No signing in Post to blog bookmarklet

IMPORTANT: the assumption made here is incorrect. I suggested using a hashing function, but one should make a special message authentication code function such as HMAC…

A thing I’ve been rediscovering as of late is the bookmarklet. Not that I use many, but in contrast to many of the browser extensions, bookmarklets are really minimalistic and hence very simple to use (although installing them on mobile devices is not) pieces of software. Currently I use the Tumblr, Instapaper and Pinterest bookmarklets, but they all share a common problem: they require you to authenticate before you can actually use them.

Not satisfied with the third parties, not satisfied with hot they work…

I’m using the Tumblr blogging service simply because it makes posting, via its bookmarklet, easier than posting something to my own blog. Navigating to my own blog, signing in to new article, and then writing the article is just a bit more work than simply clicking the tumble this bookmarklet that almost instantly gets you to write a new post. So why not try to create my own, that mimics the basics of the Tumblr bookmarklet but doesn’t nag about entering your username and password first… A bookmarklet, that posts directly to my own blog?

Signing

The solution is signing the request. That’s how you identify yourself when you’re mailing someone else in real life, and that’s also what you do authentication in technology. Signing in a software means summarizing (hashing) the information salted with some private code, a key. But is that possible with plain JavaScript? It turns out that it can be done (there are even multiple implementations) so I immediately took one of the better ones: SHA256. Sadly I couldn’t find anything below the 2Kb, so it won’t work with (the older versions? of) Internet Explorer, but I can hardly feel sad about that: Safari, Firefox, Chrome won’t care.

When receiving the request at the server side we can verify the hash by rehashing what was entered with the same salt that is functioning as the key, see also wikipedia on MAC.

Am I overlooking something?

Why don’t most sites offer this by default I asked myself? Would it be insecure? I don’t think my solution is insecure. Probably because of lazyness, and, in my case, wrong assumptions: they assume their users will be using cookies. But my cookies are killed after each browser session (to avoid tracking to a certain extent). And open sessions are only temporary. And using BasicAuth can’t be used for security reasons: it would mean communicating username and password in plain text through public air or wire.

So I guess you got that working, right?

Indeed, while there are still some things that I need to work on, the basics work (not in production though ;) ):

• Showing the form
• Signing the request
• Verifying the request

And well, it is a bookmarklet (celebrating my very first handcrafted one; biggest problem the % sign in the SHA2 coding bit).

The code is in this github gist. Please go fork it and make it better. The ‘server side’ part is in ruby in my example, but it can be really in any language, SHA2 is a standard.

Of course I wouldn’t have been able to do this without building on this SHA2 implementation by Angel Marin.

Is it really secure btw?

I wouldn’t use this solution as a replacement to a external keys or browser certificates when logging into a bank (as bookmarklets are simply easier to copy than a physical e-reader + card somewhere in your own house/wallet), but the scheme is secure for authentication purposes as long as you consider the following:

• Authenticating is not securing, if you’re worried that someone may read your post before it is actually published you need to make sure you post to an SSL secured endpoint. That offers alternatives to this solution as well in the form of client certificates, but these are harder to set up.
• A repeated request is easily mimicked, you could improve on this by incorporating a reference to another variable that is continuously varying (i.e. noise and/or time but you’ll need to synchronise both server and client properly), but in most cases just filtering out duplicate requests will work for the usecase as described above (you don’t want to post the same article anyway).

The thing I like best about the solution is that it also works when used over a non-encrypted connection. Of course the message is not encoded, the signature makes sure nobody is able to change the message in between or post ‘on behalve of you.’

This paragraph was updated on 1-6-2012: several people I trust on these matters have confirmed the logic is sound, so I rewrote this paragraph more confidently.

So what is next?

The bookmarklet should copy the url and selection of the current page and prefill the form with those to make blogging even easier. Styling could be improved a bit. I won’t try to make it under 2Kb as I simply don’t care about it. If security issues arise, these will need to be addressed. And then its definitely ready for use in production, on my own blog.