Mafiaspiel.org

Leberwurscht Brot - 9 months ago

@Commander Zot @Friendica Developers How do Friendica and Red allow me to view protected content on a friend's server currently? Particularly images that are embedded into my /network page?
I don't think that I have a good understanding, but I figured out that ?zrl=... is appended to the image url by the own server. Then I guess the friend's server makes some request to the own server. I don't really get how authentication works from this point.
But does that mean that the image will probably not be visible the first time the user loads a page?

I did think about how this can be done in a way that images can be loaded immediately. Somehow my server must give my browser the permission to view images (or other resources) on my friend's server. So what about this:

My server and the friend's server have a shared secret. When the /network page is rendered, not only ?zrl=... is appended to every remote image, but also something like &permission=...&permission_signature=...
permission is a message like "Every browser possessing this signed permission is allowed to open a session on friend's server from 2012-09-30T11:09:35.444Z to 2012-09-30T12:09:35.444Z" (of course in a more efficient format), and permission_signature is the signature of this permission using the shared secret. If we use HMAC-SHA256 [1]for the signature, the signature has only 32 bytes (or some more if base64url-encoded), and can be done without using much computing power.
When my browser loads the /network page, it hits the first remote image of my friend. The remote server will read the permission+signature, and if everything is okay, then it opens a normal PHP session for my browser, so that I can view protected content from now on.

Perhaps you have already a better solution for this problem, but I did not find any material... If not, what do you think?

[1]basically "signature = sha256(message+shared_secret)"

@Friendica Developers @Commander Zot

4 comments show more

Leberwurscht Brot - 9 months ago

After some more work I now think that I have an understanding how it works with DFRN. Images in posts seem to be embedded in data urls anyway, but you can also access the original version via /redir.
This seems to involve two redirects and doing a request from one Friendica server to the other Friendica server, while the browser is waiting for a response. So this procedure allows users to see protected remote images immediately (even if they would not be embedded in data urls I guess), but it still is rather heavy and takes some time.

Does zot already provide an alternative?

Mr. X - 9 months ago

I'm still working on the zot equivalent - it's going to look a bit more like openid, but using zot identifiers.

The original proposal was to provide a 'zid' token on protected url's to perform openid auth, so you could have access lists that included anybody on the internet.

'zrl' took this concept and brought it back to Friendica as an identity 'hint' but without authentication. So a zrl isn't secure, but there are a few places where we just want to have a clue who you are without requiring proof.

The protocol I've worked out currently is lighter-weight than DFRN, but I still need to run it through all the security scenarios to make sure I haven't missed anything.

I couldn't use pure openid because there was no easy way to work in DNS location independence (openid requires a DNS identity), but we may still allow openid (with 'zid' URL's) for federation at some future date. I don't see any other projects with any interest in doing remote object permissions, so that's likely to be a long way off.

Leberwurscht Brot - 9 months ago

Okay, thank you for your answer! So we won't need a request from one Friendica server to the other Friendica server, but still several redirects, right?

Mr. X - 9 months ago

We still need the callback requests (we assert an identity, but the other site has to verify the assertion with your site in the background).

I'm trying to increase the efficiency of this process so that provenance happens a lot faster and with fewer round trips. And if you visit the other site with a 'zid' (zot-id), it can reduce the number of redirects because you'll be going straight to the destination page. We may or may not keep the "redir" method depending on how well zid works and how hard it is to add a template to everybody's links.