Mathstodon

0 posts0 participants0 posts today

xoron :verified:id like to share some details about how my app works so you can discover/give me feedback on my app. id like to have wording in my app to say something like "most secure chat app in the world"... i probably cant do that because it doesnt qualify.<a href="https://github.com/positive-intentions/chat" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/positive-intentions/chat</a><a href="https://positive-intentions.com/blog/introducing-decentralized-chat" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://positive-intentions.com/blog/introducing-decentralized-chat</a>im not an expert on <a href="https://infosec.exchange/tags/cyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cyberSecurity</a>. im sure there are many gaps in my knowlege in this domain.using <a href="https://infosec.exchange/tags/javascript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#javascript</a>, i initially created a fairly basic <a href="https://infosec.exchange/tags/chatApp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#chatApp</a> using using <a href="https://infosec.exchange/tags/peerjs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#peerjs</a> to create <a href="https://infosec.exchange/tags/encrypted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#encrypted</a> <a href="https://infosec.exchange/tags/webrtc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webrtc</a> <a href="https://infosec.exchange/tags/connections" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#connections</a>. this was then easily enhanced by exchanging additional <a href="https://infosec.exchange/tags/encryption" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#encryption</a> <a href="https://infosec.exchange/tags/keys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#keys</a> from <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cryptography</a> functions built into browsers (<a href="https://infosec.exchange/tags/webcrypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webcrypto</a> api) to add a redundent layer of encryption. a <a href="https://infosec.exchange/tags/diffieHelman" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#diffieHelman</a> key <a href="https://infosec.exchange/tags/exchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#exchange</a> is done over <a href="https://infosec.exchange/tags/webrtc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webrtc</a> (which can be considered <a href="https://infosec.exchange/tags/secure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#secure</a> when exchanged over public channels) to create <a href="https://infosec.exchange/tags/serverless" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#serverless</a> <a href="https://infosec.exchange/tags/p2p" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#p2p</a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#authentication</a>.- i sometimes recieve feedback like "javascript is inherently insecure". i disagree with this and have <a href="https://infosec.exchange/tags/openedSource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#openedSource</a> my <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cryptography</a> module. its basically a thin wrapper around vanilla cryptography functions of a <a href="https://infosec.exchange/tags/browser" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#browser</a> (webcrypto api).- another concern for my kind of app (<a href="https://infosec.exchange/tags/PWA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#PWA</a>) is that the developer may introduce malicious code. this is an important point for which i open sourced the project and give instructions for <a href="https://infosec.exchange/tags/selfhosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#selfhosting</a>. selhosting this app has some unique features. unlike many other <a href="https://infosec.exchange/tags/selfhosted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#selfhosted</a> <a href="https://infosec.exchange/tags/projects" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#projects</a>, this app can be hosted on <a href="https://infosec.exchange/tags/githubPages" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#githubPages</a> (instructions are provided in the readme). im also working towards having better support for running the index.html directly without a static server.- to prevent things like browser extensions, the app uses strict <a href="https://infosec.exchange/tags/CSP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CSP</a> headers to prevent <a href="https://infosec.exchange/tags/unauthorised" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#unauthorised</a> code from running. <a href="https://infosec.exchange/tags/selfhosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#selfhosting</a> users should take note of this when setting up their own instance.- i received feedback the <a href="https://infosec.exchange/tags/Signal" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Signal</a>/#Simplex protocol is great. completely undertsandable and agree, but wonder if im reducing the <a href="https://infosec.exchange/tags/complexity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#complexity</a> by working with <a href="https://infosec.exchange/tags/webrtc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webrtc</a>. while it has its many flaws, i think risks can be reasonable mitigated if the <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cryptography</a> functions are implemented correctly. (all data out is <a href="https://infosec.exchange/tags/encrypted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#encrypted</a> and all data in is <a href="https://infosec.exchange/tags/decrypted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#decrypted</a> on-the-fly)- the key detail that makes this approach unique, is because as a <a href="https://infosec.exchange/tags/webapp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webapp</a>, unlike other solutions, users have a choice of using any <a href="https://infosec.exchange/tags/device" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#device</a>/#os/#browser. while a webapp can have nuanced <a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#vulnerabilities</a>, i think by <a href="https://infosec.exchange/tags/openSourcing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#openSourcing</a> and providing instructions for <a href="https://infosec.exchange/tags/selfhosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#selfhosting</a> and instructions to <a href="https://infosec.exchange/tags/build" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#build</a> for various <a href="https://infosec.exchange/tags/platforms" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#platforms</a>, it can provide a reasonable level of <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#security</a>.i think if i stick to the principle of avoiding using any kind of "required" service provider (myself included) and allowing the <a href="https://infosec.exchange/tags/frontend" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#frontend</a> and the peerjs-server to be <a href="https://infosec.exchange/tags/hosted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#hosted</a> <a href="https://infosec.exchange/tags/independently" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#independently</a>, im on track for creating a <a href="https://infosec.exchange/tags/chatSystem" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#chatSystem</a> with the "fewest moving parts". i hope you will agree this is true <a href="https://infosec.exchange/tags/p2p" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#p2p</a> and i hope i can use this as a step towards true <a href="https://infosec.exchange/tags/privacy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#privacy</a> and <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#security</a>. <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#security</a> might be further improved by using a trusted <a href="https://infosec.exchange/tags/VPN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#VPN</a>.while there are several similar apps out there like mine. i think mine is distinctly a different approach. so its hard to find <a href="https://infosec.exchange/tags/bestPractices" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#bestPractices</a> for the functionalities i want to achieve. in particular <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#security</a> practices to use when using <a href="https://infosec.exchange/tags/p2p" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#p2p</a> technology.(note: this app is an <a href="https://infosec.exchange/tags/unstable" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#unstable</a>, <a href="https://infosec.exchange/tags/experiment" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#experiment</a>, <a href="https://infosec.exchange/tags/proofOfConcept" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#proofOfConcept</a> and not ready to replace any other app or service. It's far from finished and provided for <a href="https://infosec.exchange/tags/testing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#testing</a> and <a href="https://infosec.exchange/tags/demo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#demo</a> purposes only. This post is to get <a href="https://infosec.exchange/tags/feedback" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#feedback</a> on the progress to determine if i'm going in the right direction for a secure chat app)

