Community
Email Notification Idea
Links used in this discussion
While setting up the MSI Installer, I had an idea about the email notification portion that I wanted to share. Paid users could have an online account that links to their installer that allows them to configure some of the extra options such as the authentication and email notifications of a new ID being generated. Then the application rather than sending the notifications through SMTP could relay that info to RemoteUtilities (or other repeater?) where the info could then be emailed to the user.
The difference is that if the host gets decompiled, there is a chance of disclosure of where the emails are being sent, and maybe passwords as well. As it is I created a new gmail account, set it to forward to my normal account and then deletes it, wrote a script that auto flushes the trash every minute on that account so there is no record of it.
If my Viewer was linked to my account here, then I could set my notification options here, and you could even have each new connection randomly generate a 64bit password. I think this would dramatically increase the security for those using the notification system.
Go to https://script.google.com
Then create a new project and paste the below into it:
function removeMyTrash() {If you try and run the script as is it will error out.
var mymail = "email@gmail.com";
var mylabel = "trash";
var permanentlyRemoveMyLabel = true;
var pageToken;
do {
var threadList = Gmail.Users.Threads.list('me', {
q: 'in:' + mylabel,
pageToken: pageToken
});
if (threadList.threads && threadList.threads.length > 0) {
threadList.threads.forEach(function(thread) {
Logger.log('id: %s snippet: %s', thread.id, thread.snippet);
if (permanentlyRemoveMyLabel) {
Gmail.Users.Threads.remove(mymail, thread.id);
Logger.log('id: %s snippet: %s REMOVED', thread.id, thread.snippet);
}
});
}
pageToken = threadList.nextPageToken;
} while (pageToken);
}
Next you click on Resources and go to Advanced Google Services.
Scroll down to Gmail API and turn that on.
Next click Google Cloud Platform Link on that same window that came up where you enabled the Gmail API.
Then click on the Enable services and API and search for Gmail. Click on Gmail and then enable it.
Then go back to your script screen and click on the menu Edit and go to Current project's triggers.
Set a trigger to run the script either every minute or whatever time interval that you want the script to run and empty your trash.
Keep in mind you can delete from IN:TRASH IN:SPAM or whatever other label you want. It won't delete reminders and the deletion is final. You can't recover any of the emails.
Thank you for purchasing a license!
Sorry for that, we will be re-writing the File Transfer module some time soon.and having some trouble with the file transfer portion of the app
Implementing an online account is indeed in our plans for the future. However, making the installer send emails via our company-hosted script would be a step back to the mechanism which we have abandoned in favor of the "SMTP method".While setting up the MSI Installer, I had an idea about the email notification portion that I wanted to share. Paid users could have an online account that links to their installer that allows them to configure some of the extra options such as the authentication and email notifications of a new ID being generated. Then the application rather than sending the notifications through SMTP could relay that info to RemoteUtilities (or other repeater?) where the info could then be emailed to the user.
If you mean Host access passwords, they are not disclosed. When you choose "Automatically generate Host password" the password is encrypted with a public key on the Host side. In order to decrypt it one needs the private key which only resides on the Viewer side, initially in the Viewer where you actually built the installer although you can also copy the key to another Viewer.The difference is that if the host gets decompiled, there is a chance of disclosure of where the emails are being sent, and maybe passwords as well. As it is I created a new gmail account, set it to forward to my normal account and then deletes it, wrote a script that auto flushes the trash every minute on that account so there is no record of it.
If you mean the SMTP password though, it's indeed can be extracted from the installer but that's "by design". There is simply no other way to simultaneously protect the SMTP password and use it on the same Host. We explicitly warn the user about this:
Also, we do suggest that the user avoid entering their primary email account credentials and instead use a "disposable" email account for that single purpose of receiving Host notifications. Even if someone gets access to those emails they won't be able to connect to Hosts because of the above mentioned reasons - they won't be able to find out the password because it is never sent plain in an email. Besides, there is also two-factor authentication which can be enabled for added security.
Let us know if you have any questions. Thanks.
As your disclosure states, when the destination email address, and SMTP settings are retrievable, then unless someone did what I did, that email account could potentially contain all the ID numbers associated with the account. While I realize that there is some additional protection with the password, this seems like a nice option was all I was trying to convey.
Thank you for the clarification. Still, this requires a centralized system with our service at the center, and this is exactly what we moved away from (due to abuses of the system and antivirus software being angry at us about that as a consequence).
However, we may look closer at this idea when we start implementing an online account.
Shouldn't the pop up message say, "Instead, create and use a dedicated and disposable email account for the only purpose of sending Host notifications"? The password is for the sending email account, not for receiving notifications.
That makes perfect sense, thank you for the suggestion. I will ask our development to correct the phrase in the nearest updates.
* Website time zone: America/New_York (UTC -4)