Yes!! Actually, I'll use socket.io.

2014-05-23 2:42 GMT+03:00 Tim Prepscius <[email protected]>:

> Can you describe what you mean by:
>
> the attacker will still not have the private key since all
> cryptography happens in the nodejs of the user.
>
> It seems as though you are saying that there will be a web server
> running client side, from which the web app will make ajax calls to.
> Is this what you mean?
>
> On 5/22/14, Apostolis Xekoukoulotakis <[email protected]> wrote:
> > Thanks Felix. Your advice is sound. I am going to look at your
> > references.
> >
> > So my app is indeed packaged but I don't use node-webkit. In my case, if
> > the client is compromised in the browser, the attacker will still not
> > have the private key since all cryptography happens in the nodejs of the
> > user.
> >
> > But he would be able to ask the server to sign arbitrary documents, which
> > is still really bad.
> > On May 22, 2014 11:33 AM, "Felix Hammerl" <[email protected]> wrote:
> >
> >> Hi,
> >>
> >> you have to trust the server in a host-based security setting. If you
> >> want to mitigate that, have you considered packaged (not hosted!) apps?
> >> Check out Chrome Apps, Firefox Apps, node-webkit, atom-shell, ...
> >> It all boils down to what your threat model is. Also, you probably don't
> >> want to roll your own authentication mechanism. You also might want to
> >> avoid doing funky stuff with removing the script sources and loading
> >> them from arbitrary locations...
> >> Recommended read for js security and threat models (be sure to check out
> >> the discussion, too!):
> >> http://tankredhase.com/2014/04/13/heartbleed-and-javascript-crypto/
> >>
> >>
> >> Cheers
> >> Felix
> >>
> >>
> >> On Wed, May 21, 2014 at 7:57 PM, Apostolis Xekoukoulotakis <
> >> [email protected]> wrote:
> >>
> >>> Hello everyone. I am thinking of using openpgp as an authentication
> >>> mechanism for my site and more. Send a random number to the client,
> >>> the sessionId, which he then has to sign and send back.
> >>>
> >>> I was also worried that if someone could attack my server, he could
> >>> send arbitrary js code to the client and thus all clients would be
> >>> compromised.
> >>> So I decided to create a nodejs app that users would have to install
> >>> locally that would provide them those js scripts.
> >>>
> >>> They would only have to contact the server for content. So now I am
> >>> worried about someone injecting js code into the content.
> >>> If I wrote a parser that removed script tags, I suppose this would be
> >>> secure, right?
> >>>
> >>> The app's goal is to let users issue new currencies, that is why
> >>> security is very important.
> >>>
> >>> _______________________________________________
> >>>
> >>> http://openpgpjs.org
> >>> Subscribe/unsubscribe: http://list.openpgpjs.org
> >>>



-- 


Sincerely yours,

     Apostolis Xekoukoulotakis
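
The design discussed in this thread (the site sends a random value, the user's local Node.js process signs it) leaves the risk named above: a compromised page asking the local signer to sign arbitrary data. The following is an added sketch, not code from the thread or from OpenPGP.js, of a signer that only signs fixed-format login challenges. Ed25519 from Node's `crypto` stands in for the OpenPGP key, and the context label, origin and function names are assumptions.

```javascript
// Added example. Ed25519 replaces the OpenPGP key; all names are hypothetical.
const crypto = require('node:crypto');

const CONTEXT = 'example-app/login/v1'; // assumed domain-separation label
const NONCE_RE = /^[0-9a-f]{64}$/;      // server nonces: 32 random bytes, hex

// Canonical bytes that get signed: context label, site origin, nonce.
function loginMessage(origin, nonce) {
  return Buffer.from(JSON.stringify([CONTEXT, origin, nonce]), 'utf8');
}

// Site server: issue a fresh, single-use challenge.
function newChallenge(pending) {
  const nonce = crypto.randomBytes(32).toString('hex');
  pending.add(nonce);
  return nonce;
}

// Local signer (the user's Node.js process). The page may only submit
// {origin, nonce}; it never supplies the bytes to be signed.
function signLogin(privateKey, allowedOrigin, req) {
  if (req.origin !== allowedOrigin) throw new Error('unexpected origin');
  if (typeof req.nonce !== 'string' || !NONCE_RE.test(req.nonce)) {
    throw new Error('malformed nonce');
  }
  return crypto.sign(null, loginMessage(req.origin, req.nonce), privateKey);
}

// Site server: accept only a nonce it issued, and only once.
function verifyLogin(publicKey, origin, pending, nonce, signature) {
  if (!pending.delete(nonce)) return false; // unknown or replayed nonce
  return crypto.verify(null, loginMessage(origin, nonce), publicKey, signature);
}

// Constructed demo: one valid login, one replay, one arbitrary-text request.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const origin = 'https://site.example';
  const pending = new Set();
  const nonce = newChallenge(pending);
  const sig = signLogin(privateKey, origin, { origin, nonce });
  const first = verifyLogin(publicKey, origin, pending, nonce, sig);
  const replay = verifyLogin(publicKey, origin, pending, nonce, sig);
  let refused = false;
  try {
    signLogin(privateKey, origin, { origin, nonce: 'pay 100 coins to someone' });
  } catch (e) { refused = true; }
  return { first, replay, refused };
}
```

Because the signed bytes always carry the login context label, a signature obtained through this path cannot be presented as a signature over a document or a transaction.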