An activity stream publishing Open Web Application

What is this?

This is a tool for publishing a personal microblog or activity stream from a modern browser to an S3 bucket.

This is also an experiment in using Activity Streams, and in building an Open Web Application atop Amazon S3.

Why is this interesting?

This app requires a device with a modern browser and Amazon S3 to publish an activity stream on the web. Through the magic of REST, AJAX, cryptography, and an additional buzzword bingo assemblage of Open Web technologies, you need neither set up a server nor install any software on your computer.

How do I use it?

I plan to write a friendlier guide to this thing when it matures, but here's the skinny:

Wait, what? Is this secure?

The short answer is: I don't know how secure this is. It might not be. You tell me!

Why register? And what happens to your valuable and sensitive AWS credentials? Those credentials—and your biographical details—are really too long to remember and cumbersome to type repeatedly, or at all on a mobile device. But, this app still needs them. So, a username and password are a bit more friendly, memorable, and familiar.

This is a compromise between usability and protecting your Access Credentials—but I may be mistaken and might have instead compromised the keys to your AWS account altogether. You decide:

When you "register", the data you submit is encrypted with your password, using AES. That encrypted bundle is then stored on S3 with a URL based on a SHA1 hash of your username. That resource is world-readable.

Later, when you "login", the encrypted bundle is fetched with your username and your password is used to decrypt it. This supplies the app with your AWS Credentials, along with preferences and your biographical profile information.
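
The register/login round trip described above, as an added example (not this project's code) written for Node.js rather than the browser. The page says only "AES" and "SHA1", so the PBKDF2 key derivation, the AES-256-GCM mode, the envelope fields and the `profiles/` prefix are assumptions.

```javascript
// Added example, not the project's code. PBKDF2, AES-256-GCM, the envelope
// fields and the "profiles/" prefix are assumptions; the page names only AES and SHA1.
const nodeCrypto = require('node:crypto');
const KDF_ITERATIONS = 600000; // assumed PBKDF2-HMAC-SHA256 work factor

// Object key for the bundle: SHA-1 of the username, as the page describes.
function bundleKey(username) {
  const digest = nodeCrypto.createHash('sha1').update(username, 'utf8').digest('hex');
  return `profiles/${digest}.json`;
}

function deriveKey(password, salt, iterations) {
  return nodeCrypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256');
}

// "Register": encrypt the profile (AWS credentials included) under the password.
function register(username, password, profile) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(password, salt, KDF_ITERATIONS);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(username, 'utf8')); // bind the bundle to its username
  const ct = Buffer.concat([cipher.update(JSON.stringify(profile), 'utf8'), cipher.final()]);
  const body = JSON.stringify({
    iter: KDF_ITERATIONS,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  });
  return { key: bundleKey(username), body }; // body is what gets stored world-readable
}

// "Login": decrypt the fetched bundle. Returns null when the password is wrong
// or the bundle was modified, because the GCM tag check fails.
function login(username, password, body) {
  const b = JSON.parse(body);
  if (!Number.isInteger(b.iter) || b.iter < KDF_ITERATIONS) return null; // reject a weakened KDF
  const key = deriveKey(password, Buffer.from(b.salt, 'base64'), b.iter);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(b.iv, 'base64'));
  decipher.setAAD(Buffer.from(username, 'utf8'));
  decipher.setAuthTag(Buffer.from(b.tag, 'base64'));
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(b.ct, 'base64')), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null;
  }
}
```

Because the stored bundle is world-readable, its confidentiality rests entirely on the password and the cost of the key derivation, which is the reason to put only limited-permission IAM credentials inside it.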

(I stole this idea from Jacob Wright, by the way.)

If you're paranoid (and you should be), this is why I mentioned using IAM to create a new user earlier. This is an experiment, and though I promise I'm not going to do anything malicious, you might not want to trust that I know what I'm doing. If you create a limited-permission set of credentials, the damage can be minimized in case I'm totally mistaken about what I'm doing here.

Miscellanea and credits