some JS to capture your comments.
         | 
         | In practice: possibly, because many companies use TLS proxies
         | that probably aren't doing that?
        
         | jiveturkey wrote:
         | For blind? yes. It is designed to be anonymous from your
         | employer. Many employers, especially those for which employees
         | would enjoy anonymous complaining, have TLS-intercepting
         | middleboxes.
        
           | bowmessage wrote:
           | How would that work, unless the Blind posters are posting
           | from corp-managed phones which have company-signed certs
           | installed?
        
             | RyJones wrote:
              | Lots of places use an MDM profile if you connect to work
              | email, for instance.
        
             | SlowRobotAhead wrote:
             | This kind of deep packet inspection is in no way limited to
             | phones.
        
         | chocolatkey wrote:
         | Potentially to prevent MITM proxies on company computers from
         | being able to sniff the traffic. Maybe because of what blind is
         | about, that would make sense? Otherwise, if it's secure TLS,
          | then no reason at all.
         | 
         | Edit: maybe the reason they use public key for transmission is
         | because you can't reverse that, and that would potentially be
          | where your anonymous complaints (or whatever you do on Blind)
          | would be?
        
         | andersonmvd wrote:
         | Reasons I can think of: depends whether you assume TLS is not
         | going to be broken again and whether the TLS termination
         | happens before the component you want to process the data, to
         | do any sort of check, e.g., web application firewall. With the
         | goal of reducing insider threat and reducing exposure of
         | sensitive data to components that don't need to know such data.
          | However, usually it's a bad idea to solely rely on JavaScript
          | crypto: https://www.nccgroup.trust/us/about-us/newsroom-and-
          | events/b...
        
       | eralps wrote:
       | Nice article! I always wonder what the legal aspects of
       | publishing a reverse engineering article for a private API are?
       | Does the company that the API belongs to have rights to an
       | obligatory take down request?
        
         | userbinator wrote:
         | Is it really "private" if everyone with a browser and a brain
         | can see what it's doing...?
        
       ___________________________________________________________________
       (page generated 2020-03-21 23:00 UTC)