clouedoc/things3-server

Repository files navigation

Things3 Server

A Things3 server with a focus on preserving your privacy.

TODO lists contain a ton of sensitive information. From your habits, hopes and dreams to your bank passwords, they constitute an ideal target for passive mass surveillance, targeted attacks and rogue employees alike.

Thus, ideally, one should be meticulous about the software one picks for one's TODO list. In practice, it's challenging enough to find an app that you like, and straight impossible to find one that meets both your operational requirements and your security requirements.

Enter things3-server: my small contribution to making your life easier, as a busy hacker trying to organize your life!

things3-server is a simple HTTPS server that (currently) proxies the requests made by the Things3 apps to Things3 Cloud.

However, it encrypts the text contents, which prevents your data from being stored in plaintext on Things3's servers.

WIP

I personally use this software. It works, but it's not perfect.

Here are some areas I would like to improve:

  • It shouldn't even use Things3 Cloud as a backend. There is no reason to expose metadata to the app developers. The API is quite simple and could be replicated quite easily. This will be the next milestone for things3-server.
  • It leaks if the DNS interception fails: e.g., if Tailscale gets disconnected and you create a task, it will be stored in plaintext on their server forever
    • ...unless you delete your account, or you log in again and choose to preserve only the data stored on your device.
    • Do note that this case is handled gracefully by the current version of the software, as plaintext data gets re-encrypted once edited from another device. However, beware that the full history of all edits is kept and is visible from the Things3 Cloud API.
  • You add your server as a point of failure. If someone gets access to your hosting server, your data is going to be compromised.
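To make the proxy's core concrete, here is an added example (not the project's own code) of how sensitive task fields can be encrypted with AES-256-GCM on the way to Things3 Cloud and decrypted on the way back, including the pass-through of a plaintext value that reached the cloud while interception was down and its re-encryption on the next edit, as described above. The field names "title" and "notes", the "enc:v1:" marker and Node's crypto module are assumptions, not the project's wire format.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Assumed (not from the project): a prefix marking encrypted values, and the
// task fields considered sensitive.
const PREFIX = "enc:v1:";
const SENSITIVE = ["title", "notes"];

export function encryptField(key: Buffer, plaintext: string): string {
  const iv = randomBytes(12);                       // fresh nonce per value
  const c = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return PREFIX + Buffer.concat([iv, ct, c.getAuthTag()]).toString("base64");
}

export function decryptField(key: Buffer, value: string): string {
  const raw = Buffer.from(value.slice(PREFIX.length), "base64");
  const d = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(raw.length - 16));      // throws on tampering
  const ct = raw.subarray(12, raw.length - 16);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

export const isEncrypted = (v: unknown): boolean =>
  typeof v === "string" && v.startsWith(PREFIX);

// Outbound (app -> cloud): encrypt each sensitive string field. Already
// encrypted values are left alone, so the proxy is idempotent.
export function sealTask(key: Buffer, task: Record<string, unknown>) {
  const out = { ...task };
  for (const f of SENSITIVE) {
    const v = out[f];
    if (typeof v === "string" && !isEncrypted(v)) out[f] = encryptField(key, v);
  }
  return out;
}

// Inbound (cloud -> app): decrypt encrypted fields. A plaintext field (one that
// reached the cloud while DNS interception was down) passes through unchanged
// and gets sealed the next time the task is edited through the proxy.
export function openTask(key: Buffer, task: Record<string, unknown>) {
  const out = { ...task };
  for (const f of SENSITIVE) {
    const v = out[f];
    if (typeof v === "string" && isEncrypted(v)) out[f] = decryptField(key, v);
  }
  return out;
}
```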

Installation

This section contains the (currently unfinished) installation instructions.

Beware that the setup is a bit convoluted, so if you're not super tech-savvy, you should email me so that I can ping you once a more consumer-grade version of the software is available.

Overview

To connect to the Things3 cloud server, the Things3 app issues a DNS request for cloud.culturedcode.com. things3-server works by configuring a custom DNS server that returns the IP address of a server we control, and by installing an SSL certificate on macOS and iOS that allows things3-server to present itself as cloud.culturedcode.com.

Here is a step-by-step explanation of how it works:

  1. Things3 asks our custom DNS server the IP address of cloud.culturedcode.com
  2. Our DNS server returns 1.2.3.4 (the IP of our things3-server installation)
  3. Things3 connects to 1.2.3.4
  4. things3-server responds with our custom SSL certificate
  5. Things3 will approve the certificate since we previously installed it on our iPhone/Mac/iPad
  6. Things3 communicates with things3-server, which encrypts and decrypts sensitive fields in the data on the fly.
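Steps 1 and 2 in action, as an added example that is not the project's dns.ts: given a raw DNS query packet, it builds the reply for the intercepted name (an A record pointing at our server), answers AAAA for that name with an empty NOERROR so the client falls back to the A record, and returns NXDOMAIN for any other name. The name comes from the README; the IP is a placeholder for your server's Tailscale address, and the UDP socket wiring is left out so the code runs offline.

```typescript
// Added example, not the project's dns.ts: builds the reply described in step 2
// for a raw DNS query packet. The UDP socket wiring is left out so it runs offline.
const INTERCEPT = "cloud.culturedcode.com";   // from the README
const OUR_IP = "100.64.0.1";                   // placeholder: things3-server's Tailscale IP

// Encode a minimal query (used here only to build test input).
export function encodeQuery(name: string, qtype: number): Uint8Array {
  const b = [0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0];   // ID, RD=1, QDCOUNT=1
  for (const label of name.split(".")) {
    b.push(label.length, ...Array.from(label, c => c.charCodeAt(0)));
  }
  b.push(0, 0, qtype, 0, 1);                   // root label, QTYPE, QCLASS=IN
  return Uint8Array.from(b);
}

// Parse QNAME and QTYPE from the question section; `end` is the offset past it.
export function parseQuestion(q: Uint8Array): { name: string; qtype: number; end: number } {
  const labels: string[] = [];
  let i = 12;                                  // skip the 12-byte header
  while (q[i] !== 0) {
    const len = q[i++];
    labels.push(Array.from(q.subarray(i, i + len), c => String.fromCharCode(c)).join(""));
    i += len;
  }
  const qtype = (q[i + 1] << 8) | q[i + 2];
  return { name: labels.join("."), qtype, end: i + 5 };   // root byte + QTYPE + QCLASS
}

export function buildResponse(q: Uint8Array): Uint8Array {
  const { name, qtype, end } = parseQuestion(q);
  const ours = name.toLowerCase() === INTERCEPT;
  const hit = ours && qtype === 1;             // only A records are answered
  const resp = new Uint8Array(hit ? end + 16 : end);
  resp.set(q.subarray(0, end));                // keep ID, QDCOUNT and the question
  resp[2] = 0x84 | (q[2] & 0x01);              // QR=1, AA=1, preserve RD
  resp[3] = ours ? 0x00 : 0x03;                // NOERROR (NODATA for AAAA) or NXDOMAIN
  resp[7] = hit ? 1 : 0;                       // ANCOUNT
  resp.fill(0, 8, 12);                         // NSCOUNT, ARCOUNT
  if (hit) {
    // Answer: pointer to QNAME, type A, class IN, TTL 60, RDLENGTH 4, address
    resp.set([0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4, ...OUR_IP.split(".").map(Number)], end);
  }
  return resp;
}
```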

Setting up a server

  1. Any host will do
  2. Make sure to block ports 53 and 443 in your firewall, as you'll use Tailscale to communicate with your server
  3. Install Tailscale, make sure to connect it to the same Tailnet as your iPhone and Mac

Setting up DNS interception

  1. Set up Tailscale on your hosting server
  2. Set up Tailscale on your iPhone and macOS device
  3. Tailscale: edit DNS settings. In "Nameservers," add a nameserver that points to your hosting server's Tailscale IP. Enable Split DNS for cloud.culturedcode.com.
  4. Run the DNS server with deno run --allow-net dns.ts

Setting up a custom SSL certificate for cloud.culturedcode.com

Generating the SSL certificate

mkdir ssl && cd ssl
openssl genrsa -out cert.key 2048
# Note: a SAN is required by iOS. Otherwise, an error will be thrown and visible in the console.
# If you have issues, look at the console for this log line: Trust evaluate failure: [leaf SSLHostname]
openssl req -new -x509 -key cert.key -out cert.crt -days 365 \
  -subj "/C=NL/ST=Zuid Holland/L=Rotterdam/O=ACME Corp/OU=Security Department/CN=cloud.culturedcode.com" \
  -addext "subjectAltName = DNS:cloud.culturedcode.com"
cat cert.key cert.crt > cert.pem
cd ../

Installing the SSL Certificate

This section shows how to install the SSL certificate on different platforms.

Contributions showcasing more complete installation instructions are welcome.

macOS

Double-click on ssl/cert.crt.

Click "details" and click "always trust."

Install the certificate in the "System" keychain.

iOS

AirDrop ssl/cert.crt to your iPhone.

Pick "iPhone" if asked where to install the certificate.

Go to your settings, find the certificate and install it.

Then, type "Trust" in your search bar, and find a toggle that says "cloud.culturedcode.com"; activate it.

Maintenance

If you are upgrading to a new version that encrypts a new field, you will have to "reset" your history.

It's also useful to do this if you accidentally added a task from a client connected directly to Things Cloud rather than to your personal server, in which case the data was sent unencrypted (a future version will store the data on your server directly, which should prevent this class of issues altogether).

Taking a backup

Just make sure not to use the Things app on your phone; it'll serve as a backup if anything goes wrong.

Operation

  1. Sign out of Things Cloud
  2. Sign in again
  3. When asked, say to upload tasks from your Mac
  4. Done! Your Things Cloud history is now a clean single encrypted update.
