And I assume that you are going to run this on 127.0.0.1, and not
bound to the 192 or the wan address.

-tim

On 5/22/14, Apostolis Xekoukoulotakis <[email protected]> wrote:
> Yes!! actually I'll use socket.io.
>
>
> 2014-05-23 2:42 GMT+03:00 Tim Prepscius <[email protected]>:
>
>> Can you describe what you mean by:
>>
>> the attacker will still not have the private key since all
>> cryptography happens in the nodejs of the user.
>>
>> It seems as though you are saying that there will be a web server
>> running client side, from which the web app will make ajax calls to.
>> Is this what you mean?
>>
>> On 5/22/14, Apostolis Xekoukoulotakis <[email protected]> wrote:
>> > Thanks Felix. Your advice is sound. I am going to look at your
>> > references.
>> >
>> > So my app is indeed packaged but I don't use node-webkit. In my case, if
>> > the client is compromised in the browser, the attacker will still not have
>> > the private key since all cryptography happens in the nodejs of the user.
>> >
>> > But he would be able to ask the server to sign arbitrary documents which is
>> > still really bad.
>> > On May 22, 2014 11:33 AM, "Felix Hammerl" <[email protected]> wrote:
>> >
>> >> Hi,
>> >>
>> >> you have to trust the server in a host-based security setting. If you want
>> >> to mitigate that, have you considered packaged (not hosted!) apps? Check
>> >> out Chrome Apps, Firefox Apps, node-webkit, atom-shell, ...
>> >> It all boils down to what your threat model is. Also, you probably don't
>> >> want to roll your own authentication mechanism. You also might want to
>> >> avoid doing funky stuff with removing the script sources and loading them
>> >> from arbitrary locations...
>> >> Recommended read for js security and threat models (be sure to check out
>> >> the discussion, too!):
>> >> http://tankredhase.com/2014/04/13/heartbleed-and-javascript-crypto/
>> >>
>> >>
>> >> Cheers
>> >> Felix
>> >>
>> >>
>> >> On Wed, May 21, 2014 at 7:57 PM, Apostolis Xekoukoulotakis <
>> >> [email protected]> wrote:
>> >>
>> >>> Hello everyone. I am thinking of using openpgp as an authentication
>> >>> mechanism for my site and more. Send a random number to the client, the
>> >>> sessionId, which he then has to sign and send back.
>> >>>
>> >>> I was also worried that if someone could attack my server, he could send
>> >>> arbitrary js code to the client and thus all clients would be
>> >>> compromised.
>> >>> So I decided to create a nodejs app that users would have to install
>> >>> locally that would provide them those js scripts.
>> >>>
>> >>> They would only have to contact the server for content. So now I am
>> >>> worried about someone injecting js code into the content.
>> >>> If I wrote a parser that removed script tags, I suppose this would be
>> >>> secure, right?
>> >>>
>> >>> The app's goal is to let users issue new currencies, that is why
>> >>> security is very important.
>> >>>
>> >>> _______________________________________________
>> >>>
>> >>> http://openpgpjs.org
>> >>> Subscribe/unsubscribe: http://list.openpgpjs.org
>> >>>
>> >>
>> >>
>> >
>
>
>
> --
>
>
> Sincerely yours,
>
>      Apostolis Xekoukoulotakis
>
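
Added example, not part of the thread and not any poster's code: a sketch of the local signer discussed above, bound to 127.0.0.1 and signing only values shaped like the session challenge, so a compromised page cannot obtain signatures over arbitrary documents. It assumes plain HTTP rather than socket.io and Node's built-in Ed25519 in place of an OpenPGP key; the port, origin, prefix and function names are hypothetical.

```javascript
const crypto = require('node:crypto');
const http = require('node:http');

// Assumed values for this sketch (none of them come from the thread).
const PORT = 8477;
const ALLOWED_ORIGIN = `http://127.0.0.1:${PORT}`; // origin of the locally served UI
const PREFIX = 'auth-challenge-v1:';               // domain-separation tag

// Sign only values shaped like a session challenge (64 hex chars), never
// free-form input, and prefix them so the result cannot pass as a document signature.
function signChallenge(challenge, privateKey) {
  if (typeof challenge !== 'string' || !/^[0-9a-f]{64}$/.test(challenge)) {
    throw new Error('not a session challenge');
  }
  return crypto.sign(null, Buffer.from(PREFIX + challenge), privateKey).toString('base64');
}

// Remote site's check: verifies over the same prefixed bytes.
function verifyChallenge(challenge, signatureB64, publicKey) {
  const sig = Buffer.from(signatureB64, 'base64');
  return crypto.verify(null, Buffer.from(PREFIX + challenge), publicKey, sig);
}

// Accept only loopback peers whose Origin header is the local UI.
function isAllowed(remoteAddress, origin) {
  const loopback = ['127.0.0.1', '::1', '::ffff:127.0.0.1'].includes(remoteAddress);
  return loopback && origin === ALLOWED_ORIGIN;
}

function createSigner(privateKey) {
  return http.createServer((req, res) => {
    if (req.method !== 'POST' || !isAllowed(req.socket.remoteAddress, req.headers.origin)) {
      res.writeHead(403);
      return res.end();
    }
    const challenge = new URL(req.url, ALLOWED_ORIGIN).searchParams.get('challenge');
    try {
      res.end(signChallenge(challenge, privateKey));
    } catch (err) {
      res.writeHead(400);
      res.end();
    }
  });
}

// Start with an explicit loopback host; listen(PORT) alone binds every interface:
//   createSigner(privateKey).listen(PORT, '127.0.0.1');
```
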