On Monday, September 2, 2019 at 4:13:29 PM UTC+2, Hubert wrote:
...
> However, since the html source appears to remain unchanged once encryption
> password has been provided and tiddlers were decrypted, I can only assume
> that all now-decrypted tiddler content has been loaded as plaintext into
> RAM or some kind of browser storage, is this correct?
>
It is RAM. It is a structure that is called $tw.wiki ... we also call it
"the store" or "wiki store". ... This store can be accessed with e.g.:
$tw.wiki.getTiddler("HelloThere")
The returned object is "plain text".
There is no persistent browser storage involved. ... So if the TW tab is
closed and reopened, there are no plain text artefacts on the hard drive.
> My second question then is, how vulnerable would this content be to any
> form of hijacking/extracting as plaintext once TiddlyWiki decryption
> password has been provided?
>
As I wrote above: if the user has access to your browser, with decrypted
content, it would be as easy as typing F12, which opens the developer
terminal. Enter the string $tw.wiki.getTiddler("HelloThere") and you'll get
some output.
That's exactly the same problem you'd have with any other software that
displays unencrypted content, if you have access to the terminal.
It would be possible to create a TW plugin that detects if the TW tab is
visible. If it is hidden, it could remove "the store" from the TW internal
memory. ... Which doesn't mean that the browser will forget it
immediately. But it would make it much harder.
The core encryption/decryption function is an "all or nothing" approach,
because it is convenient. There is a plugin
<https://tiddlywiki.com/#%22Encrypt%20single%20tiddler%20plugin%22%20by%20Danielo%20Rodriguez>
that lets you encrypt / decrypt single tiddlers.
As you can see, we can do a lot with plugins. So it really depends on your
requirements. ...
Just to be sure: There are some researchers out there who state that
"encryption in the browser will never be secure".
have fun!
mario
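
The plugin idea described in the message above (clear the in-memory store when the tab is hidden), sketched as an added example; it is not part of the original message and not TiddlyWiki code. The `Map` stands in for the wiki store, and `installVisibilityLock`, `makeFakeDocument` and `demo` are hypothetical names; only `document.visibilityState` and the `visibilitychange` event are real browser APIs.

```javascript
// Added example: clear decrypted content from memory when the tab is hidden.
// `store` is a Map standing in for the in-memory wiki store; all function and
// field names below are hypothetical and are not TiddlyWiki APIs.
function installVisibilityLock(doc, store, onLocked) {
  function handler() {
    if (doc.visibilityState !== "hidden") return;
    // Drop every entry so the store holds no reference to plaintext.
    // JavaScript strings are immutable and cannot be zeroed, so the old
    // bytes remain in the heap until the garbage collector reclaims them.
    for (const title of Array.from(store.keys())) {
      store.delete(title);
    }
    if (onLocked) onLocked(); // e.g. show the password prompt again
  }
  doc.addEventListener("visibilitychange", handler);
  // Return an uninstall function so the lock can be removed cleanly.
  return () => doc.removeEventListener("visibilitychange", handler);
}

// Minimal document stand-in so the example also runs outside a browser.
function makeFakeDocument() {
  const listeners = new Set();
  return {
    visibilityState: "visible",
    addEventListener(type, fn) { if (type === "visibilitychange") listeners.add(fn); },
    removeEventListener(type, fn) { if (type === "visibilitychange") listeners.delete(fn); },
    setVisibility(state) { this.visibilityState = state; listeners.forEach((fn) => fn()); },
  };
}

function demo() {
  const doc = makeFakeDocument();
  // Constructed sample content, not real wiki data.
  const store = new Map([["HelloThere", { text: "constructed sample plaintext" }]]);
  let locked = 0;
  const uninstall = installVisibilityLock(doc, store, () => { locked += 1; });
  doc.setVisibility("visible");            // still visible: nothing is cleared
  const sizeWhileVisible = store.size;
  doc.setVisibility("hidden");             // tab hidden: store is emptied
  const sizeAfterHidden = store.size;
  uninstall();
  store.set("HelloThere", { text: "constructed sample plaintext" });
  doc.setVisibility("hidden");             // lock removed: store is left alone
  return { sizeWhileVisible, sizeAfterHidden, locked, sizeAfterUninstall: store.size };
}
```

In a browser the call would be `installVisibilityLock(document, store, promptForPassword)`, with `promptForPassword` being whatever re-locks the UI.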