GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE
  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    Rich Felker (dalias@hachyderm.io)'s status on Sunday, 16-Feb-2025 22:05:51 JST Rich Felker Rich Felker

    New HTML element I just imagined: pubkey encrypted, noscript, canvas read blocking block element whose contents are shown to the user after decryption with a private key held by the browser.

    Replay attacks and other stuff like that aside, I think this would enable having at least e2ee messaging in arbitrary sites' DM systems, *without* having to trust that the site isn't going to swap in malicious site js to steal your keys or the decrypted data.

    In conversation about 3 months ago from hachyderm.io permalink
    • Embed this notice
      Wanja (muvlon@hachyderm.io)'s status on Sunday, 16-Feb-2025 22:28:27 JST Wanja Wanja
      in reply to

      @dalias Hmmm, how would you do key exchange in a way that the website can't mess with?

      In conversation about 3 months ago permalink
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Sunday, 16-Feb-2025 22:51:57 JST Rich Felker Rich Felker
      in reply to
      • Wanja

      @muvlon Having the pubkey shown publicly in your profile where it could be verified out-of-band if desired and any tampering would be detectable.

      In conversation about 3 months ago permalink
      Haelwenn /элвэн/ :triskell: likes this.
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Sunday, 16-Feb-2025 22:52:39 JST Rich Felker Rich Felker
      in reply to
      • webhat

      @webhat LMAO 🤡

      In conversation about 3 months ago permalink
    • Embed this notice
      webhat (webhat@infosec.exchange)'s status on Sunday, 16-Feb-2025 22:52:40 JST webhat webhat
      in reply to

      @dalias someone shared an ephemeral ee2e messaging system in JS. They were very proud of it

      I questioned the security, as it was hosted by CloudFlare and CloudFlare inserts arbitrary JS. I asked them about that, as it doesn't matter how secure the protocol is if the end is compromised. They stopped responding

      In conversation about 3 months ago permalink
      Haelwenn /элвэн/ :triskell: likes this.
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Sunday, 16-Feb-2025 22:54:12 JST Rich Felker Rich Felker
      in reply to
      • Wanja

      @muvlon There'd also need to be an equivalent something (maybe js is allowed but no network access or communication with anything outside the encrypted block element?) on the sending side where the browser UI makes it clear that you're typing in a secure context and what key(s) it's going to be encrypted to.

      In conversation about 3 months ago permalink
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 18-Feb-2025 05:36:45 JST Rich Felker Rich Felker
      in reply to
      • webhat

      @webhat Like WTF, why is anyone using CF anyway unless they have extreme anti-DDoS needs?

      (And even then you should be using one of the non-nazi alternatives to CF.)

      In conversation about 3 months ago permalink
    • Embed this notice
      webhat (webhat@infosec.exchange)'s status on Tuesday, 18-Feb-2025 05:36:46 JST webhat webhat
      in reply to

      @dalias found another one, a secure note keeping app, with e2e. Their privacy page says they have no external tracking. I'm sure the site believes it does. CloudFlare, however, is injecting all kinds of things.

      In conversation about 3 months ago permalink
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 18-Feb-2025 06:05:39 JST Rich Felker Rich Felker
      in reply to
      • webhat
      • LisPi

      @lispi314 @webhat Not extensions either. They're just JS shipped by Mozilla or Google instead of by some other site. But unless you have a seriously defanged browser, Mozilla or Google basically has push access to replace the code in any extension.

      In conversation about 3 months ago permalink
    • Embed this notice
      LisPi (lispi314@udongein.xyz)'s status on Tuesday, 18-Feb-2025 06:05:40 JST LisPi LisPi
      in reply to
      • webhat
      @webhat @dalias > They stopped responding

      I don't get why they do that.

      The only plausibly secure Javascript examples I know of would be /extensions/ to the browsers, rather than anything ever received from a site.
      In conversation about 3 months ago permalink
    • Embed this notice
      Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 18-Feb-2025 06:12:31 JST Rich Felker Rich Felker
      in reply to
      • webhat
      • LisPi

      @lispi314 @webhat Well *even if you're using a fork of the browser*, often they still pull updates from the original centralized extensions repo...

      In conversation about 3 months ago permalink
    • Embed this notice
      LisPi (lispi314@udongein.xyz)'s status on Tuesday, 18-Feb-2025 06:12:32 JST LisPi LisPi
      in reply to
      • webhat
      @dalias @webhat > But unless you have a seriously defanged browser, Mozilla or Google basically has push access to replace the code in any extension.

      That is indeed another problem. Though at that point it's not "extensions are insecure" it's "the browser itself is insecure", unless specifically fixed as you allude to.
      In conversation about 3 months ago permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.