xoron :verified:<a href="https://infosec.space/@kkarhan" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@kkarhan</a> thanks for the reply! far from being discouraged, i appriciate your engagement. i will try to be reasonably brief in my reponse to your points and give a general update on progress and objective.> scout out existing solutionsi have seem similar <a href="https://infosec.exchange/tags/webapp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webapp</a> implementation, i think so far for "that kind" of chat app, the chat app is able to demonstrate similar basic functionality. for a wider adoption, the user interface needs to be more appealing, but i think its important to have a working proof-of-concept first. the project is specifically aiming to be a <a href="https://infosec.exchange/tags/javascript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#javascript</a> <a href="https://infosec.exchange/tags/localFirst" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#localFirst</a> <a href="https://infosec.exchange/tags/webapp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webapp</a>.a couple notable similar implementation to mine are: - <a href="https://github.com/cryptocat/cryptocat" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/cryptocat/cryptocat</a> - <a href="https://github.com/jeremyckahn/chitchatter" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/jeremyckahn/chitchatter</a> (im sure there are many more, but i think my approach is yet different and unique to the ones i've come across.)> DO NOT DIY ENCRYPTION!this is indeed a reccomended practice i have seen several times. here is a previsous reddit post on the matter: <a href="https://www.reddit.com/r/cryptography/comments/1cint8h/what_are_your_thoughts_on_subtlecrypto_vs_wasm" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.reddit.com/r/cryptography/comments/1cint8h/what_are_your_thoughts_on_subtlecrypto_vs_wasm</a> ... tldr; the underlying implementation provided by the browser is the best way to go. i have implemented the <a href="https://infosec.exchange/tags/encryption" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#encryption</a> using the <a href="https://infosec.exchange/tags/webcrypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webcrypto</a> <a href="https://infosec.exchange/tags/api" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#api</a>. i aim to not use a library for this. i generally try to word things in a way that users can provide feedback on features. the app is still in a very early stage, but has a reasonable amount of features. im generally open to requests and questions.> minimum viable productwhat you see as the chat app is also the <a href="https://infosec.exchange/tags/minimum" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#minimum</a> <a href="https://infosec.exchange/tags/viable" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#viable</a> <a href="https://infosec.exchange/tags/product" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#product</a>. i think its sufficiently demonstrates the basic functionality of a chat app. i think the next step is to make the app more stable and user friendly.those other apps youve mentions ive come across before. what sets my approach apart is that mine it's purely a webapp. with what id like to describe as <a href="https://infosec.exchange/tags/p2p" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#p2p</a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#authentication</a> over <a href="https://infosec.exchange/tags/webrtc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webrtc</a>, im able to remove reliance on a backend for <a href="https://infosec.exchange/tags/authenticate" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#authenticate</a> <a href="https://infosec.exchange/tags/data" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#data</a> <a href="https://infosec.exchange/tags/connections" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#connections</a>. in some cases, bypass the internet (wifi/hotspot). while there are several ways to <a href="https://infosec.exchange/tags/selfhost" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#selfhost</a>, in this approach of a <a href="https://infosec.exchange/tags/javascript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#javascript</a> implementation, im able to store large amounts of data in the browser so things like images and <a href="https://infosec.exchange/tags/encryptionKeys" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#encryptionKeys</a> can be <a href="https://infosec.exchange/tags/selfhosted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#selfhosted</a>" in the browser. while this form has nuanced limitations, it also has interesting implications to security and privacy.there are many nice features from the different apps you mentioned and i think i have some unique features too. the bottle neck in this project is that i dont put in enough time to the app.> feel free to slowly ibtegrate them.this is basically already my approach to get the app to where it is now.thanks for the luck, take care and i hope you stay tuned for updates.

