
faceless's People

Contributors

ocram, sarciszewski


faceless's Issues

Delete branch with "MCRYPT_BLOWFISH" in "decrypt()" method

After a transition period of roughly 42 days (i.e. 2014-08-28), the branch that uses MCRYPT_BLOWFISH in decrypt() can be safely deleted.

All new messages and comments are already encrypted in Rijndael/AES and from that date, old messages will be either outdated or have been destroyed automatically, anyway.

Cost of running the app

This is a question and not an issue.

Apart from the cost of buying an SMS-enabled phone, is there a cost associated with sending and receiving SMS on the phone in your Twilio account? If yes, what is the average running cost of setting up the service?

Secondly, is it possible to work with other third-party SMS/phone services?

Make the block feature work for global feed (not friends) as well

Right now the "Block user" feature only prevents new messages by that user from appearing in the "Friends" feed.

When a user is blocked, however, this should also prevent new messages by that user from appearing in the "Latest" and "Popular" feeds.

A requirement is that blocking affects future messages only.

is `id` really needed in `throttling`?

Looking at the table structure, I would suggest replacing all the IDs with a UUID to allow multiple servers to write at the same time without possible DB problems. But until you do some code rewriting, I would suggest dropping the `id` field in the throttling table and changing the remaining UNIQUE key into a PRIMARY one.

Allow posting messages to the public only (and not to friends)?

Users often report that they don't want to write something and reveal certain things because they're afraid their friends may read it.

Of course, friends cannot identify the author of a post, but especially right now (at the beginning), users are afraid of friends guessing their identity.

This brings up the question whether users should be allowed to select the audience of their messages, for example like this:

Audience:
+ Friends and Public
+ Public only
+ Friends only

Public means that their messages will appear in the global feeds and Friends means that their messages will appear in the specific feeds with a label such as "Friend" or "Friend of a friend".

But this may cause users to select "Friends only" or "Public only" habitually, defeating much of the purpose and potential of the app while there is no rational reason and need to do so.

Word-of-mouth advertising

Benefiting from word-of-mouth advertising is really hard for anonymity/pseudonymity apps.

Users want to hide precisely the fact that they're using such an app, usually.

Allowing for anonymous invitations to be sent to friends may sound like a great solution, but this should normally be considered spam/illegal.

Contact discovery (private information retrieval)

The first instinct is often just to hash the contact information before sending it to the server. If the server has the SHA256 hash of every registered user, it can just check to see if those match any of the SHA256 hashes of contacts transmitted by a client.

Unfortunately, this doesn’t work because the “preimage space” (the set of all possible hash inputs) is small enough to easily calculate a map of all possible hash inputs to hash outputs. There are only roughly 10^10 phone numbers, and while the set of all possible email addresses is less finite, it’s still not terribly great. Inverting these hashes is basically a straightforward dictionary attack. It’s not possible to “salt” the hashes, either (they always have to match), which makes building rainbow tables possible.
[...]
As far as we can determine, practical privacy preserving contact discovery remains an unsolved problem.

https://whispersystems.org/blog/contact-discovery/
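The following is an added example, not code from the Faceless project or from the quoted Signal post. It walks through the hash-then-match scheme the excerpt describes on a constructed, deliberately tiny number space (a fictitious "555" prefix with four trailing digits, so 10^4 possible numbers instead of ~10^10), and shows why the uploaded digests do not protect the contacts: the preimage space can be enumerated once and every digest looked up, and a shared salt changes nothing because every client would have to know it. The number space, salt constant and sample phone numbers are all assumptions made for the demonstration.

```php
<?php
// Added example (not from the Faceless project or the quoted Signal post):
// hash-based contact discovery on a constructed, deliberately tiny number
// space, and why the digests map straight back to the numbers.
declare(strict_types=1);

// Constructed toy "country": numbers are 555 followed by 4 digits, so the
// preimage space is 10^4 instead of the ~10^10 the post talks about.
const PREFIX = '555';
const SUFFIX_DIGITS = 4;

// A salt would have to be known to every client so that digests still match,
// so any shared salt is effectively public. Kept here to show it changes nothing.
const SHARED_SALT = '';

function digest(string $phone): string
{
    return hash('sha256', SHARED_SALT . $phone);
}

// Server side: registered users are stored only as digests of their numbers.
function registeredDigests(array $phones): array
{
    $set = [];
    foreach ($phones as $phone) {
        $set[digest($phone)] = true;
    }
    return $set;
}

// Client side: the address book is hashed and the digests are uploaded.
function clientDigests(array $contacts): array
{
    return array_map('digest', $contacts);
}

// Matching works exactly as the post describes: a set intersection.
function discover(array $serverSet, array $uploaded): int
{
    $matches = 0;
    foreach ($uploaded as $d) {
        if (isset($serverSet[$d])) {
            $matches++;
        }
    }
    return $matches;
}

// Why it is not private: whoever holds the digests (the server, or anyone who
// obtains its database) enumerates the preimage space once and looks each
// digest up. Here that is 10^4 hashes; the post's point is that ~10^10 is
// still small enough to be practical.
function buildPreimageMap(): array
{
    $map = [];
    $limit = 10 ** SUFFIX_DIGITS;
    for ($i = 0; $i < $limit; $i++) {
        $number = PREFIX . str_pad((string) $i, SUFFIX_DIGITS, '0', STR_PAD_LEFT);
        $map[digest($number)] = $number;
    }
    return $map;
}

function recoverNumbers(array $uploaded): array
{
    $map = buildPreimageMap();
    $recovered = [];
    foreach ($uploaded as $d) {
        if (isset($map[$d])) {
            $recovered[] = $map[$d];
        }
    }
    return $recovered;
}

// Constructed sample data: three registered users, three uploaded contacts.
$server   = registeredDigests(['5550042', '5551234', '5559999']);
$uploaded = clientDigests(['5551234', '5550001', '5559999']);

echo 'matches found by the server: ', discover($server, $uploaded), PHP_EOL;
echo 'numbers recovered from the uploaded digests: ',
     implode(', ', recoverNumbers($uploaded)), PHP_EOL;
```

The server finds two matches, which is the functionality the scheme is meant to provide, but the same digests let it (or anyone with a copy of them) recover all three uploaded numbers, including the one that belongs to nobody registered. Setting SHARED_SALT to any value just shifts the map; since every client must use the same value for digests to match at all, it is no secret from whoever builds the map.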

Encryption - questions and timing side-channel

https://github.com/delight-im/Faceless/blob/master/Server/public_html/classes/Encryption.php#L49
This HMAC comparison is not made in constant-time, nor does it follow a "double HMAC" construct.

http://blog.astrumfutura.com/2010/10/nanosecond-scale-remote-timing-attacks-on-php-applications-time-to-take-them-seriously/

https://github.com/delight-im/Faceless/blob/master/Server/base_crypto.php
I'm curious as to why you're using MCRYPT_BLOWFISH instead of something like, say, AES (MCRYPT_RIJNDAEL_128)?
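The following is an added example, not code from the Faceless project's Encryption.php, showing the two MAC-verification constructs the issue refers to beside the unsafe one. A plain string comparison returns as soon as the first differing byte is found, so the time it takes depends on how many leading bytes of a submitted tag are correct; `hash_equals()` (PHP 5.6 and later) compares without that dependency, and the "double HMAC" construct achieves the same effect on older PHP by re-keying both values with a fresh random key before the ordinary comparison. The key constant, the use of HMAC-SHA256 and the sample ciphertext are assumptions made for the demonstration; `random_bytes()` is assumed available (PHP 7 and later).

```php
<?php
// Added example (not code from the Faceless project): comparing a received
// HMAC tag against the expected one without leaking timing information.
declare(strict_types=1);

// Constructed sample key; a real deployment derives this from its key material.
const KEY = 'constructed-demo-key-not-for-real-use';

function computeTag(string $ciphertext, string $key): string
{
    return hash_hmac('sha256', $ciphertext, $key, true);
}

// Unsafe: string comparison stops at the first mismatching byte, so the
// elapsed time reveals how many leading bytes of $tag were already correct.
function verifyTagUnsafe(string $ciphertext, string $tag, string $key): bool
{
    return computeTag($ciphertext, $key) === $tag;
}

// Fix 1: hash_equals() (PHP >= 5.6) runs in time independent of where the
// strings differ; a length mismatch is also reported as false.
function verifyTagConstantTime(string $ciphertext, string $tag, string $key): bool
{
    return hash_equals(computeTag($ciphertext, $key), $tag);
}

// Fix 2: "double HMAC" for environments without hash_equals(). Both values are
// HMACed under a key drawn fresh for this comparison, so the strings actually
// compared are unpredictable to whoever chose $tag and the leaked timing
// carries no usable information about the real tag.
function verifyTagDoubleHmac(string $ciphertext, string $tag, string $key): bool
{
    $blind    = random_bytes(32);
    $expected = hash_hmac('sha256', computeTag($ciphertext, $key), $blind, true);
    $given    = hash_hmac('sha256', $tag, $blind, true);
    return $expected === $given;
}

// Constructed sample: a stand-in ciphertext, its genuine tag, and a tag with
// the last byte flipped (the kind of near-miss a timing oracle would reward).
$ciphertext = random_bytes(32);
$tag        = computeTag($ciphertext, KEY);
$forged     = substr($tag, 0, 31) . chr(ord($tag[31]) ^ 1);

var_dump(verifyTagConstantTime($ciphertext, $tag, KEY));    // bool(true)
var_dump(verifyTagConstantTime($ciphertext, $forged, KEY)); // bool(false)
var_dump(verifyTagDoubleHmac($ciphertext, $forged, KEY));   // bool(false)
```

All three functions return the same booleans for the same inputs; the difference is only in what their running time reveals. The blinding key in the double-HMAC variant must be fresh and unpredictable per call, which is why it comes from random_bytes() rather than a fixed constant.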
