If you’re like me and move around a LOT between PCs you’ll find services like del.icio.us invaluable.
Unfortunately this great service has always been somewhat let down by its browser support (I’m still trying to find the perfect way to integrate the bookmarks with all browsers).
Up until recently you’ve been able to use bookmarklets to post, not just the provided one (which seems to not work for me any more) but other more advanced bookmarklets like the one that Andrew @ Jalecode made.
Unfortunately del.icio.us now require you to send a “security token” which you can’t get if you use a bookmarklet. The only way around this is to use the API.
Frustrated by this change, and inspired by Andrew’s bookmarklet, I’ve created a bookmarklet that works with the del.icio.us API to produce exactly the same result as Andrew’s original bookmarklet.
For those who don’t want to read through the following technobabble
Jump to the goods
The only downside is you’re going to have to trust me with your del.icio.us username and password – Before you turn tail and run, let me explain the process I use to store your details.
How I store your details – Warning, geek content ahead
The first time you use this service it will prompt you for your username and password along with your url and other del.icio.us related stuff.
Once my server has received your auth details it goes off and fetches 32 bytes from my RNG server, which uses quantum physics to produce vast quantities of real random data thanks to the VIA Padlock.
The 32 bytes are split into 2 blocks of 16 bytes and then converted to hex for convenient storage, one block of 16 bytes (32 hex characters) is designated to be your key. The second block of 16 bytes (again 32 hex characters) is designated as a challenge.
Asleep yet?
Your key is used to encrypt both your username and password with AES256 /. The challenge is then HMAC SHA1 hashed with your key to produce a non-reversible fingerprint of your key to later verify it.
The hash of your key, along with your encrypted username and password, are then stored in my database for a maximum of 30 days. The key used to encrypt this data is then sent to your browser to be stored as a cookie.
The cookie that is sent to your machine contains the ID of the record in the database and your key. The cookie is configured in such a way that your browser should only expose it on a https:// connection to delicious.fremnet.net and it only has a lifetime of 30 days.
Somewhere in the middle of all this my server has gone off on your behalf and made a HTTPS request to the del.icio.us API to post your url.
For those who are still awake
When you use the service again, your browser sends the cookie to my server when it fetches the initial dialog. The server uses the stored fingerprint to verify your key; if the key validates then it won’t show the username and password boxes.
After you submit your URL and other del.icio.us bits it again verifies your key before decrypting your username and password.
Now that it has your decrypted username and password my server posts to del.icio.us, on your behalf, your submission before throwing out all the stored information and destroying your key.
The system now goes off and fetches a brand new block of 32 bytes to generate a new key to give you, and re-encrypt your data with for storage.
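The store / verify / rotate cycle described above, as an added example that is not the site's own code. Assumptions: Node.js crypto, AES-256-GCM as the cipher mode, crypto.randomBytes standing in for the RNG server, an in-memory Map standing in for the database, and the 32 hex characters used directly as the 32-byte AES-256 key.

```javascript
const crypto = require('crypto');

const db = new Map();                       // constructed stand-in for the database
const MAX_AGE_MS = 30 * 24 * 3600 * 1000;   // 30-day lifetime from the description

// Non-reversible fingerprint: HMAC-SHA1 of the challenge, keyed with the user's key.
function fingerprint(keyHex, challengeHex) {
  return crypto.createHmac('sha1', keyHex).update(challengeHex).digest('hex');
}

// Encrypt and store credentials; returns what goes into the cookie (record id + key).
function store(id, username, password) {
  const rnd = crypto.randomBytes(32);                     // assumed RNG source
  const keyHex = rnd.subarray(0, 16).toString('hex');     // 16 bytes -> 32 hex chars
  const challengeHex = rnd.subarray(16).toString('hex');  // 16 bytes -> 32 hex chars
  const iv = crypto.randomBytes(12);
  // Assumption: the hex string itself is the AES key (32 bytes, 128 bits of entropy).
  const c = crypto.createCipheriv('aes-256-gcm', Buffer.from(keyHex, 'ascii'), iv);
  const data = Buffer.concat([c.update(JSON.stringify({ username, password }), 'utf8'), c.final()]);
  // The key itself is never stored; only its fingerprint and the challenge are.
  db.set(id, { iv, data, tag: c.getAuthTag(), challengeHex,
               fp: fingerprint(keyHex, challengeHex), expires: Date.now() + MAX_AGE_MS });
  return { id, keyHex };
}

// Check the cookie's key against the stored fingerprint in constant time.
function verify(cookie) {
  const rec = db.get(cookie.id);
  if (!rec || rec.expires < Date.now() || typeof cookie.keyHex !== 'string') return null;
  const got = Buffer.from(fingerprint(cookie.keyHex, rec.challengeHex), 'hex');
  return crypto.timingSafeEqual(got, Buffer.from(rec.fp, 'hex')) ? rec : null;
}

// Verify, decrypt, delete the old record, then re-store under a brand new key.
function useAndRotate(cookie) {
  const rec = verify(cookie);
  if (!rec) return null;
  const d = crypto.createDecipheriv('aes-256-gcm', Buffer.from(cookie.keyHex, 'ascii'), rec.iv);
  d.setAuthTag(rec.tag);
  const creds = JSON.parse(Buffer.concat([d.update(rec.data), d.final()]).toString('utf8'));
  db.delete(cookie.id);
  return { creds, cookie: store(cookie.id, creds.username, creds.password) };
}

// Cookie as described: HTTPS-only, host-only, 30 days. HttpOnly is an addition here.
function cookieHeader({ id, keyHex }) {
  return `auth=${id}:${keyHex}; Max-Age=${MAX_AGE_MS / 1000}; Secure; HttpOnly; Path=/`;
}
```

Because the server keeps only the fingerprint and the ciphertext, a copy of the database alone does not yield the credentials; the key exists only in the cookie and, briefly, in server memory during a request.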
The short version – Yeh I know, after all that
I use very strong encryption to store your username and password, I give you the only key that will recover the data, I post your submission to del.icio.us. Then every other time you visit I delete all the stored data, make a new key and re-encrypt your data and give you the key.
What about interception?
Very good question, I’ve even addressed that – the del.icio.us proxy is ONLY available over SSL secured HTTPS connections – meaning that your key is only vulnerable on your machine, and your username/password is submitted safely.
Well, because I’m a poor person I’ve had to use a cacert.org SSL certificate. I have 150 Assurance points with cacert.org which basically means they’ve got proof of my identity on file.
Not many browsers/operating systems come with root certificates for cacert.org so you will probably have to install cacert.org’s class3 root certificate before you can use this service.
Once you’ve got the certificate installed you simply need to create a bookmark with the following url in it.
javascript:z=document.createElement('script');
z.src='https://delicious.fremnet.net/post.js';
z.type='text/javascript';void(document.body.appendChild(z));
OR
Drag Add to Delicious to your bookmark bar and release it
Next time you’re somewhere you want to bookmark, simply click the button you’ve just created
Tip
If you select some text before clicking the button it will fill out the “Extended” field with that text for you.
Note
While this script functions in Opera 9, it doesn’t fill out any of the form for you. If anyone has any ideas how to fix this feel free to drop me a line.
Script doesn’t function at all in IE. I’ve worked out there are two separate problems.
Anyone with ideas on how to fix this is ordered to drop me a line (it’ll help me fix another problem I’m having elsewhere in the IEverse).
Future plans
If time permits these are some of the things I want to try to implement (in no order whatsoever)
Suggestions
I always welcome suggestions, feel free to use the Contact link above.