https://github.com/clouedoc/things3-server
A Things3 server with a focus on preserving your privacy.
- Host: GitHub
- URL: https://github.com/clouedoc/things3-server
- Owner: clouedoc
- Created: 2024-11-19T17:37:48.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-11-27T07:16:59.000Z (over 1 year ago)
- Last Synced: 2026-02-07T19:43:36.376Z (5 months ago)
- Topics: things3
- Language: TypeScript
- Homepage:
- Size: 24.4 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Things3 Server
> A Things3 server with a focus on preserving your privacy.
TODO lists contain a ton of sensitive information. From your habits and hopes and dreams to your bank passwords, they make an ideal target for passive mass surveillance, targeted attacks and rogue employees.
Ideally, then, one should be meticulous about the software one picks for one's TODO list. In practice, it's challenging enough to find an app that you like, and outright impossible to find one that meets both your operational requirements and your security requirements.
Enter `things3-server`: my small contribution to making your life easier, as a
busy hacker trying to organize your life!
`things3-server` is a simple HTTPS server that (currently) proxies the requests made by the Things3 apps to Things3 Cloud.
However, it encrypts the text contents, which prevents your data from being stored in plaintext on Things3's servers.
## WIP
I personally use this software. It works, but it's not perfect.
Here are some areas I would like to improve:
- It shouldn't even use Things3 Cloud as a backend. There is no reason to expose
metadata to the app developers. The API is quite simple and could be
replicated quite easily. This will be the next milestone for `things3-server`.
- It leaks if the DNS interception fails: e.g., if Tailscale gets disconnected and you create a task, that task will be stored in plaintext on their server forever...
  - ...unless you delete your account, or log in again and choose to preserve only the data stored on your device.
  - Do note that this case works and is handled gracefully by the current version of the software, as plaintext data gets re-encrypted once it is edited from another device. However, beware that the full history of all edits is conserved and visible from the Things3 Cloud API.
- You add your server as a point of failure. If someone gets access to your
hosting server, your data is going to be compromised.
## Installation
This section contains the (currently unfinished) installation instructions.
Beware that the setup is a bit convoluted, so if you're not super tech-savvy,
you should email me so that I can ping you once a more consumer-grade version of
the software is available.
### Overview
To connect to the Things3 cloud server, the Things3 app issues a DNS request for `cloud.culturedcode.com`. `things3-server` works by configuring a custom DNS server that returns the IP address of a server we control, and by installing an SSL certificate on macOS and iOS that allows `things3-server` to present itself as `cloud.culturedcode.com`.
Here is a step-by-step explanation of how it works:
1. Things3 asks our custom DNS server for the IP address of `cloud.culturedcode.com`
2. Our DNS server returns `1.2.3.4` (the IP of our `things3-server` installation)
3. Things3 connects to `1.2.3.4`
4. `things3-server` responds with our custom SSL certificate
5. Things3 approves the certificate, since we previously installed it on our iPhone/Mac/iPad
6. Things3 communicates with `things3-server`, which encrypts and decrypts the sensitive fields in the data on the fly.
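As an added example (not code from the things3-server repository), here is how step 6 can be done in TypeScript with Node's `crypto` module: only the human-readable fields are encrypted with AES-256-GCM, and everything else is forwarded untouched, which is exactly the metadata the README says still reaches Things Cloud. The field names `title` and `notes`, the `enc:v1:` prefix and the cipher are assumptions for illustration; the project's real wire format is not documented on this page.

```typescript
// Added example, not code from the things3-server repository. Field names,
// prefix and cipher are assumptions; the project's real format is undocumented here.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Human-readable fields get encrypted; ids, timestamps and status flags are
// forwarded as-is (this is the metadata that still reaches Things Cloud).
const SENSITIVE_FIELDS = ["title", "notes"] as const;
const PREFIX = "enc:v1:"; // marks a field value that is already encrypted
type Item = Record<string, unknown>;

function encryptField(key: Buffer, plaintext: string): string {
  const iv = randomBytes(12); // fresh 96-bit nonce per field, never reused
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // wire format: PREFIX + base64(iv || tag || ciphertext)
  return PREFIX + Buffer.concat([iv, cipher.getAuthTag(), body]).toString("base64");
}

function decryptField(key: Buffer, value: string): string {
  if (!value.startsWith(PREFIX)) return value; // leaked plaintext: pass through unchanged
  const raw = Buffer.from(value.slice(PREFIX.length), "base64");
  const decipher = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28)); // tampering or a wrong key makes final() throw
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
}

// Outbound (app -> Things Cloud): seal sensitive fields; already-sealed values are left alone,
// so re-proxying an item never double-encrypts it.
function sealItem(key: Buffer, item: Item): Item {
  const out: Item = { ...item };
  for (const f of SENSITIVE_FIELDS) {
    const v = out[f];
    if (typeof v === "string" && !v.startsWith(PREFIX)) out[f] = encryptField(key, v);
  }
  return out;
}

// Inbound (Things Cloud -> app): open sensitive fields so the app sees plaintext.
function openItem(key: Buffer, item: Item): Item {
  const out: Item = { ...item };
  for (const f of SENSITIVE_FIELDS) {
    const v = out[f];
    if (typeof v === "string") out[f] = decryptField(key, v);
  }
  return out;
}
```

A plaintext value that slipped past the proxy (the Tailscale-disconnected case above) is passed through by `decryptField` and gets sealed on its next edit, matching the behaviour the WIP section describes.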
### Setting up a server
1. Any host will do
2. Make sure to block ports 53 and 443 from the public internet in your firewall, since you'll only communicate with your server over Tailscale
3. Install Tailscale, and make sure to connect it to the same Tailnet as your iPhone and Mac
### Setting up DNS interception
1. Set up Tailscale on your hosting server
2. Set up Tailscale on your iPhone and macOS device
3. Tailscale: edit the DNS settings. Under "Nameservers," add a nameserver that points to your hosting server's Tailscale IP. Enable Split DNS for cloud.culturedcode.com.
4. Run the DNS server with `deno run --allow-net dns.ts`
### Setting up a custom SSL certificate for cloud.culturedcode.com
#### Generating the SSL certificate
```bash
mkdir ssl && cd ssl
openssl genrsa -out cert.key 2048
# Note: a SAN is required by iOS. Otherwise, an error will be thrown and visible in the console.
# If you have issues, look at the console for this log line: Trust evaluate failure: [leaf SSLHostname]
# -addext requires OpenSSL 1.1.1 or newer.
openssl req -new -x509 -key cert.key -out cert.crt -days 365 \
  -subj "/C=NL/ST=Zuid Holland/L=Rotterdam/O=ACME Corp/OU=Security Department/CN=cloud.culturedcode.com" \
  -addext "subjectAltName = DNS:cloud.culturedcode.com"
# cert.pem bundles the private key with the certificate: only things3-server needs it,
# so keep it on the server and install only cert.crt on your devices.
cat cert.key cert.crt > cert.pem
cd ../
```
#### Installing the SSL Certificate
This section shows how to install the SSL certificate on different platforms.
Contributions showcasing more complete installation instructions are welcome.
##### MacOS
Double-click on `ssl/cert.crt`.
Click "details" and click "always trust."
Install the certificate in the "System" keychain.
##### iOS
AirDrop `ssl/cert.crt` to your iPhone.
Pick "iPhone" if asked where to install the certificate.
Go to your settings, find the certificate and install it.
Then, type "Trust" in your search bar, and find a toggle that says
"cloud.culturedcode.com"; activate it.
## Maintenance
If you are upgrading to a new version that encrypts a new field, you will have to "reset" your history.
It's also useful to do this if you accidentally added a task from a client connected directly to Things Cloud rather than to your personal server, in which case the data was sent unencrypted.
(A future version will store the data on your server directly, which should prevent this class of issues altogether.)
### Taking a backup
Just make sure not to use the Things app on your phone during the operation; it'll serve as a backup if anything goes wrong.
### Operation
1. Sign out of Things Cloud
2. Sign in again
3. When asked, choose to upload the tasks from your Mac
4. Done! Your Things Cloud history is now a clean single encrypted update.