Thanks Felix. Your advice is sound. I am going to look at your references.

So my app is indeed packaged but I don't use node-webkit. In my case, if
the client is compromised in the browser, the attacker will still not have
the private key since all cryptography happens in the nodejs of the user.

But he would be able to ask the server to sign arbitrary documents which is
still really bad.
On May 22, 2014 11:33 AM, "Felix Hammerl" <[email protected]> wrote:

> Hi,
>
> you have to trust the server in a host-based security setting. If you want
> to mitigate that, have you considered packaged (not hosted!) apps? Check
> out Chrome Apps, Firefox Apps, node-webkit, atom-shell, ...
> It all boils down to what your threat model is. Also, you probably don't
> want to roll your own authentication mechanism. You also might want to
> avoid doing funky stuff with removing the script sources and loading them
> from arbitrary locations...
> Recommended read for js security and threat models (be sure to check out
> the discussion, too!):
> http://tankredhase.com/2014/04/13/heartbleed-and-javascript-crypto/
>
>
> Cheers
> Felix
>
>
> On Wed, May 21, 2014 at 7:57 PM, Apostolis Xekoukoulotakis <
> [email protected]> wrote:
>
>> Hello everyone. I am thinking of using openpgp as an authentication
>> mechanism for my site and more. Send a random number to the client, the
>> sessionId, which he then has to sign and send back.
>>
>> I was also worried that if someone could attack my server, he could send
>> arbitrary js code to the client and thus all clients would be compromised.
>> So I decided to create a nodejs app that users would have to install
>> locally that would provide them those js scripts.
>>
>> They would only have to contact the server for content. So now I am
>> worried about someone injecting js code into the content.
>> If I wrote a parser that removed script tags, I suppose this would be
>> secure, right?
>>
>> The app's goal is to let users issue new currencies, that is why
>> security is very important.
>>
>> _______________________________________________
>>
>> http://openpgpjs.org
>> Subscribe/unsubscribe: http://list.openpgpjs.org
>>
>
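The challenge-response login described in the first message of the thread (the server sends a random value, the client signs it and sends it back), as an added example that is not part of the original e-mails or of OpenPGP.js. It uses Node's built-in Ed25519 signatures in place of OpenPGP, and the names Server, clientSign, signedMessage, CONTEXT and TTL_MS are hypothetical; it shows a single-use, time-limited nonce and a signature that covers a fixed login label, so the client only ever signs well-formed challenges.

```javascript
// Added example: challenge-response login with a signed, single-use nonce.
const crypto = require('crypto');

const CONTEXT = 'example-site login v1\n'; // assumed domain-separation label
const TTL_MS = 60000;                      // assumed challenge lifetime

// Bytes that actually get signed: a fixed label plus the nonce, so a login
// signature can never double as a signature over some other document.
function signedMessage(nonceHex) {
  return Buffer.from(CONTEXT + nonceHex, 'utf8');
}

class Server {
  constructor() {
    this.users = new Map();   // userId -> public key
    this.pending = new Map(); // nonceHex -> { userId, expires }
  }
  register(userId, publicKey) { this.users.set(userId, publicKey); }

  issueChallenge(userId, now = Date.now()) {
    const nonceHex = crypto.randomBytes(32).toString('hex');
    this.pending.set(nonceHex, { userId, expires: now + TTL_MS });
    return nonceHex;
  }

  verifyResponse(userId, nonceHex, signature, now = Date.now()) {
    const entry = this.pending.get(nonceHex);
    this.pending.delete(nonceHex); // single use, even when verification fails
    if (!entry || entry.userId !== userId || now > entry.expires) return false;
    const publicKey = this.users.get(userId);
    return !!publicKey &&
      crypto.verify(null, signedMessage(nonceHex), publicKey, signature);
  }
}

// Client side (the locally installed app): accepts only a 32-byte hex nonce,
// so it cannot be asked to sign arbitrary server-chosen content.
function clientSign(privateKey, nonceHex) {
  if (!/^[0-9a-f]{64}$/.test(nonceHex)) throw new Error('malformed challenge');
  return crypto.sign(null, signedMessage(nonceHex), privateKey);
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const server = new Server();
  server.register('alice', publicKey);
  const nonce = server.issueChallenge('alice');
  const sig = clientSign(privateKey, nonce);
  const first = server.verifyResponse('alice', nonce, sig);  // fresh challenge
  const replay = server.verifyResponse('alice', nonce, sig); // same nonce again
  return { first, replay };
}
```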