The decryption only takes place in your browser unless you save it unencrypted.
But of course, since TiddlyWiki is "just a html" file, you can use any other means to control access to that file that you can use on any other platform. Of course security is a many-tentacled thing, but with server security + encryption I believe they must compromise your browser to achieve anything.

The first things to consider are:
- What are you hosting it on?
- Who and how people access it?
- Can you use https?

If it's only you, you can make it as secure as almost anything on the net. As soon as someone or everyone has unfettered access they can see what they can see. Thus it may be worth using one wiki to generate another public wiki.

Regards
Tony

On Tuesday, September 3, 2019 at 12:31:56 AM UTC+10, Dragon Cotterill wrote:
>
>> However, since the html source appears to remain unchanged once encryption
>> password has been provided and tiddlers were decrypted, I can only assume
>> that all now-decrypted tiddler content has been loaded as plaintext into
>> RAM or some kind of browser storage, is this correct?
>>
> The encrypted contents are "unlocked" when the password is supplied. As I
> understand it, this is done when the contents are displayed in the River,
> when on the screen. The original tiddler is still encrypted. So if you save
> the TW then the contents are saved in an encrypted format. (NB. I've not
> actually checked the various encryption plugins other than a cursory
> glance.)
>
>> My second question then is, how vulnerable would this content be to any
>> form of hijacking/extracting as plaintext once TiddlyWiki decryption
>> password has been provided?
>>
> Once the password has been supplied then the whole thing is wide open anyway.
> Sneaky javascript added to any plugin can grab said contents and offload it
> to wherever necessary.
>
> If you are looking for a fully encrypted and locked system, then I'm
> afraid TW is not it. You'd need proper signing of all the included contents
> to really make it secure, and even then you still couldn't guarantee it. At
> best I consider TW encryption as a way of preventing casual viewing of the
> entries. It is possible to create a "brute force" plugin which can sit and
> attack any given tiddler once loaded up in the browser. It might take a
> while, but if you feed it something like "rockyou" then you pretty much hit
> the majority of passwords.

