ethersheet-collective / EtherSheet

Online spreadsheet collaboration in real time using node.js. Similar to etherpad-lite but it's a spreadsheet!
https://ethersheet.org
BSD 2-Clause "Simplified" License

Look into possibility of using crypton.io for encryption #14

Open cooperq opened 10 years ago

JohnMcLear commented 9 years ago

I work w/ the S/O team on their phonegap app. I will bump my contacts there about the potential of using crypton.io, but just from their own Docs page https://crypton.io/docs/:

"There is a problem with doing cryptography in a web browser, where an end user cannot (or will not) verify the entirety of code sent to them upon loading a page - a service operator can therefore inject malicious code into a previously verified page. Because of this, we can only recommend Crypton for use in packaged applications, such as with Cordova or node-webkit. For more information, see our security model."

So it doesn't look like this really solves your problem.

Also, if you are passing encrypted data, you WILL need to decrypt it to perform the OTs. So your best bet is SSL between client -> server, then salting/hashing data stored in the database. Imho if someone can access your database you have already been hugely compromised.

Step #1 should be an easy ability for people to enable SSL on deployments.

devgeeks commented 9 years ago

+1 to what @JohnMcLear says above.

Also, Crypton is really for implementing apps using it as the primary backend, not for attaching to an existing app. If you really do want to go ahead with in-browser encryption despite its flaws (but to send to your own backend), I would suggest something like https://github.com/dchest/tweetnacl-js

cooperq commented 9 years ago

I am aware of the issues with in-browser encryption. And while there are some security wins by using a browser extension, for example, I still think that having some level of security (i.e. browser encryption) is better than none at all. My ideal way that this would work is for each client to get an encrypted blob, decrypt it in the browser, send encrypted change packets to each other and do the OT on the client side.

There probably needs to be some POC work done in client-encrypted collaborative editing systems, because AFAIK there are none out there right now. It might be best to start with something simpler than ethersheet.
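
The design described in the last comment, as an added example that is not part of the thread or of EtherSheet's code: the server relays and orders ciphertext it cannot read, and each client decrypts and merges locally. It uses Node's built-in `crypto` with AES-256-GCM; all names, the pre-shared key and the last-write-wins merge (standing in for a real OT transform) are assumptions.

```javascript
// Added example, not EtherSheet code. All names here are hypothetical.
const crypto = require('crypto');

// Encrypt one change packet with AES-256-GCM, binding it to its sheet id.
function seal(key, sheetId, change) {
  const iv = crypto.randomBytes(12); // fresh nonce per packet
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(sheetId));
  const ct = Buffer.concat([c.update(JSON.stringify(change), 'utf8'), c.final()]);
  return { iv: iv.toString('base64'), ct: ct.toString('base64'),
           tag: c.getAuthTag().toString('base64') };
}

// Decrypt and authenticate; throws if the packet was altered or belongs to another sheet.
function unseal(key, sheetId, packet) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(packet.iv, 'base64'));
  d.setAAD(Buffer.from(sheetId));
  d.setAuthTag(Buffer.from(packet.tag, 'base64'));
  const pt = Buffer.concat([d.update(Buffer.from(packet.ct, 'base64')), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// The server only orders and stores opaque packets; it never holds the key.
class Relay {
  constructor() { this.log = []; }
  submit(packet) { this.log.push(packet); }
}

// Each client decrypts the log and merges locally. Merge rule (assumption):
// last write in relay order wins per cell, a stand-in for a real OT transform.
class Client {
  constructor(key, sheetId) { Object.assign(this, { key, sheetId, cells: {}, seen: 0 }); }
  edit(relay, cell, value) { relay.submit(seal(this.key, this.sheetId, { cell, value })); }
  sync(relay) {
    for (; this.seen < relay.log.length; this.seen++) {
      const { cell, value } = unseal(this.key, this.sheetId, relay.log[this.seen]);
      this.cells[cell] = value;
    }
    return this.cells;
  }
}

// Constructed scenario: two clients share a key (key distribution is out of scope).
function demo() {
  const key = crypto.randomBytes(32), relay = new Relay();
  const a = new Client(key, 'sheet-1'), b = new Client(key, 'sheet-1');
  a.edit(relay, 'A1', '10'); b.edit(relay, 'A1', '20'); a.edit(relay, 'B2', 'x');
  return { key, relay, a: a.sync(relay), b: b.sync(relay) };
}
```

Because the relay holds no key, a database or server compromise exposes only ciphertext and packet ordering; the in-browser code-delivery problem quoted from the Crypton docs still applies to however the client code is served.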