Thank you all for the replies. So, essentially any TW content is up for
grabs as long as the TW is loaded in the browser, whether encrypted or not.
I reckon that the stationary TW file residing on HDD somewhere is
relatively safe, if encrypted (password protected).
Again, thank you for the valuable information & technical insights.
Regards,
Hubert
On Tuesday, 3 September 2019 09:56:57 UTC+1, PMario wrote:
>
> On Monday, September 2, 2019 at 4:13:29 PM UTC+2, Hubert wrote:
> ...
>
>> However, since the html source appears to remain unchanged once
>> encryption password has been provided and tiddlers were decrypted, I can
>> only assume that all now-decrypted tiddler content has been loaded as
>> plaintext into RAM or some kind of browser storage, is this correct?
>>
>
> It is RAM. It is a structure that is called $tw.wiki ... we also call it
> "the store" or "wiki store". ... This store can be accessed with e.g.:
> $tw.wiki.getTiddler("HelloThere")
> The returned object is "plain text".
>
> There is no persistent browser storage involved. ... So if the TW tab is
> closed and reopened, there are no plain text artefacts on the hard drive.
>
>
>> My second question then is, how vulnerable would this content be to any
>> form of hijacking/extracting as plaintext once TiddlyWiki decryption
>> password has been provided?
>>
>
> As I wrote above. If the user has access to your browser, with decrypted
> content, it would be as easy as typing F12 which opens the developer
> terminal. Enter the string $tw.wiki.getTiddler("HelloThere") and you'll
> get some output.
>
> That's exactly the same problem you'd have with any other software that
> displays unencrypted content, if you have access to the terminal.
>
> It would be possible to create a TW plugin that detects if the TW tab is
> visible. If it is hidden, it could remove "the store" from the TW internal
> memory. ... Which doesn't mean that the browser will forget it
> immediately. But it would make it much harder.
>
> The core encryption/decryption function is an "all or nothing" approach,
> because it is convenient. There is a plugin
> <https://tiddlywiki.com/#%22Encrypt%20single%20tiddler%20plugin%22%20by%20Danielo%20Rodriguez>
> that lets you encrypt / decrypt single tiddlers.
>
> As you can see, we can do a lot with plugins. So it really depends on your
> requirements. ...
>
> Just to be sure: There are some researchers out there who state that:
> "encryption in the browser will never be secure".
>
> have fun!
> mario
>
>
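The hidden-tab wipe that the quoted reply describes, sketched as an added example that is not from the thread or from TiddlyWiki itself. `PlainStore` is a constructed stand-in for the `$tw.wiki` store, `installHiddenTabWipe` and `FakeDocument` are hypothetical names, and the only browser feature assumed is the Page Visibility API (`visibilitychange`, `document.visibilityState`).

```javascript
// Constructed stand-in for the decrypted in-memory store ($tw.wiki on the page).
class PlainStore {
  constructor() { this.tiddlers = new Map(); }
  addTiddler(fields) { this.tiddlers.set(fields.title, fields); }
  getTiddler(title) { return this.tiddlers.get(title); }
  // Drop every reference to decrypted content. JS strings cannot be
  // overwritten in place, so this only makes them eligible for garbage
  // collection; the browser may keep the bytes around for a while.
  wipe() {
    const removed = this.tiddlers.size;
    this.tiddlers.clear();
    return removed;
  }
}

// Hypothetical helper: wipe `store` whenever `doc` reports the tab as hidden.
// Returns a function that removes the listener again.
function installHiddenTabWipe(doc, store, onLocked) {
  const handler = () => {
    if (doc.visibilityState !== "hidden") return; // still visible: keep content
    const removed = store.wipe();
    if (onLocked) onLocked(removed); // e.g. show the password prompt again
  };
  doc.addEventListener("visibilitychange", handler);
  return () => doc.removeEventListener("visibilitychange", handler);
}

// Constructed test double for `document` so the example runs outside a browser.
class FakeDocument extends EventTarget {
  constructor() { super(); this.visibilityState = "visible"; }
  setVisibility(state) {
    this.visibilityState = state;
    this.dispatchEvent(new Event("visibilitychange"));
  }
}

function demo() {
  const doc = new FakeDocument();
  const store = new PlainStore();
  store.addTiddler({ title: "HelloThere", text: "constructed secret text" });
  const events = [];
  const uninstall = installHiddenTabWipe(doc, store, (n) => events.push(n));
  doc.setVisibility("visible"); // visible again: nothing is wiped
  const beforeHide = store.getTiddler("HelloThere") !== undefined;
  doc.setVisibility("hidden"); // tab hidden: store is emptied
  const afterHide = store.getTiddler("HelloThere");
  uninstall();
  return { beforeHide, afterHide, events };
}
```

In a browser the first argument would be the real `document`, and the callback would need to ask for the password again before the content can be shown.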