moose-team / friends

:tv: P2P chat powered by the web.
http://moose-team.github.io/friends/
MIT License

miniLock for Privacy & Auth? (Open, Secure, Audited, High-Level) #145

Open ghost opened 8 years ago

ghost commented 8 years ago

Hi folks,

This app looks amazing, I only discovered it today. :)

However, the deal-breaker for me is the absence of privacy. This could be fixed easily enough, especially considering you're based on JS: Just use miniLock!

miniLock is a high-level, well-abstracted encryption system designed for messaging and file encryption. The standard implementation is written entirely in JS already. It uses deterministic key generation using email addresses as unique but nonprivate salts and a passphrase that's validated for security using zxcvbn.

The cryptosystem created for miniLock uses NaCl (Networking and Cryptography Library) primitives, but constructs them in such a way that:

Using this for encryption of both messages and files would provide authentication, privacy, and could help obscure the identities of people in a conversation. Detaching the file header for larger files or posts opens the possibility of storing immutable large files on a DHT and sending only updated headers to include new messaging participants. Storing local mappings of friends to keys is trivial because of the key size and simplicity. Sender, recipient and message integrity authentication gets baked in without needing signature schemes or MACs.

I feel that privacy is the huge missing piece in Friends, and would love to see it happen. miniLock is JS, Free/Libre, and lots of people may already have miniLock IDs they can port directly to Friends if able.

max-mapper commented 8 years ago

@cathalgarvey +1, only downside is that miniLock doesn't have a well maintained library version. All the code is buried in the original Google Chrome app codebase in a relatively difficult to use format. However, this version might end up being usable: https://github.com/mjethani/miniLock-cli/issues/1

ghost commented 8 years ago

I also wrote a Go implementation which can be transpiled to a JS library with gopherjs. I have been meaning to implement a nice streaming API but the existing one ought to be sufficient if loading contents into RAM is acceptable.

My implementation is missing passphrase entropy estimation however, which is a critical part of ensuring security of deterministic keys (because guessing your key is easy for an attacker, mitigated only by scrypt and entropy estimation). I'd love to add this feature, but possibly a shim and some gopherjs bindings to the zxcvbn library would see this feature enabled in JS if not in Golang.

On 2 November 2015 10:33:17 GMT-08:00, maxogden notifications@github.com wrote:

> @cathalgarvey +1, only downside is that MiniLock doesn't have a well maintained library version. All the code is buried in the original google chrome app codebase in a relatively difficult to use format. However, this version might end up being usable: https://github.com/mjethani/miniLock-cli/issues/1


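The deterministic key derivation discussed in this thread (email address as a public salt, passphrase stretched with scrypt, entropy check before derivation), as an added example that is not part of any comment here and is not miniLock's or Friends' own code. The BLAKE2s pre-hash, the scrypt parameters, the `estimateBits` callback and the `minBits` threshold are assumptions; the miniLock ID encoding is left out.

```javascript
const crypto = require('node:crypto');

// Assumed parameters (not stated in the thread): BLAKE2s pre-hash of the
// passphrase, then scrypt with N = 2^17, r = 8, p = 1 and a 32-byte output.
const DEFAULT_LOG_N = 17;
// PKCS#8 DER header for a raw 32-byte X25519 private key (RFC 8410).
const X25519_PKCS8_PREFIX = Buffer.from('302e020100300506032b656e04220420', 'hex');

// Derive a Curve25519 key pair from (email, passphrase). The email is a
// public salt: all secrecy comes from the passphrase and the scrypt cost.
// estimateBits is a hypothetical callback (for example a wrapper around
// zxcvbn) returning an entropy estimate in bits; minBits is an assumed policy.
function deriveKeyPair(email, passphrase, opts = {}) {
  const { logN = DEFAULT_LOG_N, estimateBits = null, minBits = 100 } = opts;
  if (!email || !passphrase) throw new Error('email and passphrase are required');
  // Refuse weak passphrases before any key exists: with a public salt,
  // anyone can run this same function over a list of guesses.
  if (estimateBits && estimateBits(passphrase) < minBits) {
    throw new Error('passphrase rejected: estimated entropy below policy');
  }
  const prehash = crypto.createHash('blake2s256').update(passphrase, 'utf8').digest();
  const N = 2 ** logN;
  const secretKey = crypto.scryptSync(prehash, Buffer.from(email, 'utf8'), 32, {
    N, r: 8, p: 1, maxmem: 256 * N * 8, // scrypt needs about 128 * N * r bytes
  });
  // Let the platform's X25519 implementation compute the public key.
  const priv = crypto.createPrivateKey({
    key: Buffer.concat([X25519_PKCS8_PREFIX, secretKey]), format: 'der', type: 'pkcs8',
  });
  const spki = crypto.createPublicKey(priv).export({ type: 'spki', format: 'der' });
  // The raw public key is the last 32 bytes of the SPKI structure.
  return { secretKey, publicKey: spki.subarray(spki.length - 32) };
}

// Constructed sample inputs; cost reduced to 2^14 so the demo finishes quickly.
const demo = deriveKeyPair('alice@example.com',
  'constructed sample passphrase, not a real one', { logN: 14 });
console.log('public key:', demo.publicKey.toString('hex'));
```

The same email and passphrase give the same key pair on any device, which is why nothing needs to be stored, and also why the entropy gate and the scrypt cost are the only things standing between a guessed passphrase and the private key.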