Thanks Mario!

I have been holding my breath on this one. I had forgotten but did look
into the Stanford Javascript Crypto Library weeks ago and did decide it
was sufficient for the task planned. When I saw this post the concern was
more about backdoors or other designed mechanisms to allow access if the
password was forgotten. Your points regarding plain text, code injection,
ease of dropping a trojan using drag and drop functionality, and code
review are
well thought out and expertly explained. You obviously have some experience
working with computer security. I have a current security+ certification
but doubt if I had researched all this myself and worked with TW for much
longer, I would have done as good a job providing this explanation.

I have assumed that Danielo's code also makes use of the library; while
we are on the subject, do you know if this is the case?

Thanks,

On Mon, Nov 10, 2014 at 5:11 AM, PMario <[email protected]> wrote:

> On Sunday, November 9, 2014 7:08:03 PM UTC+1, Ed Dixon wrote:
>>
>> Of course any encryption mechanism can be cracked given enough time
>>
>
> That's a major topic for every encryption method. Encryption is used to
> protect valuable content.
> As long as the cost (work + resources + time) to break the encryption, is
> much much higher than the cost to get the information over a different
> channel, we can say the encryption works.
>
> As soon, as "a different channel" is much cheaper, it doesn't make sense
> to hack the encryption.
>
> So imo at the moment the best way to break TW's encryption is to attack
> the workflow.
> eg: The node js version uses plain text passwords on the command line
> level. So everyone who has access to your computer just needs to type
>
> history | grep tiddlywiki
>
> to get what's needed. You may say: "Me not using unix". I may say: "That
> doesn't matter". Windows forgets the session history... but since that's
> super boring, there is a good chance that some additional software is
> installed at a power user's PC that persists command line session
> histories. So it's an easy task to search for those profiles. There
> is a good chance they are not protected very well ...
>
> and so on, and so on.
>
>
>> but, are there any known means to defeat our encryption as is
>>
>
> TW uses the:  Stanford Javascript Crypto Library
> That's what they say: http://bitwiseshiftleft.github.io/sjcl/
>
> Quote:
>
>> (Unfortunately, this is not as great as in desktop applications because it
>> is not feasible to completely protect against code injection, malicious
>> servers and side-channel attacks.)
>>
>
> The important part here is: "code injections". ... IMO TiddlyWiki has a
> big attack vector here, with TW plugins.
> Plugins can be easily installed using drag and drop.
> So if I wanted to attack your TW, I'd create a useful plugin that
> contains some additional functions + a little trojan, that is very well
> hidden.
>
>
>> or with the added functionality to encrypt individual tiddlers as
>> provided by Danielo's plugin? What I am working towards relies on this
>> functionality to be rock solid?
>>
>
> So imo "rock solid" at the moment is defined by your "code review"
> workflow and by your users workflow.
> If the users aren't aware of the rock solid workflow, it's cheaper and
> safer not to use encryption at all :)
> Since encryption may give your users the feeling of security. But there is
> no security if they are sloppy.
>
> have fun!
> mario
>
>  --
> You received this message because you are subscribed to a topic in the
> Google Groups "TiddlyWiki" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/tiddlywiki/mbP52rti9RU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/tiddlywiki.
> For more options, visit https://groups.google.com/d/optout.
>
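The history-leak point Mario makes above (a password typed as a command-line argument ends up in the shell history file, readable by anyone with access to the machine) can be checked for and avoided without any change to TiddlyWiki itself. The script below is an added example and is not code from this thread, from TiddlyWiki or from SJCL. It does two things: it scans a history file for lines that look like they carry a credential, and it shows one way to hand a secret to a process through a 0600 file instead of an argument. The sample history is constructed; the keyword patterns are heuristics, and the `--server` pattern rests on the thread's statement that the node version takes the password on the command line (a positional secret will not match a keyword search, so the command itself has to be listed).

```shell
#!/bin/sh
# Added example (not from the thread, TiddlyWiki or SJCL).
# Part 1: find history lines that carry a credential.
# Part 2: keep a secret out of argv (and therefore out of history) by
#         placing it in an owner-only file the process reads instead.

# --- Part 1: detection -------------------------------------------------

# Print every line of a history file that looks like it carries a secret.
# Keyword patterns are heuristics; the "--server" pattern is there because
# (per the thread) that TiddlyWiki invocation takes the password as a
# positional argument, which no keyword search would catch.
credential_lines() {
    grep -iE 'password|passwd|pass=|secret=|token=|--server ' "$1"
}

# Number of such lines, as a plain integer (0 = nothing found).
count_credential_lines() {
    credential_lines "$1" | wc -l | tr -d ' '
}

# --- Part 2: mitigation ------------------------------------------------

# Write a secret to a file that only the owner can read. The secret arrives
# as a shell variable inside this script, not as an argument of an external
# command, so it is never a candidate for the history file.
write_secret_file() {
    file=$1
    secret=$2
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077; printf '%s\n' "$secret" > "$file" )
}

# Check that the file is mode 0600 by comparing the ls permission column
# (portable across GNU and BSD ls; extra ACL markers sit past column 10).
secret_file_is_private() {
    perm=$(ls -l "$1" | cut -c1-10)
    [ "$perm" = "-rw-------" ]
}

# Read the secret back, e.g. into an environment variable for the server
# process, so the password itself is never typed at the prompt.
read_secret_file() {
    cat "$1"
}

# --- Demo with a constructed history file ------------------------------
demo() {
    tmp=$(mktemp -d)
    hist="$tmp/history"
    # Constructed sample; every line here is made up for this example.
    cat > "$hist" <<'EOF'
cd ~/wiki
tiddlywiki mywiki --init server
tiddlywiki mywiki --server 8080 $:/core/save/all text/plain text/html ed example-pw
ls -la
export TW_PASSWORD=example-pw
git status
EOF
    echo "Suspicious history lines ($(count_credential_lines "$hist")):"
    credential_lines "$hist"

    write_secret_file "$tmp/tw-secret" "example-pw"
    if secret_file_is_private "$tmp/tw-secret"; then
        echo "secret file is owner-only; contents: $(read_secret_file "$tmp/tw-secret")"
    fi
    rm -rf "$tmp"
}

demo
```

The scan is only as good as its patterns: tools that take secrets positionally, as the thread says TiddlyWiki's server command does, need their command name added explicitly. The file-based hand-off removes the argument from history entirely; it does not protect against the other channels Mario lists (malicious plugins, a compromised machine), which is the point of his "attack the workflow" remark.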
