I suggest you ...

Add more SSL support in NewsRob / GR communications

Currently NewsRob uses https when doing the authentication against Google Reader.

But, as with other apps and also the Google Reader web app, the actual communication with Google uses http only.
Some Chinese users told me by email that they would prefer to have the normal communication (fetching articles) also encrypted for reasons that I don't 100% understand, but it seems they get an edge then when crossing the great firewall.

Anyway, this suggestion is about adding SSL to the actual communication with Google Reader.

The downloads from the websites will still only use http.

13 votes
Mariano Kamp (Admin, newsrob) shared this idea

    9 comments

      • aleung commented

        Mariano, thank you!

      • Mariano Kamp (Admin, newsrob) commented

        I thought again about this and both uses, securing the connection, as well as the issue with the great firewall seem important.

        So I implemented it despite having enough votes to bubble up on the list.

        It is currently on by default and I might remove the toggle altogether. I will have an eye on performance and if I don't see much of a difference I will make the use of SSL with Google Reader permanent.

        Having said that it might take 4-6 weeks until this code change makes it into the Market. It will be part of NewsRob 3.6.

      • Mariano Kamp (Admin, newsrob) commented

        That is the same with the Google Reader webapp, right?

        Just to be clear. The exchange of credentials goes over SSL.

        Anyway I see your point as well as from aleung.

      • Kasperle commented

        Well, if you can sniff one unencrypted connection (e.g. over public WiFi), you can read the user's cookie and hijack their google reader session. I just verified this on my home network:
        - Deleted all google cookies from my browser and verified it couldn't access http://www.google.com/reader/view
        - Sniffed an unencrypted NewsRob update request and extracted the cookies
        - Added those cookies to my browser and was able to use google reader as usual

        So let me rephrase: I think using HTTPS instead of HTTP is always preferable for transmitting login credentials or session cookies.

      • Mariano Kamp (Admin, newsrob) commented

        Kasperle, always is a strong word, but an option would sure be nice. Ask Hotzenplotz.

        Aleung, thanks for the explanation. That makes perfect sense to me now.
        Let's wait and see if we get enough votes for this one. If we don't get enough votes, say in three months, I will implement it nonetheless.

      • Kasperle commented

        Using HTTPS instead of HTTP is always preferable, in my opinion.

      • Mariano Kamp (Admin, newsrob) commented

        Thank you for the explanation aleung. It makes perfect sense to me now.

        Let's hope we'll get some votes here so that it can be funneled through the normal prioritization. If not, ping me again in three months and I will implement it no matter how many votes it has.

      • aleung commented

        The great firewall will reset the connection between the client and the Google server if it finds any blacklist pattern (keyword) match in the communication. When the communication is in SSL the firewall can't sniff the content.
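
The change requested in this idea, sketched as an added example (not NewsRob's code): Reader requests are upgraded to https before the session cookie is attached, website downloads stay on http without the cookie, and an audit helper flags the cleartext cookie exposure Kasperle describes. The host and path prefix come from the URL quoted in the thread; the function names, cookie value and sample URLs are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: the session cookie is only ever meant for this host and path prefix
# (taken from http://www.google.com/reader/view as quoted in the thread).
READER_HOST = "www.google.com"
READER_PATH_PREFIX = "/reader/"


def prepare_request(url, session_cookie):
    """Return (url, headers) for an outgoing request.

    Reader requests are forced onto https and carry the session cookie.
    Any other request (article downloads from websites) is left unchanged
    and never receives the cookie.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != READER_HOST or not parts.path.startswith(READER_PATH_PREFIX):
        return url, {}
    if parts.scheme != "https":
        # Drop an explicit :80 so the upgraded URL uses the default https port.
        netloc = host if parts.port in (None, 80) else parts.netloc
        parts = parts._replace(scheme="https", netloc=netloc)
    return urlunsplit(parts), {"Cookie": session_cookie}


def cleartext_cookie_leaks(requests):
    """Return the URLs of requests that send a Cookie header over plain http."""
    return [url for url, headers in requests
            if urlsplit(url).scheme == "http" and "Cookie" in headers]


# Constructed sample data: a made-up cookie value and two outgoing URLs.
SAMPLE_COOKIE = "SID=constructed-sample-value"
SAMPLE_URLS = [
    "http://www.google.com/reader/view?n=20",   # Reader request
    "http://example.com/blog/article.html",     # website download
]


def audit(urls, cookie):
    """Compare the old behaviour (cookie sent over http) with the upgraded one."""
    before = [(u, {"Cookie": cookie}) for u in urls if "/reader/" in u]
    after = [prepare_request(u, cookie) for u in urls]
    return cleartext_cookie_leaks(before), cleartext_cookie_leaks(after)


if __name__ == "__main__":
    leaks_before, leaks_after = audit(SAMPLE_URLS, SAMPLE_COOKIE)
    print("cleartext cookie requests before:", leaks_before)
    print("cleartext cookie requests after: ", leaks_after)
```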
