#decrypted — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #decrypted, aggregated by home.social.
-
id like to share some details about how my app works so you can discover/give me feedback on my app. id like to have wording in my app to say something like "most secure chat app in the world"... i probably cant do that because it doesnt qualify.
https://github.com/positive-intentions/chat
https://positive-intentions.com/blog/introducing-decentralized-chat
im not an expert on #cyberSecurity. im sure there are many gaps in my knowlege in this domain.
using #javascript, i initially created a fairly basic #chatApp using using #peerjs to create #encrypted #webrtc #connections. this was then easily enhanced by exchanging additional #encryption #keys from #cryptography functions built into browsers (#webcrypto api) to add a redundent layer of encryption. a #diffieHelman key #exchange is done over #webrtc (which can be considered #secure when exchanged over public channels) to create #serverless #p2p #authentication.
- i sometimes recieve feedback like "javascript is inherently insecure". i disagree with this and have #openedSource my #cryptography module. its basically a thin wrapper around vanilla cryptography functions of a #browser (webcrypto api).
- another concern for my kind of app (#PWA) is that the developer may introduce malicious code. this is an important point for which i open sourced the project and give instructions for #selfhosting. selhosting this app has some unique features. unlike many other #selfhosted #projects, this app can be hosted on #githubPages (instructions are provided in the readme). im also working towards having better support for running the index.html directly without a static server.
- to prevent things like browser extensions, the app uses strict #CSP headers to prevent #unauthorised code from running. #selfhosting users should take note of this when setting up their own instance.
- i received feedback the #Signal/#Simplex protocol is great. completely undertsandable and agree, but wonder if im reducing the #complexity by working with #webrtc. while it has its many flaws, i think risks can be reasonable mitigated if the #cryptography functions are implemented correctly. (all data out is #encrypted and all data in is #decrypted on-the-fly)
- the key detail that makes this approach unique, is because as a #webapp, unlike other solutions, users have a choice of using any #device/#os/#browser. while a webapp can have nuanced #vulnerabilities, i think by #openSourcing and providing instructions for #selfhosting and instructions to #build for various #platforms, it can provide a reasonable level of #security.
i think if i stick to the principle of avoiding using any kind of "required" service provider (myself included) and allowing the #frontend and the peerjs-server to be #hosted #independently, im on track for creating a #chatSystem with the "fewest moving parts". i hope you will agree this is true #p2p and i hope i can use this as a step towards true #privacy and #security. #security might be further improved by using a trusted #VPN.
while there are several similar apps out there like mine. i think mine is distinctly a different approach. so its hard to find #bestPractices for the functionalities i want to achieve. in particular #security practices to use when using #p2p technology.
(note: this app is an #unstable, #experiment, #proofOfConcept and not ready to replace any other app or service. It's far from finished and provided for #testing and #demo purposes only. This post is to get #feedback on the progress to determine if i'm going in the right direction for a secure chat app)
-
Woke up to some interesting news today. It would appear that the #HiveRansomware Gang has been taken down. https://www.scmagazine.com/analysis/ransomware/notice-on-hive-ransomware-site-claims-seizure-by-fbi-europol?external_id=HBwZ-n4B490LDY0Z-dKj&external_id_source=mrkto&mkt_tok=MTg4LVVOWi02NjAAAAGJjgDjxI7Quxnvn1dDKVtkFHU7zdk93j0TL7ocD2SwuAAcr1k2YbWxSGv7tfEHn6GOvCcebcAwc3X5co3AlFFNixo9Hty9BWX4VsvTCEiG_Q
I checked around some #DarkWeb forums, and it would appear this actually happened in a joint, international effort. The #USDOJ claims to have "hacked the hackers", took down their #TOR site, and have apparently #decrypted 1500 companies. If it sticks, this is a big win for the #GoodGuys. Bye bye #Hive!
-
Decrypted: How bad was the US Capitol breach for cybersecurity? - It’s the image that’s been seen around the world. One of hundreds of pro-Trump supporters in the pri... - http://feedproxy.google.com/~r/Techcrunch/~3/FbSe1Yp562A/ #nationalsecurity #datasecurity #government #solarwinds #decrypted #security #fireeye #policy