Add more SSL support in NewsRob / GR communications
Currently NewsRob uses https when doing the authentication against Google Reader.
But like other apps and also the Google Reader web app, the actual communication with Google uses http only.
Some Chinese users told me by email that they would prefer to have the normal communication (fetching articles) also encrypted for reasons that I don't 100% understand, but it seems they get an edge then when crossing the great firewall.
Anyway, this suggestion is about adding SSL to the actual communication with Google Reader.
The downloads from the websites will still only use http.
Implemented in 3.6
Sure, no problem. You can download a preliminary version here: http://claudia-und-mariano.net/newsrob354.apk
Mariano, thank you!
I thought again about this and both uses, securing the connection, as well as the issue with the great firewall seem important.
So I implemented it despite having enough votes to bubble up on the list.
It is currently on by default and I might remove the toggle altogether. I will keep an eye on performance and if I don't see much of a difference I will make the use of SSL with Google Reader permanent.
Having said that it might take 4-6 weeks until this code change makes it into the Market. It will be part of NewsRob 3.6.
That is the same with the Google Reader webapp, right?
Just to be clear. The exchange of credentials goes over SSL.
Anyway, I see your point as well as aleung's.
Well, if you can sniff one unencrypted connection (e.g. over public WiFi), you can read the user's cookie and hijack their google reader session. I just verified this on my home network:
- Deleted all google cookies from my browser and verified it couldn't access http://www.google.com/reader/view
- Sniffed an unencrypted NewsRob update request and extracted the cookies
- Added those cookies to my browser and was able to use google reader as usual
So let me rephrase: I think using HTTPS instead of HTTP is always preferable for transmitting login credentials or session cookies.
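The comment above describes a session cookie that stays exposed because requests after the HTTPS login go over plain HTTP. As an added example (not NewsRob code and not part of the thread), this Python check audits recorded request/response headers for that condition; the record layout, the `reader.example` host and the cookie names and values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Request headers that carry a login or session secret.
CREDENTIAL_HEADERS = {"cookie", "authorization"}

def cookie_lacks_secure(set_cookie_value):
    """True if a Set-Cookie value has no Secure attribute."""
    attrs = [p.strip().lower() for p in set_cookie_value.split(";")[1:]]
    return "secure" not in attrs

def audit(exchanges):
    """Return (url, problem) findings for a list of request/response records."""
    findings = []
    for ex in exchanges:
        url = ex["url"]
        scheme = urlsplit(url).scheme.lower()
        sent = {name.lower() for name, _ in ex.get("request_headers", [])}
        leaked = sorted(sent & CREDENTIAL_HEADERS)
        # A cookie or Authorization header on an http:// request is readable
        # by anyone who can observe the network path.
        if scheme != "https" and leaked:
            findings.append((url, "credentials sent in cleartext: " + ", ".join(leaked)))
        # Without Secure, a cookie set over HTTPS is still attached to
        # later http:// requests to the same host.
        for name, value in ex.get("response_headers", []):
            if name.lower() == "set-cookie" and cookie_lacks_secure(value):
                cookie_name = value.split("=", 1)[0].strip()
                findings.append((url, "cookie without Secure attribute: " + cookie_name))
    return findings

# Constructed sample traffic; host, cookie names and values are placeholders.
SAMPLE = [
    {"url": "https://reader.example/login",
     "request_headers": [("Content-Type", "application/x-www-form-urlencoded")],
     "response_headers": [("Set-Cookie", "SID=constructed-value; Path=/; HttpOnly")]},
    {"url": "http://reader.example/api/unread",
     "request_headers": [("Cookie", "SID=constructed-value")],
     "response_headers": []},
    {"url": "https://reader.example/api/unread",
     "request_headers": [("Cookie", "SID=constructed-value")],
     "response_headers": [("Set-Cookie", "PREF=constructed; Secure; HttpOnly")]},
]

if __name__ == "__main__":
    for url, problem in audit(SAMPLE):
        print(url, "->", problem)
```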
Kasperle, always is a strong word, but an option would sure be nice. Ask Hotzenplotz.
Aleung, thanks for the explanation. That makes perfect sense to me now.
Let's wait and see if we get enough votes for this one. If we don't get enough votes, say in three months, I will implement it nonetheless.
Using HTTPS instead of HTTP is always preferable, in my opinion.
Thank you for the explanation aleung. It makes perfect sense to me now.
Let's hope we'll get some votes here so that it can be funneled through the normal prioritization. If not, ping me again in three months and I will implement it no matter how many votes it has.
The great firewall will reset the connection between the client and the Google server if it finds any blacklist pattern (keyword) match in the communication. When the communication is in SSL, the firewall can't sniff the content.