On Sunday, November 9, 2014 7:08:03 PM UTC+1, Ed Dixon wrote:
>
> Of course any encryption mechanism can be cracked given enough time
>

That's a major topic for every encryption method. Encryption is used to 
protect valuable content.
As long as the cost (work + resources + time) to break the encryption is 
much, much higher than the cost to get the information over a different 
channel, we can say the encryption works. 

As soon as "a different channel" is much cheaper, it doesn't make sense to 
hack the encryption. 

So imo at the moment the best way to break TW's encryption is to attack the 
workflow. 
E.g. the Node.js version uses plain-text passwords on the command line. 
So everyone who has access to your computer just needs to type

history | grep tiddlywiki

to get what's needed. You may say: "Me not using unix". I may say: "That 
doesn't matter". Windows forgets the session history... but since that's 
super boring, there is a good chance that some additional software is 
installed on a power user's PC that persists command line session 
histories... So it's an easy task to search for those profiles... there 
is a good chance they are not protected very well...

and so on, and so on.
 

> but, are there any known means to defeat our encryption as is
>

TW uses the Stanford Javascript Crypto Library. 
That's what they say: http://bitwiseshiftleft.github.io/sjcl/

Quote: 

> (Unfortunately, this is not as great as in desktop applications because it 
> is not feasible to completely protect against code injection, malicious 
> servers and side-channel attacks.)
>

The important part here is "code injection". ... IMO TiddlyWiki has a big 
attack vector here, with TW plugins. 
Plugins can be easily installed using drag and drop. 
So if I wanted to attack your TW, I'd create a useful plugin that 
contains some additional functions + a little trojan that is very well 
hidden. 
 

> or with the added functionality to encrypt individual tiddlers as provided 
> by Danielo's plugin? What I am working towards relies on this functionality 
> to be rock solid?
>

So imo "rock solid" at the moment is defined by your "code review" workflow 
and by your users' workflow. 
If the users aren't aware of the rock solid workflow, it's cheaper and 
safer not to use encryption at all :)
Since encryption may give your users the feeling of security. But there is 
no security if they are sloppy. 

have fun!
mario
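Added example, not part of the thread above and not TiddlyWiki's CLI: a small bash script that shows the leak mario describes (a password typed as a command-line argument is recorded verbatim in the shell history) next to the habit that avoids it (keeping the secret in an owner-only file and handing it to the tool through the environment, so the history line only carries the file path). The tool name `fake_tool`, the `TOOL_PASSWORD` variable, the file names and the sample password are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Added demo script (constructed; not TiddlyWiki's CLI or any real tool).
# Shows the leak the post describes: a secret on argv is recorded verbatim
# by the shell, while a secret read from an owner-only file is not.
set -eu

# Stand-in for a CLI that accepts a password on argv or via an environment
# variable (hypothetical command; never prints the secret itself).
fake_tool() {
    if [ "${TOOL_PASSWORD:-}" != "" ]; then
        echo "tool: using password from environment"
    else
        echo "tool: using password from argv"
    fi
}

# Simulate an interactive shell appending the typed line to its history file.
record_history() {
    local histfile=$1; shift
    printf '%s\n' "$*" >> "$histfile"
}

# Audit helper: count history lines containing the secret. grep -c prints 0
# and exits 1 when nothing matches, so the non-zero status is suppressed.
leaked_lines() {
    grep -cF -- "$2" "$1" || true
}

# Safer habit: keep the secret in a file with mode 0600 and pass it to the
# tool through the environment. The typed line only ever contains the path.
run_with_secret_file() {
    local secretfile=$1 secret
    secret=$(cat "$secretfile")
    TOOL_PASSWORD="$secret" fake_tool
}

# Walk through both habits and echo how many history lines leak the secret.
demo() {
    local dir hist secret
    dir=$(mktemp -d)
    hist="$dir/history"
    secret="s3cr3t-passphrase"   # constructed sample value

    # Leaky habit: the full line, secret included, lands in history.
    record_history "$hist" "tool --password $secret"
    fake_tool --password "$secret" >/dev/null

    # Safer habit: only the file path is typed, so only the path is recorded.
    umask 077
    printf '%s' "$secret" > "$dir/pass.txt"
    record_history "$hist" "TOOL_PASSWORD=\$(cat $dir/pass.txt) tool"
    run_with_secret_file "$dir/pass.txt" >/dev/null

    leaked_lines "$hist" "$secret"   # 1: only the argv line leaks
    rm -rf "$dir"
}
```

Run `demo` to see the count; it reports 1 because only the argv-style line carries the passphrase. In bash, `HISTCONTROL=ignorespace` additionally drops any line that starts with a space from the history, which is a useful second layer, but a secret that is never on the command line at all also stays out of `ps` output and of any third-party tool that persists sessions, which is the point of the file-based habit.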

-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
Visit this group at http://groups.google.com/group/tiddlywiki.