There are times when you work with SSL traffic. Your website might be protected with a certificate so that traffic between you and the client is secure. At times like this, being a developer is troublesome. Browser cache settings need to be analyzed by looking at the HTTP headers. Encoding / Content type may need to be analyzed to ensure that a particular page is displayed correctly. These things cannot be looked into if the traffic is secure. There are situations under which the environment is secure but you must still sniff the data. So how do you manage this ?

Tools like Charles (A debugging proxy) help you do this. Charles allows you to proxy to a secure connection over a protocol like HTTPS and still read the traffic. So how does it do this ? Lets have a look.

Your environment probably has a self signed certificate like the one issued below, using keytool.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

keytool -genkey -keyalg RSA -keysize 1024 -alias example.com -keystore mystore.ks -validity 9999
 
keytool -list -keystore ./mystore.ks -v
 
Enter keystore password:  changeit
 
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 1 entry
 
Alias name: example.com
Creation date: Dec 21, 2009
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.org.com, OU=Org, O=SomeCompany, L=Somewhere, ST=Someplace, C=US
Issuer: CN=www.org.com, OU=Org, O=SomeCompany, L=Somewhere, ST=Someplace, C=US
Serial number: 4b2ef9e0
Valid from: Mon Dec 21 10:00:24 GMT+05:30 2009 until: Thu May 07 10:00:24 GMT+05:30 2037
Certificate fingerprints:
MD5:  XX:XX:XX...
SHA1: XX:XX:XX...
 
*******************************************
*******************************************

When a certificate like this one is presented to a web browser, it will look like so. Let’s extract the certificate and open it up.

1

keytool -export -keystore ./mystore.ks -file ./testtex.crt -alias example.com

Untrusted self signed certificate:

Our certificate is obviously not trusted since it is self signed. A certificate signed by a CA will not exhibit a security warning. Like the one presented by google for the gmail login page, which is shown below

Trusted certificate from google.com:

When you start a proxy that has HTTPS support, say charles for instance, it does the magic by inserting its own certificate into the certificate hierarchy. The Charles CA Certificate, now becomes the root certificate in this hierarchy, allowing it to decrypt the information that is sent between the client and server.

Modified certificate hierarchy:

Charles signs the certificate that google presents, so it will now be able to decrypt the information that is sent by the server. However the side effect is that your browser will no longer trust this certificate since the root CA is not in your trusted store.

Untrusted connection due to modified hierarchy:

You can get over the problem by importing the certificate or installing it into the MS trust store. This is one technique that proxies use to debug traffic. Know of another method / proxy software ?  Leave a comment. Happy debugging

Things got even better today when we got our second google wave account for the same user. mmm wait… a second google wave account ? Yep. Google wave is split into googlewave.com accounts for normal end users and the wavesandbox.com accounts for developers and geeks. It is interesting to note the differences.

Googlewave:

• Is a little less buggier. It has more features like read only waves that the sandbox is missing.

• Linked to your existing gmail and docs. All your existing contacts can be… contacted.

• Has this cool green box that opens up for active wave conversations.

• No debugging or anything technically related.

• Number of invites allowed are varied. If you requested for the account yourself, you get anywhere from 8 – 22 invites (from what I have heard so far).

Wave sandbox

• Pretty buggy and is a developer’s paradise.

• Not linked to any existing accounts. You start everything afresh.

• Missing a lot of feature like read only waves.

• No invites allowed. Period At least this is true for our developer account

• Has some cool debugging features that allow you to throw exceptions / view internal logs etc.

Both accounts however allow you to deploy robots. The googlewave.com accounts are more user friendly and the wavesandbox.com accounts are more inclined to help developers write better robots. Depending on what you asked for (did you select the ‘I am a developer option?’) google gives you appropriate access to an account. And if you were wondering, no, you cannot add a friend that has a wavesandbox account into the googlewave.com waves. So which wave are you in ?

There are times when you need to display wireframes of your application for internal discussions / presentations etc. Some online applications allow you to draw a wireframe in no time. Here are a few of them

Balsamiq mockups:

Creately:

Fore UI:

Hot gloo:

iplotz:

Pencil: Mozilla firefox plugin based

Axure:

Each application has its own style of doing the mockup. Some use an informal approach. Other advanced ones let you click and see the results then and there. There are other tools out there that also run on desktops and IDEs like eclipse, Netbeans etc if you are looking for an offline solution.

Apparently it might be able to. Google has launched a flu trend service that can be used to determine the trends behind a flu pandemic / seasonal flu.

The flu trends faq hints at being able to detect pandemic flu. The quote from the faq reads

How is Google Flu Trends useful for pandemic flu?
Google Flu Trends models are built based on historic flu surveillance data. When a new flu virus causes the same symptoms as seasonal flu, Google Flu Trends can detect if overall flu rates are significantly increasing. Some search queries tend to be popular exactly when flu is happening, and are therefore good indicators of flu activity.

Google tries to understand search data and its related patterns and then determines if the search was related to a flu in any way. It then maps this search to geo data to find out how the flu spreads.

This service is really neat. However it may not actually hint at flu levels for a given country / city. Just because I search for ‘swine flu’,  does not mean I have it. I might simply be interested in knowing what swine flu is all about. It can be argued however that regions that have swine flu cases will search more for preventive measures, vaccinations, drugs to take etc etc. Interestingly the service is also available in mexico although it is supposed to be experimental (in mexico) for now.

So how can google cross verify search data with actual statistics ? They thought about that as well. Google expects governments to provide data on influenza like illnesses. Once the service is launched for that country, the online data is matched with the data provided by the government.