Add, Edit or Remove Guest User from Tonido

All that you need to do is,

1. Click on Shared Files from the left navigation panel

2. Go to Guests tab

3. Click on “Add Guest” Button to add a guest


4. Type in the guest username and password and click on Create. The guest user will be created.

5. To update an existing guest: click on the Edit button and type in the new username and password.


6. Click on the Update button to save the changes.

7. To remove a guest account: click on the Remove button that appears beside the guest.


8. Click on the “OK” button to delete the guest permanently.


Change the Port on which Tonido is running

To achieve this,

1. Go to Settings->Network

2. Click on Http Port under the section “Web Settings”.

3. Type in the port on which you need to run Tonido.

4. Click Submit.

Restart the Tonido server for the changes to take effect.

Your Tonido will now be running on the port you specified. For example, you can open your Tonido using http://127.0.0.1:2558


How do you store passwords securely?

Whenever you make an application which requires a login, you need to store the passwords of the users. Passwords are important because they have the ability to give someone full access to a user account. Hence, it is very important how you manage passwords: sending them through requests, storing them and retrieving them. In this post, we will talk about the different techniques of storing passwords.


Using JSONP for cross domain requests

It is often seen that developers are not confined to the limits of their own domains. When you make requests through JavaScript across domains, the browser prevents the request from going through, citing the absence of an ‘Access-Control-Allow-Origin’ header. This is termed the ‘Same Origin Policy’ of browsers, which allows scripts running on a domain to make requests only to resources on the same origin, comprising the same URI scheme, domain and port number. There are many ways around the same origin policy, ranging from routing the request through a web proxy to using CORS (Cross Origin Resource Sharing), but the most popular method is using JSONP.

What is JSONP?

JSONP simply refers to “JSON with padding”. It is essentially a JSON response wrapped in a call to a callback function whose name is specified in the URL. For instance, the following is a JSON response.

{ "username": "sdaityari", "name": "Shaumik Daityari" }

The same response with a callback function specified as processData is as follows.

processData({ "username": "sdaityari", "name": "Shaumik Daityari" })

How does JSONP help in working around the same origin policy?

As browsers don’t allow requests to other domains, how then do we load external files from CDNs (Content Delivery Networks) to speed up page loading and still get them to work? The hidden agenda here is the fact that these files are present under the src attribute of <script> tags. This leads to the conclusion that anything loaded through a <script> tag is executed by the browser in the context of the current domain!

Using the same idea, we supply a callback function name, generally as a GET variable, in the src of the <script> tag, and we get back the JSON wrapped in a call to that function. That means the callback function is executed with the JSON response as its argument, which lets us work with the data just as we would have with an AJAX response.

In the JSONP example provided, we would execute the function like the following:

<script src="http://www.example.com/json_data?callback=processData"></script>

By doing so, processData would be executed with the given arguments.

Why would this not work if it was returning just JSON?

If the server returned plain JSON in place of a JSON response padded within a function call, the data would not be executed as a call; the browser would instead raise a syntax error. You can emulate this by pasting some JSON into your JavaScript console.

When can it go wrong?

In the example above, the data that was returned through JSON was not so sensitive. It just contained the username and name. However, imagine an ecommerce site which stores credit card details as a part of your profile. Let’s assume the following request is made:

<script src="http://api.myecommercesite.com/profile?callback=processData"></script>

The website api.myecommercesite.com would return the following response irrespective of the website that requested the information.

processData({
   "name": "Shaumik Daityari",
   "card_no": "xxxx xxxx xxxx xxxx",
   "expiry_date": "xx-xxxx"
});

How does an attacker use it to get your data?

In the ideal case, this data is received by the intended website and used accordingly. However, let’s say that a malicious site, www.attacker.com, gets wind of the information and tricks you into visiting their server.

Basically, you are browsing www.attacker.com and you are asked to click on something. Their page then requests the same response and, since you are logged into the ecommerce site, data containing your information is returned. (There are other non-JSONP related security checks which can prevent this from happening, but let’s assume there were no other security measures in place.)

Once a malicious site gets hold of the sensitive data, it can process the data in the context of its own site, and therefore do whatever it wishes with the data, most probably storing it on its own servers for later use. Not only this, a malicious site can also get hold of your cookies, which contain vital information that a website uses to track your progress on its site.

Using JSONP safely

The reason JSONP got so popular is its ease of use and implementation. All you need is a callback and you are done. At the same time, there are many security concerns which need to be taken care of while using this technique.

Sanitize callback

This is one little thing that can lead to dangerous consequences. In fact, many tutorials talking about security in the JSONP method fail to get this one right. In PHP, you would often see the following, which echoes the callback parameter into the response unchecked.

echo $_GET["callback"] . "(" . json_encode($my_data) . ");";

In addition to that, JSONP endpoints have also been shown to be vulnerable to what is termed flash injection.

The right way, as explained by Dylan Tack on his blog, is to validate the callback and use appropriate headers, so that the output cannot be abused if the callback is being used for an XSS attack. He uses the following code:

function generate_jsonp($data) {
  if (preg_match('/\W/', $_GET['callback'])) {
    // if $_GET['callback'] contains a non-word character,
    // this could be an XSS attack.
    header('HTTP/1.1 400 Bad Request');
    exit();
  }
  header('Content-type: application/javascript; charset=utf-8');
  print sprintf('%s(%s);', $_GET['callback'], json_encode($data));
}
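As an added example, not code from the post or from Dylan Tack, the same callback check in JavaScript for a Node-style responder, together with a tiny simulated client that shows how the padded response is consumed. The function names and the sample data are constructed for this illustration.

```javascript
// Added example: JSONP responder with callback validation, plus a simulated
// <script> consumer. Names are hypothetical; data is constructed.

const CALLBACK_RE = /\W/; // same rule as the PHP: any non-word character is rejected

// Build the HTTP response for a JSONP request. Returns status, headers and body.
function buildJsonp(callback, data) {
  if (typeof callback !== "string" || callback.length === 0 || CALLBACK_RE.test(callback)) {
    // A callback such as 'alert(1);//' would otherwise be reflected verbatim
    // into executable script, so refuse the request instead.
    return { status: 400, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript; charset=utf-8" },
    body: callback + "(" + JSON.stringify(data) + ");",
  };
}

// The unsanitised variant, equivalent to echoing $_GET["callback"] unchecked.
// Kept only to show what the check above prevents; never use it.
function buildJsonpUnsafe(callback, data) {
  return { status: 200, headers: {}, body: callback + "(" + JSON.stringify(data) + ");" };
}

// Simulate what the browser does with a <script src=...> response: execute the
// body with the page's callback functions in scope. `callbacks` stands in for
// the page's global scope.
function runPaddedResponse(body, callbacks) {
  const names = Object.keys(callbacks);
  const script = new Function(...names, body);
  return script(...names.map((n) => callbacks[n]));
}

// Stand-alone demo with constructed data.
const sample = { username: "sdaityari", name: "Shaumik Daityari" };
console.log(buildJsonp("processData", sample));      // 200 + padded JSON
console.log(buildJsonp("alert(1);//", sample).status); // 400
console.log(buildJsonpUnsafe("alert(1);//", sample).body); // reflected script
runPaddedResponse(buildJsonp("processData", sample).body, {
  processData: (d) => console.log("callback received", d),
});
```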

Full trust on a different domain

Using JSONP requires that you trust the remote domain fully. This essentially means that if, for some reason, the remote domain’s functionality breaks, your service breaks too. It remains your decision, however, whether you want to depend on a third party service.

Moreover, as we are loading it through script tags, it is difficult to catch errors within it, and error handling differs from browser to browser, making it difficult to maintain a proper structure.

User Authentication

For argument’s sake, a possible way to log a user in to a remote site using only JSONP would involve sending the username and password as GET variables (since that is the only way an HTTP request made through a script tag can carry data). It is an unsafe method of authentication and therefore should be avoided.

For the purpose of user authentication, it’s favourable that you follow the general workflow of OAuth: redirect to the parent website, authenticate the user and, on successful authentication, generate and share a token.

Using CSRF tokens for write operations

In case you are using the JSONP technique to write data to your server (whether it’s create or update), you must know that JSONP uses GET, which is not secure for writes. In order to make sure that everything goes according to plan, you could issue a token with every request. A token needs to be generated for every user who is authenticated using the step above.

That being said, there are far better options for securing writes, updates or deletes, and you should follow them rather than finding workarounds with JSONP, which should ideally be used for reads only.

Looking forward: using CORS (Cross Origin Resource Sharing)

We have seen a few use cases of JSONP, and all of them can be achieved by the web proxy method too. Although the JSONP technique remains popular, the vulnerabilities in it make it a headache to implement in complex situations. CORS has been gaining popularity steadily as its support in major browsers continues to grow, and it’s taking over the uses of JSONP.

   // XDomainRequest is Internet Explorer 8/9's cross-domain request object;
   // other browsers make the same cross-origin call with XMLHttpRequest.
   var request = new XDomainRequest();
   request.open(method, url);
   request.onload = function() {
     // the response is only delivered if the server's CORS headers allow it
     callback(request.responseText);
   };
   request.send(data);

How does CORS work?

The CORS process adds new HTTP headers to the request and the response, which lets the server serve resources only to requests from origins it knows and trusts. This means that if www.attacker.com tries to access information from api.myecommercesite.com, it would not be possible because api.myecommercesite.com would not recognize www.attacker.com! For further information on CORS, you could head over to the Mozilla Developer Network.
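The server-side half of that decision, as an added example that is not part of the original post: an exact-match origin allowlist that decides which CORS headers to attach, and a preflight handler for the write operations discussed earlier. The origins, header names beyond the standard CORS ones, and function names are constructed for this illustration.

```javascript
// Added example: CORS origin allowlist and preflight decision logic.
// Origins and function names are hypothetical, constructed for this example.

const TRUSTED_ORIGINS = new Set([
  "https://www.myecommercesite.com",
  "https://app.myecommercesite.com",
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "x-csrf-token"]; // lower-case for comparison

// Headers to attach to a response, given the Origin header the browser sent.
// Returns null for an untrusted origin: with no Access-Control-Allow-Origin the
// browser withholds the response from the calling script.
function corsHeaders(origin) {
  // Exact string match only. A substring or regex check would let
  // "https://www.myecommercesite.com.attacker.example" through.
  if (typeof origin !== "string" || !TRUSTED_ORIGINS.has(origin)) {
    return null;
  }
  return {
    "Access-Control-Allow-Origin": origin, // echo the exact origin, never "*" with credentials
    "Access-Control-Allow-Credentials": "true", // cookies are sent, so be explicit
    "Vary": "Origin", // shared caches must key the response on Origin
  };
}

// Answer an OPTIONS preflight. The browser sends one before a DELETE/PUT or
// any request carrying a custom header such as the CSRF token.
function preflight(origin, requestedMethod, requestedHeaders) {
  const base = corsHeaders(origin);
  if (base === null) return { status: 403, headers: {} };
  const wanted = (requestedHeaders || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const methodOk = ALLOWED_METHODS.includes(requestedMethod);
  const headersOk = wanted.every((h) => ALLOWED_HEADERS.includes(h));
  if (!methodOk || !headersOk) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      ...base,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": wanted.join(", "),
      "Access-Control-Max-Age": "600",
    },
  };
}

console.log(corsHeaders("http://www.attacker.com")); // null
console.log(preflight("https://www.myecommercesite.com", "DELETE", "X-CSRF-Token"));
```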

The only drawback of CORS is the lack of support in older browsers. If you don’t care about users with those old browsers, you should definitely go ahead and give CORS a try.


Tech Tip: Share access history in Tonido

1. Go to Shared Files, and then to History.

2. The History tab contains information about shared file access by guests and/or anonymous users.


Tonido’s 10 Rules of Personal Cloud

Personal Cloud is probably the most misused term on the internet now. Every sundry public cloud storage offering like Dropbox, Google Drive and others is masquerading as a Personal Cloud. Remember: it is their Personal Cloud, not yours. They can kick out, block or shut down anybody at any time. They determine how much storage you can use and have the complete right to track and catalog your data.

We are one of the earliest companies to have used the term “Personal Cloud”, back in 2009, to put forth our vision. We cannot sit idle and watch the misappropriation of a term and vision that we have fought for over many years.

In the real sense, the word personal means “of, affecting, or belonging to a particular person rather than to anyone else”. So Personal Cloud means a cloud that is owned by you, not by others.

Like Codd’s 12 rules for relational databases, which he put together to prevent his vision of the relational database being diluted by vendors, we are putting together our 10 rules of Personal Cloud.

Rule 1: The Personal Cloud system should run on the device owned or fully controlled by the end user.

Rule 2: The owner of the Personal Cloud system should have complete ownership of, and rights over, the content he/she puts in the Personal Cloud system.

Rule 3: The owner of the Personal Cloud system should have complete independence in what content he/she can put in the Personal Cloud system.

Rule 4: The Personal Cloud system (the app and the data) should be completely local. The system should be accessible even if there is no internet.

Rule 5: The Personal Cloud system should not snoop on or alter the end user’s content, either manually or in an automated fashion.

Rule 6: The Personal Cloud system should not impose any storage limits and should be accessible from anywhere.

Rule 7: The owner should be able to stop or shut down the Personal Cloud system at any time.

Rule 8: The Personal Cloud system should be cross platform and run on all the popular desktop OSes (Windows, Mac and Linux).

Rule 9: The Personal Cloud system should have clients for, or be accessible from, all the popular mobile OSes (iOS, Android, Blackberry, Windows and others).

Rule 10: The Personal Cloud system should run on everything from low to high end computing devices (routers and NAS to PCs and servers) and on varied chipset platforms (ARM, MIPS, x86 and others).

If you are a user, check whether your beloved service satisfies all of the rules here; if you are a vendor, make sure you comply with all of the rules here before calling yourself a Personal Cloud.


Tech Tip: Setting Remote Login / Answer for More Security in Tonido

1. Click on Settings, and then on Accounts.

2. Click on Remote Login / Answer to set the question and answer.

3. Enter the Remote Question and Remote Answer and click Submit.

4. Now, when you log in to Tonido Drive / Tonido Sync / the Tonido mobile app, you have to enter the Remote Answer to complete the credentials.

*Note: Once you have set the Remote Answer, a login that does not include it will not succeed.

Personal Cloud Tonido Launches New Windows Phone App

Secure, limitless Personal Cloud brings anywhere content access to Windows Phones

AUSTIN, Texas, Apr 24, 2014 — CodeLathe, the leader in personal cloud, today launched a new Windows Phone app for its Tonido personal cloud product. With this new release, CodeLathe is solidifying its leadership position in offering best in class mobile apps across all major platforms. The new app is part of its private file sync, sharing and mobile access solution that enables data access anytime and anywhere, from any device.

“As Tonido reaches the mainstream, crossing over a million users, our users expect our solution to provide the best experience on all major platforms,” said Madhan Kanagavel, CEO of CodeLathe. “With this new Windows Phone app, we are one of the very few companies that truly support all major mobile platforms.”

The fully redesigned app uses the Windows modern UI to improve user experience and takes advantage of all the powerful features of Windows Phone. The app allows users to remotely access files on a computer running Tonido using their Windows Phone. Tonido does more than just provide access; it also streams compatible video and misc files from the computer to Windows Phones. This release includes some major features similar to those of Tonido’s iOS and Android apps. Here are some of the key features of the new Windows Phone 8 app:

  • Access all remote files
  • Share files with friends and colleagues
  • Download and upload files from phone
  • Automatically organize your photos, music and video collection
  • Create and Manage music playlists for your music
  • Stream video and music

“We believe in providing a great user experience through a native app that takes advantage of the underlying platform,” said Anis Abdul, CTO of CodeLathe. “Our Windows Phone app is designed ground-up for Windows, using all of its capabilities and modern UI.”

The Tonido server app is available for free download at http://www.tonido.com.

The Tonido Windows Phone app is available for free on the Windows Store at http://www.windowsphone.com/en-us/store/app/tonido/4eeacbe9-7405-47cc-acd0-f418471f992a


Restrict Upload Size for a shared Folder

All you need to do is

1. Select the folder that you need to share


2. Click on close on the dialog that appears

3. In the Manage Share dialog that appears, click on “Allow Selected Users”.

4. Select “Limited” under the “Upload Size Limit (KB)” section.

5. Enter the upload size limit in the textbox.

6. Click on “Update”.

Your shared folder now allows uploads only up to the size specified.

Tech Tip: Easy Slideshow of Images via Tonido

All you need to do is,

1. Click on Gallery. This changes the default list view to the Gallery View.

2. Select the folder which you need to view.

3. If the folder contains no images, an alert will be shown.

4. Now click on the Slideshow button.

5. A slideshow of the images in that folder will start.