
Why is There No https in MIT App Inventor

Mar 25, 2022 jeff's Blog


Note: We anticipate having MIT App Inventor available over https before January 31, 2023.

People are asking “Why is MIT App Inventor insecure?” What they are typically referring to is the fact that the server at ai2.appinventor.mit.edu does not support the https (secure http) protocol. Attempting to browse to brings up the message “this site can’t be reached”. So people need to instead connect using http. But with Internet security becoming a larger and larger concern, browser vendors are increasingly encouraging switching away from http to https. An example, seen with http connections to ai2.appinventor.mit.edu, is to display the warning “your connection to this site is not secure.”

It should be safe to ignore this warning: MIT has implemented other security that mitigates the risks of using http as opposed to https, and we suggest using http for now. We are working on a solution to support https, but it is not yet in production.

If you simply must use https (perhaps a school policy requires it) you can use the server at . But this is a test implementation, not suggested for production use.

The technical reason for “Why no https” is a bit complicated. It is explained below.

TL;DR

If we serve MIT App Inventor over https, then our “Legacy Connection” on the MIT AI2 Companion cannot work due to security policies enforced by modern browsers. We have a solution, which you can try out on , but it is not without its own issues. If you want to test on ai2-test, but do not want to read this whole document, feel free to skip to the Testing on ai2-test heading.

Introduction

If you use MIT App Inventor, then you know that one of its key features is the ability to incrementally develop an application and watch it unfold on a device in real time. This is facilitated by the MIT AI2 Companion application, which runs on the device. In order to work, there needs to be a way for your browser, in which MIT App Inventor is running, to communicate your changes to your device.

Originally, the way we did this was to run a Web Server on your device. (Yes, you heard that right, a Web Server, on your device.) Your browser then communicates with this server like it would communicate with any other Web Server.

However, this special Web Server does not use https. That is because to run a “secure” Web Server over https requires the server to obtain a “certificate” from a “Certificate Authority” (CA). However, only Web Servers with a permanent Domain Name System (DNS) name can obtain certificates, not to mention that obtaining a certificate is a bit of a process and has to be done periodically, no less frequently than once per year. DNS names are things like “appinventor.mit.edu” or “company.com.”

However, devices such as phones and tablets do not have permanent network addresses nor do they have a DNS name. Therefore, you cannot obtain a certificate for them, even if you were willing to do the paperwork necessary.

The March to Security

As the Internet has moved to using secure web services, aka “https”, some sneaky sites would serve their main page over https, but when you enter your username and password, they send that over a non-secure connection to avoid the processing overhead of the encryption. So people were fooled into believing their password was protected, but it wasn’t.

To counteract this approach, all browser vendors have implemented a rule inside the browser that if you served a page securely, aka over “https”, then it could not make insecure connections behind the scenes.

Unfortunately, that means that if we serve MIT App Inventor over https, then it would not be able to contact the Web Server running on your device because we cannot run a secure Web Server on your device. This has forced us to continue to serve MIT App Inventor over http, aka non-securely.
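The rule described above, modelled in simplified form as an added example (not code from the original post or from App Inventor itself). The device address 192.168.1.23 and port 8001 are constructed sample values, and the function names are hypothetical.

```javascript
// Simplified model of the browser "mixed content" rule (added example).
// All device addresses and ports used with it are constructed sample values.

// Loopback hosts are treated by browsers as potentially trustworthy
// (W3C Secure Contexts), so plain http to them is not mixed content.
function isLoopback(hostname) {
  const h = hostname.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "[::1]") return true; // URL.hostname keeps the IPv6 brackets
  return /^127(\.\d{1,3}){3}$/.test(h);
}

// May a page that was itself served securely load this URL?
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  return isLoopback(u.hostname);
}

// Decide what happens when the page at pageUrl requests requestUrl.
function checkRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  // The rule only restricts pages that were served over https.
  if (page.protocol !== "https:") return "allowed";
  return isPotentiallyTrustworthy(requestUrl) ? "allowed" : "blocked";
}

// Walk through the cases that matter for a Web Server on a phone.
function legacyConnectionReport() {
  const device = "http://192.168.1.23:8001/"; // constructed LAN address
  return [
    ["http page -> device", checkRequest("http://ai2.appinventor.mit.edu/", device)],
    ["https page -> device", checkRequest("https://ai2.appinventor.mit.edu/", device)],
    ["https page -> loopback", checkRequest("https://ai2.appinventor.mit.edu/", "http://127.0.0.1:8001/")],
  ];
}

console.log(legacyConnectionReport());
```

A phone on the local network is not a loopback host, so it gets no exemption: the only row that comes back "blocked" is the https page talking to the device.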

It is worth noting that we provide our own security layer (not https) in the connection between your browser and your device. The browser doesn’t recognize this and so displays the security warning.

Our first Attempt to improve things

Like many organizations, we would really like to serve MIT App Inventor over https. So, we need a different supported way to connect from the browser to a device.

In the years since MIT App Inventor first came into being, a new technology, WebRTC, has been added to browsers. Although it is intended for audio and video connections between two browsers, it can be adapted for our use.

We rolled out this new approach in November 2018. We kept the original Web Server based connection mode and labelled it “Legacy Mode.”

When you open the MIT AI2 Companion (as of this writing in 2022) you see a checkbox labelled “Use Legacy Connection.” If you check this box, we use the Web Server based approach. Otherwise, we use WebRTC.

However, WebRTC is not without its problems. In particular, it communicates over a wide range of “network ports” which we have no control over (they are chosen inside the browser, beyond our reach). This causes issues in environments with strict network firewalls, as is often found in schools. With legacy mode, we could tell school Information Technology (IT) administrators which ports they needed to permit for MIT App Inventor to function. With WebRTC, this is a scary large number of ports to unblock, and some schools may refuse to do that.

If we serve MIT App Inventor over https, then legacy mode no longer works and only WebRTC will work. So, users in environments where WebRTC doesn’t work will be out of luck.

The bottom line for now is that if you cannot use WebRTC, then you must use MIT App Inventor via http. MIT is working on releasing a new version of legacy mode that will support both http and https.

Hope for the future

We have been working on a newer version of legacy mode that uses a pop-up helper window to communicate with the Web Server in the MIT AI2 Companion. This approach will work even when MIT App Inventor is served over https. The catch is that it involves a pop-up window, which can simply be ignored (pushed into the background). We are working on seeing if we can make this as non-annoying as possible. If you want to see this in action, you can test it out on our testing environment.

Testing on ai2-test

You can test our new legacy approach by going to . (Note the https.) You will need to download a special testing version of MIT AI2 Companion directly from the testing site (use the Help⇒Companion Information menu item to see a QR Code to download it with, as well as a link to directly download it). You will have to “side-load” it, which will require you to have your device permit installations from “unknown” sources. The current version is 2.62t3u. If your copy of the Companion does not say “2.62t3u” (or a later version, such as 2.62t4u) then you do not have the correct Companion.

With this Companion, you can use “Use Legacy Connection Mode” and it should work over https (note: there is still a warning message telling you it won’t work; you can ignore that).

Keep in mind that ai2-test is a TESTING site. Projects that you upload or create there may not be compatible with our production sites, at least not until the various things being tested are put into production.

You are welcome to use ai2-test, but keep this TESTING notion in mind. We try not to put very broken things on it, but we offer no guarantee that we won’t (at least not intentionally!).