Upgrade to Pro — share decks privately, control downloads, hide ads and more …

clipperz: zero-knowledge web application

Giulio Cesare Solaroli
January 20, 2011
Technology
1
160

clipperz: zero-knowledge web application

how JavaScript may help turning cloud privacy upside-down

Giulio Cesare Solaroli

January 20, 2011
Tweet

More Decks by Giulio Cesare Solaroli

See All by Giulio Cesare Solaroli
Building Single Page Web Applications - JSDay 2013
gcsolaroli
2
1.6k

Other Decks in Technology

See All in Technology
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
340
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.8k
Chasing the White Whale of Open Source - ROI
mrbobbytables
0
120
静的解析で実現した効率的なi18n対応の仕組みづくり
minako__ph
2
890
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
29
13k
SSMRunbook作成の勘所_20241120
koichiotomo
3
180
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.8k
Engineer Career Talk
lycorp_recruit_jp
0
200
SRE×AIOpsを始めよう!GuardDutyによるお手軽脅威検出
amixedcolor
1
240
Mastering Quickfix
daisuzu
1
350
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950

Featured

See All Featured
Facilitating Awesome Meetings
lara
50
6.1k
The Language of Interfaces
destraynor
154
24k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
Faster Mobile Websites
deanohume
305
30k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
For a Future-Friendly Web
brad_frost
175
9.4k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Ruby is Unlike a Banana
tanoku
97
11k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k

Transcript

  1. zero-knowledge web application turning cloud privacy upside-down clipperz Giulio Cesare

    SOLAROLI [email protected] jse2011 - Paris, January 20 2011 Thursday, January 20, 2011 how JavaScript may help

  2. clipperz project Thursday, January 20, 2011

  3. clipperz project store (and share) personal data Thursday, January 20,

    2011

  4. clipperz project store (and share) personal data •reliable Thursday, January

    20, 2011

  5. clipperz project store (and share) personal data •reliable •secure Thursday,

    January 20, 2011

  6. clipperz project store (and share) personal data •reliable •secure •convenient

    Thursday, January 20, 2011

  7. reliable Thursday, January 20, 2011

  8. reliable the “cloud” is definitely the most reliable way to

    store data Thursday, January 20, 2011

  9. secure Thursday, January 20, 2011

  10. secure “host proof hosting” Thursday, January 20, 2011

  11. secure “host proof hosting” concept defined around 2005 to merge

    the reliability of cloud based storage and the security achievable using cryptography Thursday, January 20, 2011

  12. convenient Thursday, January 20, 2011

  13. convenient since GMail, convenient means “web based” Thursday, January 20,

    2011

  14. convenient since GMail, convenient means “web based” •nothing to install

    Thursday, January 20, 2011

  15. convenient since GMail, convenient means “web based” •nothing to install

    •nothing to configure Thursday, January 20, 2011

  16. clipperz project Thursday, January 20, 2011

  17. clipperz project Thatʼs easy Thursday, January 20, 2011

  18. clipperz project Thatʼs easy, isnʼt it? Thursday, January 20, 2011

  19. clipperz project Thatʼs easy almost! , isnʼt it? Thursday, January

    20, 2011

  20. clipperz project Thatʼs easy almost! the devil hides in the

    details , isnʼt it? Thursday, January 20, 2011

  21. clipperz challenges Thursday, January 20, 2011

  22. clipperz challenges achieve convenience Thursday, January 20, 2011

  23. clipperz challenges achieve convenience keeping the system secure Thursday, January

    20, 2011

  24. clipperz challenges achieve convenience keeping the system secure •never trade

    security for convenience Thursday, January 20, 2011

  25. clipperz challenges achieve convenience keeping the system secure •never trade

    security for convenience •being paranoid “only the paranoid survive” Thursday, January 20, 2011

  26. cryptography very short compendium Thursday, January 20, 2011

  27. cryptography Thursday, January 20, 2011

  28. symmetric encryption scheme cryptography Thursday, January 20, 2011

  29. symmetric encryption scheme •message cryptography Thursday, January 20, 2011

  30. symmetric encryption scheme •message •algorithm cryptography Thursday, January 20, 2011

  31. symmetric encryption scheme •message •algorithm •secret key cryptography Thursday, January

    20, 2011

  32. cryptography symmetric encryption Thursday, January 20, 2011

  33. cryptography symmetric encryption Thursday, January 20, 2011

  34. cryptography symmetric encryption Thursday, January 20, 2011

  35. cryptography symmetric encryption Thursday, January 20, 2011

  36. cryptography symmetric encryption Thursday, January 20, 2011

  37. cryptography symmetric encryption Thursday, January 20, 2011

  38. cryptography symmetric encryption Thursday, January 20, 2011

  39. cryptography symmetric encryption Thursday, January 20, 2011

  40. cryptography symmetric encryption Thursday, January 20, 2011

  41. application anatomy Thursday, January 20, 2011

  42. application anatomy zero-knowledge web app Thursday, January 20, 2011

  43. application anatomy zero-knowledge web app aka host proof app Thursday,

    January 20, 2011

  44. application anatomy zero-knowledge web app aka host proof app •verifiable

    codebase Thursday, January 20, 2011

  45. application anatomy zero-knowledge web app aka host proof app •verifiable

    codebase •no tampering Thursday, January 20, 2011

  46. application anatomy zero-knowledge web app aka host proof app •verifiable

    codebase •no tampering •wise password handling Thursday, January 20, 2011

  47. verifiable codebase Thursday, January 20, 2011

  48. verifiable codebase •all source code available for inspection https://github.com/clipperz Thursday,

