Hubert,

But to be clear, this is the truth of any content you give to someone on the 
internet. It's just TiddlyWiki loads its whole self into the browser (thus 
giving us all its interactive features). Individual encrypted tiddlers are 
possible but they could take the tiddler and brute force it. You can 
guarantee they can't save changes back to the server, you can stop access 
to the wiki in the first place with server-based security, and you can 
protect yourself when passing a user's ID, password and save keys with HTTPS.

NoteSelf adds a layer where you also need the database credentials.

Regards
Tony 

On Wednesday, September 4, 2019 at 3:53:32 AM UTC+10, Hubert wrote:
>
> Thank you all for the replies. So, essentially any TW content is up for 
> grabs as long as the TW is loaded in the browser, whether encrypted or not. 
> I reckon that the stationary TW file residing on HDD somewhere is 
> relatively safe, if encrypted (password protected). 
>
> Again, thank you for the valuable information & technical insights.
>
> Regards,
> Hubert
>
> On Tuesday, 3 September 2019 09:56:57 UTC+1, PMario wrote:
>>
>> On Monday, September 2, 2019 at 4:13:29 PM UTC+2, Hubert wrote:
>> ...
>>
>>> However, since the html source appears to remain unchanged once 
>>> encryption password has been provided and tiddlers were decrypted, I can 
>>> only assume that all now-decrypted tiddler content has been loaded as 
>>> plaintext into RAM or some kind of browser storage, is this correct?
>>>
>>
>> It is RAM. It is a structure that is called $tw.wiki .. we also call it 
>> "the store" or "wiki store". ... This store can be accessed with e.g.: 
>> $tw.wiki.getTiddler("HelloThere")
>> The returned object is "plain text". 
>>
>> There is no persistent browser storage involved. ... So if the TW tab is 
>> closed and reopened, there are no plain text artefacts on the hard drive. 
>>  
>>
>>> My second question then is, how vulnerable would this content be to any 
>>> form of hijacking/extracting as plaintext once TiddlyWiki decryption 
>>> password has been provided?
>>>
>>
>> As I wrote above. If the user has access to your browser, with decrypted 
>> content, it would be as easy as typing F12 which opens the developer 
>> terminal. Enter the string $tw.wiki.getTiddler("HelloThere") and you'll 
>> get some output. 
>>
>> That's exactly the same problem, you'd have with any other software, that 
>> displays unencrypted content, if you have access to the terminal. 
>>
>> It would be possible to create a TW plugin, that detects, if the TW tab 
>> is visible. If it is hidden, it could remove "the store" from the TW 
>> internal memory. ... Which doesn't mean, that the browser will forget it 
>> immediately. But it would make it much harder. 
>>
>> The core encryption/decryption function is an "all or nothing" approach, 
>> because it is convenient. There is a plugin 
>> <https://tiddlywiki.com/#%22Encrypt%20single%20tiddler%20plugin%22%20by%20Danielo%20Rodriguez>,
>>  
>> that lets you encrypt / decrypt single tiddlers. 
>>
>> As you can see, we can do a lot with plugins. So it really depends on 
>> your requirements. ... 
>>
>> Just to be sure: There are some researchers out there, that state that: 
>> "encryption in the browser will never be secure". 
>>
>> have fun!
>> mario
>>
>>
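
The plugin idea PMario describes above (remove the store's content when the TW tab is hidden), sketched as an added example; it is not code from this thread or from TiddlyWiki. The function name, the `graceMs` and `keep` options and the mock objects are assumptions; in a browser it would be called as installHiddenTabWipe(document, $tw.wiki).

```javascript
// Added example, not TiddlyWiki code. `wiki` must offer each() and
// deleteTiddler() as $tw.wiki does; `doc` must behave like `document`.
function installHiddenTabWipe(doc, wiki, options) {
  const opts = Object.assign({
    graceMs: 0,                               // assumed default: wipe at once
    keep: (title) => title.startsWith("$:/")  // assumed policy: keep system tiddlers
  }, options);
  let timer = null;

  function wipe() {
    const titles = [];
    // Collect titles first so the store is not modified while iterating.
    wiki.each((tiddler, title) => { if (!opts.keep(title)) titles.push(title); });
    titles.forEach((title) => wiki.deleteTiddler(title));
    return titles;
  }
  function onVisibilityChange() {
    if (doc.visibilityState !== "hidden") {
      // Tab became visible again before the grace period ended: cancel.
      clearTimeout(timer);
      timer = null;
    } else if (opts.graceMs > 0) {
      if (timer === null) timer = setTimeout(() => { timer = null; wipe(); }, opts.graceMs);
    } else {
      wipe();
    }
  }
  doc.addEventListener("visibilitychange", onVisibilityChange);
  return { wipe };
}

// Constructed stand-ins for `document` and `$tw.wiki`, so this runs under Node.
function demo() {
  const store = new Map([["HelloThere", { text: "secret" }], ["$:/StoryList", { list: "" }]]);
  const wiki = {
    each: (cb) => store.forEach((tiddler, title) => cb(tiddler, title)),
    getTiddler: (title) => store.get(title),
    deleteTiddler: (title) => store.delete(title)
  };
  const listeners = {};
  const doc = {
    visibilityState: "visible",
    addEventListener: (name, fn) => { listeners[name] = fn; }
  };
  installHiddenTabWipe(doc, wiki);
  doc.visibilityState = "hidden";
  listeners.visibilitychange();
  return { hello: wiki.getTiddler("HelloThere"), remaining: [...store.keys()] };
}
```

A wipe changes the live store, so saving afterwards (or running with a server sync adaptor) would persist the deletions; reload and decrypt again instead.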