jmsfbsGoing to try <a href="https://mastodon.social/tags/deno2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#deno2</a> out for a little util. I want to download my gmail archive, process it with <a href="https://mastodon.social/tags/duckdb" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#duckdb</a> and then store it somewhere as <a href="https://mastodon.social/tags/parquet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#parquet</a> Lots of interesting stuff in my email, links, lyrics, etc. But its also storing a lot of things I'd rather not be on the internet at all.Last time I tried out <a href="https://mastodon.social/tags/deno" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#deno</a> I really liked it but ran into API compat issues with the <a href="https://mastodon.social/tags/webcrypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webcrypto</a> API so its been a little while since I used it last.Let's see if the marketing is legit.<a href="https://mastodon.social/tags/programming" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#programming</a> <a href="https://mastodon.social/tags/webdev" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webdev</a>

circafuturumI am going over some encryption code, namely <a href="https://gitlab.com/oncer.io/oncer.io-web/-/blob/main/src/helpers/encryption.ts?ref_type=heads#L18" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://gitlab.com/oncer.io/oncer.io-web/-/blob/main/src/helpers/encryption.ts?ref_type=heads#L18</a> and I am wondering things:should pbkdf2Iterations be bumped up from 10000?should PBKDF2 with SHA-256 for key derivation be replaced with something else?are there additional precautions that could be taken when running this in a browser? (I'm thinking something like <a href="https://engineering.fb.com/2022/03/10/security/code-verify/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://engineering.fb.com/2022/03/10/security/code-verify/</a>)happy to hear feedback! :blobhappy: <a href="https://infosec.exchange/tags/encryption" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#encryption</a> <a href="https://infosec.exchange/tags/webcrypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webcrypto</a> <a href="https://infosec.exchange/tags/javascript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#javascript</a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#security</a>

Mathias PanzenböckBoth web browsers (<a href="https://chaos.social/tags/DOM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DOM</a>) and <a href="https://chaos.social/tags/NodeJS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NodeJS</a> have a <a href="https://chaos.social/tags/WebCrypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WebCrypto</a> implementation as a global `crypto` object, but @types/node only knows `import { webcrypto } from 'node:crypto'`, so I wrote a trivial <a href="https://chaos.social/tags/npm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#npm</a> package to have access to that object in the same way in both environments: <a href="https://www.npmjs.com/package/@panzi/isomorphic-webcrypto" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.npmjs.com/package/@panzi/isomorphic-webcrypto</a> It's 1 relevant line of <a href="https://chaos.social/tags/JavaScript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#JavaScript</a> (2 more for ECMAScript module and strict mode) and 2 lines of <a href="https://chaos.social/tags/TypeScript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TypeScript</a> type declarations.

rmhrisk :verified:webcrypto.dev has everything a web developer needs for secure communication and data protection, including certificate enrollment, session encryption, message/file encryption, signing and verification and more. <a href="https://infosec.exchange/tags/typescript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#typescript</a> <a href="https://infosec.exchange/tags/webcrypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webcrypto</a>

Matthew Miller :donor:I just published a blog post on how to use the upcoming <code>prf</code> extension in the <a href="https://infosec.exchange/tags/WebAuthn" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WebAuthn</a> L3 Draft spec to properly encrypt data using a security key and the <a href="https://infosec.exchange/tags/WebCrypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WebCrypto</a> browser API. Here's a quick teaser:<blockquote>Imagine it: a quick tap to encrypt a super secret message, a short journey via sneakernet, then a quick tap to decrypt the message…I’m happy to report that my “crazy idea” has become a reality. And even better, it can all be done entirely in the browser 😏</blockquote>Check it out! <a href="https://blog.millerti.me/2023/01/22/encrypting-data-in-the-browser-using-webauthn/" rel="nofollow noopener noreferrer" target="_blank">https://blog.millerti.me/2023/01/22/encrypting-data-in-the-browser-using-webauthn/</a>

rugkGreat @MozDevNet work: <a href="https://social.wiuwiu.de/tags/wbamberg" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#wbamberg</a> re-wrote many of the <a href="https://social.wiuwiu.de/tags/webcrypto" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#WebCrypto</a> API docs! A step long needed, but you can have a look at it now, although there is still something to do! <a href="https://github.com/mdn/sprints/issues/664" rel="nofollow noopener noreferrer" target="_blank">https://github.com/mdn/sprints/issues/664</a> <a href="https://social.wiuwiu.de/tags/mdndocs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MDNDocs</a>

Recent searches

Search options

Administered by:

Server stats:

#webcrypto