Look into possibility of using crypton.io for encryption #14

Open
cooperq opened this issue Mar 29, 2014 · 3 comments
Comments

@cooperq
Member

cooperq commented Mar 29, 2014

No description provided.

@JohnMcLear

I work w/ the S/O team on their PhoneGap app. I will bump my contacts there about the potential of using crypton.io, but just from their own Docs page https://crypton.io/docs/:

"There is a problem with doing cryptography in a web browser, where an end user cannot (or will not) verify the entirety of code sent to them upon loading a page - a service operator can therefore inject malicious code into a previously verified page. Because of this, we can only recommend Crypton for use in packaged applications, such as with Cordova or node-webkit. For more information, see our security model."

So it doesn't look like this really solves your problem.

Also, if you are passing encrypted data, you WILL need to decrypt it to perform the OTs. So your best bet is SSL between client -> server, then salting/hashing data stored in the database. IMHO, if someone can access your database you have already been hugely compromised.

Step #1 should be an easy way for people to enable SSL on deployments.

@devgeeks

+1 to what @JohnMcLear says above.

Also, Crypton is really for implementing apps using it as the primary backend, not for attaching to an existing app. If you really do want to go ahead with in-browser encryption despite its flaws (but to send to your own backend), I would suggest something like https://github.com/dchest/tweetnacl-js

@cooperq
Member Author

cooperq commented Feb 7, 2015

I am aware of the issues with in-browser encryption. And while there are some security wins from using a browser extension, for example, I still think that having some level of security (i.e. browser encryption) is better than none at all. My ideal way that this would work is for each client to get an encrypted blob, decrypt it in the browser, send encrypted change packets to each other and do the OT on the client side.

There probably needs to be some POC work done in client-encrypted collaborative editing systems, because AFAIK there are none out there right now. It might be best to start with something simpler than ethersheet.
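
The design described in the last comment (clients exchange encrypted change packets and run the OT locally, while the server only relays ciphertext), sketched as an added example that is not part of the thread or of any project mentioned in it. It assumes a document key already shared between the clients out of band, handles only two concurrent text inserts, and uses Node's built-in AES-256-GCM; all function names are hypothetical.

```javascript
// Added illustration: not code from ethersheet, Crypton or tweetnacl-js.
const nodeCrypto = require('node:crypto');

// Encrypt one change packet with AES-256-GCM; the relay only ever sees this.
function seal(key, op) {
  const nonce = nodeCrypto.randomBytes(12); // fresh nonce per packet
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(JSON.stringify(op), 'utf8'), c.final()]);
  return { nonce, ct, tag: c.getAuthTag() };
}

// Decrypt and authenticate a packet; throws if it was modified in transit.
function unseal(key, pkt) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, pkt.nonce);
  d.setAuthTag(pkt.tag);
  return JSON.parse(Buffer.concat([d.update(pkt.ct), d.final()]).toString('utf8'));
}

// Minimal OT for concurrent inserts: shift `op` past `other` when `other`
// lands earlier in the text (site id breaks ties so both clients agree).
function transform(op, other) {
  const before = other.pos < op.pos ||
    (other.pos === op.pos && other.site < op.site);
  return before ? { ...op, pos: op.pos + other.text.length } : op;
}

// Apply an insert operation to a document string.
const applyOp = (doc, op) => doc.slice(0, op.pos) + op.text + doc.slice(op.pos);

// Two clients edit the same base text concurrently (constructed sample data).
function simulate() {
  const key = nodeCrypto.randomBytes(32); // assumed shared out of band
  const base = 'secure sheet';
  const opA = { site: 1, pos: 0, text: 'very ' };
  const opB = { site: 2, pos: 7, text: 'shared ' };
  const relay = [seal(key, opA), seal(key, opB)]; // all the server holds
  // Each client applies its own op, then the decrypted, transformed remote op.
  const docA = applyOp(applyOp(base, opA), transform(unseal(key, relay[1]), opA));
  const docB = applyOp(applyOp(base, opB), transform(unseal(key, relay[0]), opB));
  return { docA, docB, relay, key };
}
```

Both clients converge on the same text, and a packet altered on the relay fails authentication in `unseal` instead of being applied.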
