oEmbed, as the Wikipedia page puts it, is an open format for obtaining an embeddable representation of an object. As suggested in the comments in an earlier post, I’ve now extended my Idno Embedded post plugin to support oEmbed.

It works by providing an endpoint that other sites can query, passing the permalink of the thing they want to embed, a format parameter (currently only json is supported), and any other content-specific parameters (e.g. maxwidth and maxheight).

You can pass a permalink of an idno post to this endpoint, and you’ll be returned a JSON data structure containing some details about it. Additionally, if you pass a callback parameter, you’ll get this data as JSONP, which may be more useful.

Here’s some example code, using jQuery for convenience:

This example makes use of the JSONP callback to update all div elements of class oembed, with the URL from the data-url parameter.

Because of this bug, at the moment you’ll need to use my branch of the bonita template library, which applies this fix, in order for the oEmbed functionality to work.

Currently, all posts default to the 'rich' data type; however, you can extend this by providing your own entity class templates and specific details for your own custom types.

» Visit the project on Github...

I’ve previously talked about the embed plugin I wrote for Idno.

The previous version made use of jQuery to call a JSONP endpoint, which was done because I was planning to construct the embed by manipulating the DOM tree.

This proved rather complicated (although there are reasons for doing this, so I may swing back to it), especially if you wanted to preserve the individual Idno site’s custom skinning, so I opted for an IFRAME approach.

I’ve now tidied the code to remove this jQuery requirement, and now the embed code produces an IFRAME directly, rather like the related WordPress plugin.

Ok, so here’s an experimental, proof of concept plugin for Idno that provides OpenPGP encryption for form posts between web clients and the server (just in time for Reset the net 😉 ).

It makes use of OpenPGP.js, a pure JavaScript implementation of the OpenPGP spec. On form submission, the plugin will encrypt all form variables, client side in the browser, before transmitting them to the server.

What this is for

Primarily, this is aimed at (partially) addressing a situation where you have an Idno site sitting behind a load balancer/reverse proxy like Squid, Nginx or Pound.

In this configuration it is common for the connection to be HTTPS only between the client and the load balancer node, at which point HTTPS is stripped and the connection to the back-end web server is conducted over HTTP. As we know from the NSA smiley, attacking this point where HTTPS is stripped at the load balancer was one of the ways the NSA and GCHQ were able to burgle customer data from Google’s cloud.

Using this plugin, the contents of the form will be encrypted with the back-end server’s public key, meaning that the payload will remain encrypted as it transits through your data centre until its final destination, where, if you redesign your system as such, it could be stored in encrypted form and decoded only when necessary.

What this is NOT for

This is not intended to be a replacement for HTTPS.

Encrypting the form on the client does raise the bar slightly, making it much harder for a passive attacker to simply read your username and password as it travels over the wire. However, it does not protect against a more sophisticated attacker capable of launching a “man-in-the-middle” or “man-on-the-side” attack.

Using HTTPS is important, because without it an attacker could insert their own public key into the mix, or modify the JavaScript sent.

Usage and limitations

The plugin currently piggybacks off of GnuPG to do the decryption on the server end, and so this requires you to perform a couple of configuration steps.

  • Make sure you’ve got GnuPG installed. If the binary isn’t at /usr/bin/gpg, you can set opengpg_gnupg in your config.ini
  • Generate a keypair for your web server user:
        su www-data
        gpg --gen-key
  • Make sure that the .gnupg directory is not accessible publicly, using a .htaccess or similar, since it’ll contain a secret key!
  • Get a copy of the public key using gpg --export -a "User Name", and save it as openpgpPublicKey in your config.ini
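
One way to check the third step above, as an added example that is not part of the plugin's own code: it flags a GnuPG home directory that sits under the web root or is readable beyond its owner. The function name check_gnupg_home and its two directory arguments are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: audit the GnuPG home directory of a web server account.
# check_gnupg_home and both path arguments are hypothetical names.

# Print the physical (symlink-resolved) path of a directory.
resolve_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# Usage: check_gnupg_home <gnupg_home> <web_document_root>
# Returns 0 when no problem is found, 1 otherwise; findings go to stderr.
check_gnupg_home() {
    gnupg_home=$(resolve_dir "$1") || { echo "missing: $1" >&2; return 1; }
    doc_root=$(resolve_dir "$2") || { echo "missing: $2" >&2; return 1; }
    status=0

    # 1. A keyring under the document root is only as private as the
    #    access rule covering it; keeping it outside removes that reliance.
    case "$gnupg_home/" in
        "$doc_root"/*)
            echo "FAIL: $gnupg_home is inside web root $doc_root" >&2
            status=1 ;;
    esac

    # 2. The directory should be private to its owner (mode 0700).
    #    Characters 5-10 of the ls mode string are the group/other bits.
    bits=$(ls -ld "$gnupg_home" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "FAIL: $gnupg_home is open to group/other ($bits)" >&2
        status=1
    fi

    # 3. No file below it should be readable by group or other.
    loose=$(find "$gnupg_home" -type f \( -perm -040 -o -perm -004 \) -print)
    if [ -n "$loose" ]; then
        echo "FAIL: group/other-readable files:" >&2
        echo "$loose" >&2
        status=1
    fi

    return "$status"
}
```

Call it with the web server user's .gnupg directory and the site's document root; a non-zero exit status means at least one finding was printed.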

Once you’ve done this, activate your plugin in your Idno settings, and you should be ready to rock and roll!

It was enjoyable playing with OpenPGP.js, and I can already think of some other cool uses for it (most obvious might be to enhance my OpenPGP Elgg plugin).

Have fun!

» Visit the project on Github...