    January 20, 2011

  49. verifiable codebase •all source code available for inspection https://github.com/clipperz •app

    served as a single, static, HTML file Thursday, January 20, 2011

  50. verifiable codebase •all source code available for inspection https://github.com/clipperz •app

    served as a single, static, HTML file •browsers do not support checksum verification #fail Thursday, January 20, 2011

  51. no tampering Thursday, January 20, 2011

  52. no tampering application code should not be modifiable by any

    data returned by the server Thursday, January 20, 2011

  53. no tampering application code should not be modifiable by any

    data returned by the server •javascript is very dynamic Thursday, January 20, 2011

  54. no tampering application code should not be modifiable by any

    data returned by the server •javascript is very dynamic •eval(…) is your enemy here Thursday, January 20, 2011

  55. password handling Thursday, January 20, 2011

  56. password handling password should never be sent to server Thursday,

    January 20, 2011

  57. password handling password should never be sent to server •SRP

    authentication Thursday, January 20, 2011

  58. password handling password should never be sent to server •SRP

    authentication •only verifiers are stored and exchanged Thursday, January 20, 2011

  59. security tradeoffs Thursday, January 20, 2011

  60. security tradeoffs features Thursday, January 20, 2011

  61. security tradeoffs features security Thursday, January 20, 2011

  62. security tradeoffs features security Thursday, January 20, 2011

  63. security tradeoffs features security Thursday, January 20, 2011

  64. being paranoid Thursday, January 20, 2011

  65. being paranoid clipperz does not store neither the password, Thursday,

    January 20, 2011

  66. being paranoid clipperz does not store neither the password, nor

    the username Thursday, January 20, 2011

  67. being paranoid clipperz does not store neither the password, nor

    the username •users can still login! #ftw Thursday, January 20, 2011

  68. being paranoid clipperz does not store neither the password, nor

    the username •users can still login! #ftw •multiple accounts can share the same username! #wtf Thursday, January 20, 2011

  69. features?! Thursday, January 20, 2011

  70. features?! password manager Thursday, January 20, 2011

  71. features?! password manager playground to test how far this architecture

    could go Thursday, January 20, 2011

  72. features?! password manager playground to test how far this architecture

    could go • features Thursday, January 20, 2011

  73. features?! password manager playground to test how far this architecture

    could go • features • convenience Thursday, January 20, 2011

  74. features?! password manager playground to test how far this architecture

    could go • features • convenience • reliability Thursday, January 20, 2011

  75. features!! Thursday, January 20, 2011

  76. features!! direct logins Thursday, January 20, 2011

  77. features!! direct logins one-click access to most sites #ftw Thursday,

    January 20, 2011

  78. features!! direct logins one-click access to most sites ✘ some

    #cool ✓ Thursday, January 20, 2011

  79. features!! Thursday, January 20, 2011

  80. features!! one time password Thursday, January 20, 2011

  81. features!! one time password access your data without typing your

    password Thursday, January 20, 2011

  82. features!! one time password access your data without typing your

    password great for using clipperz from an internet caffè Thursday, January 20, 2011

  83. features!! Thursday, January 20, 2011

  84. features!! offline copy Thursday, January 20, 2011

  85. features!! offline copy full application (including your own data) packed

    into a single html file Thursday, January 20, 2011

  86. features!! offline copy full application (including your own data) packed

    into a single html file no external resources used Thursday, January 20, 2011

  87. features!! Thursday, January 20, 2011

  88. hidden features!! Thursday, January 20, 2011

  89. hidden features!! hashcash Thursday, January 20, 2011

  90. hidden features!! hashcash avoid bots access without bothering users with

    nasty capcha puzzles Thursday, January 20, 2011

  91. odd side effects!! Thursday, January 20, 2011

  92. odd side effects!! no page reload Thursday, January 20, 2011

  93. odd side effects!! no page reload otherwise credential values are

    lost, and the user needs to type them in again #fail Thursday, January 20, 2011

  94. odd side effects!! Thursday, January 20, 2011

  95. odd side effects!! no fancy web-2.0 mash-ups Thursday, January 20,

    2011

  96. odd side effects!! no fancy web-2.0 mash-ups difficult to integrate

    into other products without relaxing security concerns Thursday, January 20, 2011

  97. odd side effects!! no fancy web-2.0 mash-ups difficult to integrate

    into other products without relaxing security concerns and we are paranoid! Thursday, January 20, 2011

  98. clipperz http://www.clipperz.com [email protected] THANKS Thursday, January 20, 2011