OldSparkyMI / aRevelation

An android password manager based on Revelation Password Manager file format.
GNU General Public License v3.0

Edit mode improvements #5

Open IzzySoft opened 6 years ago

IzzySoft commented 6 years ago

I'm glad editing is finally possible (and Revelation able to open edited files), but it might need some polish:

OldSparkyMI commented 6 years ago

> Point: cosmetic: when editing a field, the box has two buttons "cancel" and "open" – the latter one is confusing, and should rather be along the lines of "accept"/"OK"

will be handled in issue https://github.com/OldSparkyMI/aRevelation/issues/6

OldSparkyMI commented 6 years ago

Hello @IzzySoft,

many thanks for your interest and your effort in this project. This is a great idea and some day I will implement it, but for now, my target is feature completeness and being bug-free. The project contains a "TODO.md" with some needed improvements, and two bugs, one of them security-relevant. After reaching this goal, I'd like to modernize the desktop Revelation application (https://revelation.olasagasti.info, https://github.com/mikelolasagasti/revelation). For further use, we urgently need a port to PyGObject, more info here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790601

Can you work with the current state a little bit longer?

Best Regards @OldSparkyMI

IzzySoft commented 6 years ago

@OldSparkyMI Sure I can! That's why I mentioned both bullet-points (the first one would be obsolete if the second, larger change were made – so I fully agree to your "split": as I intended, the "cosmetic fix" is rather easily implemented and released while the longer job on the second, bigger one is processed).

My heart made a little jump reading the second part of your comment (hence the "party emo"): As the desktop application seems abandoned, I was already considering a switch to something else (e.g. I just found a light-weight KeePass Android client, and KeePass is even cross-platform). You just gave me a reason to stay (a bit longer) with Revelation – other than the laziness for a switch :wink:

So :+1: for all of your efforts – and it looks like you can count on my "critics" a bit longer. You already did a great job on the Android app – which now not only looks fresher, but got some long needed additional functionality! Enthusiastically looking into future development now :innocent:

IzzySoft commented 4 years ago

Just wondering: are you still working on this project? And are your plans for the desktop version still "alive"?

OldSparkyMI commented 4 years ago

> Just wondering: are you still working on this project? And are your plans for the desktop version still "alive"?

Hello IzzySoft,

good that you're still out there! The plan moved slightly in a different direction. Currently I work on wRevelation (https://github.com/OldSparkyMI/wRevelation) where you can look into your Revelation files directly from the browser. You can try it out here: https://oldsparkymi.github.io/wRevelation/ It's an Angular SPA (Single Page Application), so no server is needed, everything is done in the browser – just JavaScript. You can even build it yourself very easily. I already did the huge part. Now I have to integrate the PWA (Progressive Web Apps) stuff from Angular, so that Desktop, Web, Android and iOS versions can easily be generated. One to rule them all!

So please tell me, what do you think?

IzzySoft commented 4 years ago

Good to see you still alive and kicking :smiley:

TBH, I'm no friend of those JS "native" applications (at least it's not nodeJS) – and I definitely would not want to use a password manager inside a browser (security risk), especially not Chrome (privacy risk added). And I'd never use a password manager that connects to Google (ouch, ouch: can't you use local fonts?). Apart from that, I cannot even try it out: "Native File System API not available" :cry:

I prefer real native applications (i.e. those native to my system, like ELF binaries for Linux) – a browser is for showing web PAGES (which seem to die out), not for running applications. And for me, a password manager should not even have a chance to connect to any network: the one who knows the key should not "reach out" – and the one who syncs should not know the key.

I've no idea what dependencies those SPAs do have; would they require some browser being available? Would it want some "chrome tabs" on Android?

Guess I'd rather give your pyRevelation a try, once the native Revelation client is no longer available (Mint 20 / Ubuntu 20.04 have dropped it), but it seems you gave up on that one.

Apologies if this sounds like a rant, it's not meant that way – it's just what I think (which you asked for). Wish I could have given you a more enthusiastic response…

OldSparkyMI commented 3 years ago

Hello IzzySoft,

sorry, I was very busy and lazy at once, so I needed a while to reply to you. Thank you for your honesty, I really appreciate it! You don't have to use a browser to view those kinds of apps, at least not on your mobile phone.

> I prefer real native applications

Can you tell me the differences between the JavaScript WebKit interpreter and the Python framework? Why is Python acceptable and JavaScript not? I understand that you don't want to use Google Chrome or something else, but there are many secure browsers out there and I am pretty sure you're aware of this. In most modern browsers I recommend enabling the incognito mode so the side effects/attacks will be decreased.

> a browser is for showing web PAGES (which seem to die out), not for running applications

Back in the 90s they were there to show only webpages; now they have evolved into a well implemented, known, documented and widely used framework. I am pretty sure WebKit is one of the most used applications worldwide.

> And for me, a password manager should not even have a chance to connect to any network: the one who knows the key should not "reach out" – and the one who syncs should not know the key.

In the very near future (in the next commits), the application is ONCE downloaded to your computer – the whole application – and then it's ready to use, so you can use it offline! Yes! There is no need for an internet connection, read more here: https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps/Offline_Service_workers How do you prevent Python from accessing the internet? On Chromium/Opera/Chrome you can put the application in offline mode, so there is no chance to transmit any data (don't forget to use incognito mode to prevent plugins from running, or sandbox your browser, or ...). In my opinion: a Web-Application can safely be executed, like your Python program, but a Web-Application can be accessed from almost everywhere and from every device and is mostly already installed!

> Guess I'd rather give your pyRevelation a try, once the native Revelation client is no longer available (Mint 20 / Ubuntu 20.04 have dropped it), but it seems you gave up on that one.

Currently, right now, yes – I switched priorities.

> Apologies if this sounds like a rant, it's not meant that way – it's just what I think (which you asked for). Wish I could have given you a more enthusiastic response…

Be honest! Like I said, I really appreciate it – it's your opinion and there is still some free speech left out there ;)

P.S.: About the fonts – I will provide the fonts directly from the application, it is on my list. P.P.S.: The missing "Native File System API" means that the application can't directly write back to the file you provided via "open file", so you always have to download a new one.

IzzySoft commented 3 years ago

> sorry, I was very busy and lazy at once, so I needed a while to reply to you.

Thanks! I already was afraid I'd have offended…

> Can you tell me the differences between the JavaScript WebKit interpreter and the Python framework? Why is Python acceptable and JavaScript not? I understand that you don't want to use Google Chrome or something else, but there are many secure browsers out there and I am pretty sure you're aware of this.

I cannot really dive into the technical differences between Python and NodeJS/Angular – just that NodeJS is a nightmare to me (and apologies for putting that into the same box – I know it's not the same, but don't know where to draw the line here). And as soon as something runs in a browser, the number of security risks increases. Sure, one could also access the network from Python – but the dependencies NodeJS introduces (again, not sure about Angular) make this rather the rule than the exception.

> In most modern browsers I recommend enabling the incognito mode so the side effects/attacks will be decreased.

Well… Why increase them in the first place? :wink: Browsers of today are rather operating systems of their own. To a degree I have to trust them. But the chances of some JavaScript running in another tab getting access to my "private tab" are much higher than that they get access to something not running in the browser at all. Running stuff in a browser makes it more exposed. That risk might be acceptable for many things – but not for e.g. banking passwords.

> How do you prevent Python from accessing the internet? On Chromium/Opera/Chrome you can put the application in offline mode, so there is no chance to transmit any data (don't forget to use incognito mode to prevent plugins from running, or sandbox your browser, or ...).

Well, a separate application can be sandboxed. Apart from that, I'd trust you to be honest – so I wouldn't feel forced to take extra precautions if it runs stand-alone.

Yes, I can put my browser into offline mode – but a) that would mean my other tabs are offline, too – and b) at one point I'd have to put it online again. I then might have closed the tab with the password manager, or forget to do so – but can you tell for sure what might remain in localStorage etc? So we're back to "that other site's JavaScript". I trust your code – but not necessarily theirs :wink:

TL;DR: if it comes as a stand-alone AppImage, I'd be willing to compromise on my PC. But if you look at file sizes, in my experience that's the death of low-end devices: those JS apps usually are way bigger than their "native" counterparts. I see that with Android apps, where it's usually a factor of around 10 in size.

> Be honest! Like I said, I really appreciate it – it's your opinion and there is still some free speech left out there ;)

:smiley: Thanks!
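The concern raised above about "what might remain in localStorage" is checkable rather than a matter of trust. The following is an added example, not code from this thread or from wRevelation (whose storage behaviour is not described here): a vault session that holds decrypted entries only in memory, wipes them when the page is hidden, and an audit function that lists any storage keys that look like they hold secrets. The `MemoryStorage` class is a constructed stand-in for `window.localStorage` so the example runs under Node; the key-name patterns and the `pagehide` trigger are design assumptions.

```javascript
// Added example, not part of the thread or of wRevelation.
// Assumption: secrets never go to localStorage/sessionStorage; only
// non-sensitive UI state may. Key names matching this pattern are
// treated as suspicious by the audit below (constructed heuristic).
const SENSITIVE_KEY = /pass|secret|vault|token|key|master/i;

// Constructed stand-in for the Web Storage API (Node has no localStorage).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Decrypted entries live only in this object; there is deliberately no
// method that serialises them, so nothing can be handed to web storage.
class VaultSession {
  #entries = null;

  unlock(entries) {
    // Copy so the caller's array cannot keep the secrets alive elsewhere.
    this.#entries = new Map(entries.map(e => [e.name, { ...e }]));
  }

  isLocked() { return this.#entries === null; }

  getPassword(name) {
    if (this.isLocked()) throw new Error("vault is locked");
    const entry = this.#entries.get(name);
    return entry ? entry.password : null;
  }

  // Best-effort wipe: overwrite the fields, then drop every reference.
  // (JS strings are immutable, so this limits lifetime rather than
  // guaranteeing zeroisation; the point is that nothing persists.)
  lock() {
    if (this.isLocked()) return;
    for (const entry of this.#entries.values()) {
      entry.password = "";
      entry.username = "";
    }
    this.#entries.clear();
    this.#entries = null;
  }
}

// Returns the names of storage keys that look like they hold secrets.
// Run this against window.localStorage and window.sessionStorage after
// a session to confirm the "only in memory" promise actually holds.
function auditStorage(storage) {
  const suspicious = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (SENSITIVE_KEY.test(k)) suspicious.push(k);
  }
  return suspicious;
}

// Lock the vault as soon as the page is hidden or unloaded, so closing
// the tab (or forgetting to) does not leave decrypted data around.
function lockOnLeave(session, target) {
  target.addEventListener("pagehide", () => session.lock());
  return session;
}

// Demo with constructed data; `page` stands in for `window`.
function demo() {
  const session = new VaultSession();
  session.unlock([{ name: "bank", username: "izzy", password: "hunter2" }]);
  const store = new MemoryStorage();
  store.setItem("theme", "dark");          // harmless UI state
  store.setItem("vault-cache", "{...}");   // constructed: a leak to catch
  const page = new EventTarget();
  lockOnLeave(session, page);
  const before = session.getPassword("bank");
  page.dispatchEvent(new Event("pagehide"));
  return { before, lockedAfterHide: session.isLocked(), leaks: auditStorage(store) };
}
```

`auditStorage` is the part worth keeping around: paste it into the devtools console of any in-browser password manager with `window.localStorage` and `window.sessionStorage` as arguments and you have a concrete answer to the question in the thread instead of an assumption.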

OldSparkyMI commented 3 years ago

Hello @IzzySoft,

nice to hear from you again! Your opinion is always welcome, you are more or less my first supporter!

> And as soon as something runs in a browser, the number of security risks increases.

I won't sign that, because it mostly depends on the browser and the used library behind it. There are many lightweight and secure browsers out there which fulfil the need to browse through many of the current webpages – but not all. If you only consider the major browsers and all of their functionality I can't argue with you – you will win!

> Sure, one could also access the network from Python – but the dependencies NodeJS introduces (again, not sure about Angular) make this rather the rule than the exception.

I am not sure if Angular is better than NodeJS regarding dependency hell. I created a new Angular app, just fyi: added 1493 packages from 1217 contributors and audited 1498 packages in 21.02s I really hope that most of these dependencies are well tested. Angular has existed for four years now and many people work with it. It's very common in the industry and really widely used. If there is something strange with the code – someone will notice. If you follow the news about important JS libraries you see that this happens.

> Well… Why increase them in the first place?

? To make life easier? To support my laziness? To reduce the recurring tasks? Buying stuff with one click only works with data behind it.

> To a degree I have to trust them. But the chances of some JavaScript running in another tab getting access to my "private tab" are much higher than that they get access to something not running in the browser at all.

I am not familiar with how this is precisely implemented, but in almost all modern browsers every tab is a forked process, so inter-tab communication is almost impossible – but let's assume there is a security hole which allows you to access the memory of another browser tab. This security hole won't work on every browser (most likely), so better you find a hole for the major browsers like Chrome, FF, Edge or Safari because they are used by almost all users (Note: ignore IoT device browsers here (e.g. Smart TVs, tablets for kids, many cheap smartphones (e.g. for kids)) because nobody does internet banking over them – hopefully ^^). If you find a hole in the major browsers then you are one of the smartest guys on earth – you should get a medal and you earn every penny you steal – but this is very unlikely, and the effort to do it for less developed and less used browsers makes no sense in my opinion. So the easiest way is to hijack a JS library / plugin or fake a website or or or, but finding an exploitable bug in one of the current major browsers isn't a simple job. I don't see this as a security risk – use e.g. only one tab or a Progressive Web Application (PWA). If I would like to steal data I would use the Spectre attack or something like this. Private computers are too different, so the effort is really high; I would try to hijack the cloud to access data, but that's another story.

> Yes, I can put my browser into offline mode – but a) that would mean my other tabs are offline, too – and b) at one point I'd have to put it online again.

a) no – of course not! Every tab is one process and the rules in the console only apply to the connected tab. b) why should you do this? Download the application once, put the tab in offline mode, it works – I promise. But better use the PWA installation, then you have a dedicated sandbox. Open https://oldsparkymi.github.io/wRevelation/ and click on "install" or "add to home screen" and try it out.

> I then might have closed the tab with the password manager, or forget to do so – but can you tell for sure what might remain in localStorage etc? So we're back to "that other site's JavaScript". I trust your code – but not necessarily theirs :wink: ... But if you look at file sizes, in my experience that's the death of low-end devices: those JS apps usually are way bigger than their "native" counterparts. I see that with Android apps, where it's usually a factor of around 10 in size.

Can't argue here, you are right! But you need a security hole to access the localStorage from another tab ...

I have to go now, have a nice day and thank you very much for your opinion.