• Coding

  • Is it possible to encode VB desktop app url

Your description is quite confusing.
You have a "vb" (a vb what? a script?) which calls a server, which executes a PHP script... which opens another address?
What is the aim of all that? Maybe that would help understanding. And who coded what?
I'd really like to help but I don't like giving advice when I'm not sure that I understood the problem.

PS: I understand you have access to the server, so why don't you just set up HTTPS and have that serve the PHP app... would that solve your problem?
i don't have access to the server. The creator of the software asked for my help to rewrite the server side application using django, but i don't think it will work without rewriting the client as well. So I'm here asking if there a quick fix rather than recreating the whole system.

The server side php application, tells the visual basic application sitting on the desktop to open a url.
the visual basic application acts like a web browser, it shows you the web page.
The user should not be able to see the url, it has to be encoded.
https will not solve the problem.

I didn't code anything, some guy wants to hire me to fix that mess. I can't give more details since it's not my project, besides i don't have too much information, i haven't seen the source code, and i don't have access to the server.
venam, if you were in my place, what would you do? I'm thinking not to accept the project, since even after rewriting the whole thing, it just won't work
Fischer I didn't understand at all what you're going for.

However, do you realize how difficult it would be to have the client contact the server without knowing its url? This has nothing to do with securing the server, HTTPS, VB, PHP or REST. It would be like sending something through the mail without knowing the address of your recipient.

That being said, with a clever play of redirection and a few servers acting as middleware between your client and your endpoint, you devise a scheme that would obfuscate enough your target url so that it's practically impossible to know where the end data is ultimately headed. However the client (the VB program) needs to know at least the first address to connect to. How does it connect to the PHP server in the first place?

What I understand it's doing now 


    +-----------+                        +-----------+
    |           +---+1.request+----------> known URL |
    | client    <---+2.secretURL+--------+           |
    |           |                        | PHP server|
    +-----------+                        +-----------+
                |
                |
                |
                |
                |                        +-----------+
                |                        | unkown URL|
                +---+3.request+--------->|           |
                                         | secret!   |
                                         +-----------+
Why don't you try doing this? 
 +-----------+                        +-----------+                    +-----------+
 |           +---+1.request+----------> known URL +-----+2.getHTML+--->| unkown URL|
 | client    <---+4.forwardHTML+------+           <-----+3. HTML+------+           |
 |           |                        | PHP server|                    | secret!   |
 +-----------+                        +-----------+                    +-----------+
The user will most likely never get access to unkownURL, but it needs to know known URL.

Obviously the schema is a small simplification, and your business case might be more complicated than that. But the point is, you should never implement this sort of obfuscation client-side. It's absolutely useless. (That's the first rule of web security. You would think that by now you won't come across client-side data validation anymore!)
One thing that I find hard to understand is how the web-application controls the desktop application. Is the desktop application always running and listening on a port or scrapping some data until a certain event?
Yes that's true, ping every 10s to check the connection.

ok guys, i don't know if i'm allowed to do this, i'm gonna tell you what the app is supposed to do.

it's kinda like adsense, but not on webpages, instead, it's a desktop application that runs on your desktop and shows you the ads. So you see?

yes rahmu, you're right, i've seen this method on stackoverflow yesterday just before i asked my question, never tried it before. i'll tell the programmer who created the project about that method. I'm out, I don't want to waste a wonderful summer break on this project.
How can the user "see" the URL?
What part of the URL do you want to hide? Do you want the user not to be able to find the IP of the server or connexion endpoint? Maybe you can look for proxies, public VPNs or look into Tor. This is gonna be difficult...
If you just don't want the user to understand the query part of the URL, then yeah you can encode it or use HTTPS or some other tunnel.
A "regular" user will not know how to capture network packets so this only applies to advanced users. For most users, just not showing the URL in the app is enough.

PS: yes, I would hate to be working on that project either :)
@rolf the system will need to be as secured as possible since it's am ad serving platform, money could be stolen. So you never know if your users are advanced users or not. Anyway, I am not going to be a part of this project, it sucks working on a project where your only job is to secure a platform, security is a very big subject, and you'll never stop working on it. Such projects never ends and i'm a student, i am going to take summer courses, i'm avoid being a part of projects like that one, i will not be able to focus on my studies.