Upgrade to Pro — share decks privately, control downloads, hide ads and more …

clipperz: zero-knowledge web application

Giulio Cesare Solaroli
January 20, 2011
Technology
1
160

clipperz: zero-knowledge web application

how JavaScript may help turning cloud privacy upside-down

Giulio Cesare Solaroli

January 20, 2011
Tweet

More Decks by Giulio Cesare Solaroli

See All by Giulio Cesare Solaroli
Building Single Page Web Applications - JSDay 2013
gcsolaroli
2
1.6k

Other Decks in Technology

See All in Technology
Enterprise AI in 2025?
pamelafox
0
130
問題解決に役立つ数理工学
recruitengineers
PRO
8
2.4k
AIエージェントキャッチアップと論文リサーチ
os1ma
6
1.3k
AI・LLM事業部のSREとタスクの自動運転
shinyorke
PRO
0
320
滑らかなユーザー体験も目指す注文管理のマイクロサービス化〜注文情報CSVダウンロード機能の事例〜
demaecan
0
120
ウェブアクセシビリティとは
lycorptech_jp
PRO
0
340
ウォンテッドリーにおける Platform Engineering
bgpat
0
160
OPENLOGI Company Profile for engineer
hr01
1
23k
OPENLOGI Company Profile
hr01
0
62k
アプリケーション固有の「ロジックの脆弱性」を防ぐ開発者のためのセキュリティ観点
flatt_security
39
15k
Lightdashの利活用状況 ー導入から2年経った現在地_20250409
hirokiigeta
0
200
Amazon EKS Auto ModeでKubernetesの運用をシンプルにする
sshota0809
0
130

Featured

See All Featured
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.1k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
[RailsConf 2023] Rails as a piece of cake
palkan
53
5.4k
It's Worth the Effort
3n
184
28k
The Cult of Friendly URLs
andyhume
78
6.3k
VelocityConf: Rendering Performance Case Studies
addyosmani
328
24k
Faster Mobile Websites
deanohume
306
31k
KATA
mclloyd
29
14k
Making the Leap to Tech Lead
cromwellryan
133
9.2k
Speed Design
sergeychernyshev
28
870
What's in a price? How to price your products and services
michaelherold
245
12k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k

Transcript

  1. zero-knowledge web application turning cloud privacy upside-down clipperz Giulio Cesare

    SOLAROLI giulio.cesare@clipperz.com jse2011 - Paris, January 20 2011 Thursday, January 20, 2011 how JavaScript may help

  2. clipperz project Thursday, January 20, 2011

  3. clipperz project store (and share) personal data Thursday, January 20,

    2011

  4. clipperz project store (and share) personal data •reliable Thursday, January

    20, 2011

  5. clipperz project store (and share) personal data •reliable •secure Thursday,

    January 20, 2011

  6. clipperz project store (and share) personal data •reliable •secure •convenient

    Thursday, January 20, 2011

  7. reliable Thursday, January 20, 2011

  8. reliable the “cloud” is definitely the most reliable way to

    store data Thursday, January 20, 2011

  9. secure Thursday, January 20, 2011

  10. secure “host proof hosting” Thursday, January 20, 2011

  11. secure “host proof hosting” concept defined around 2005 to merge

    the reliability of cloud based storage and the security achievable using cryptography Thursday, January 20, 2011

  12. convenient Thursday, January 20, 2011

  13. convenient since GMail, convenient means “web based” Thursday, January 20,

    2011

  14. convenient since GMail, convenient means “web based” •nothing to install

    Thursday, January 20, 2011

  15. convenient since GMail, convenient means “web based” •nothing to install

    •nothing to configure Thursday, January 20, 2011

  16. clipperz project Thursday, January 20, 2011

  17. clipperz project Thatʼs easy Thursday, January 20, 2011

  18. clipperz project Thatʼs easy, isnʼt it? Thursday, January 20, 2011

  19. clipperz project Thatʼs easy almost! , isnʼt it? Thursday, January

    20, 2011

  20. clipperz project Thatʼs easy almost! the devil hides in the

    details , isnʼt it? Thursday, January 20, 2011

  21. clipperz challenges Thursday, January 20, 2011

  22. clipperz challenges achieve convenience Thursday, January 20, 2011

  23. clipperz challenges achieve convenience keeping the system secure Thursday, January

    20, 2011

  24. clipperz challenges achieve convenience keeping the system secure •never trade

    security for convenience Thursday, January 20, 2011

  25. clipperz challenges achieve convenience keeping the system secure •never trade

    security for convenience •being paranoid “only the paranoid survive” Thursday, January 20, 2011

  26. cryptography very short compendium Thursday, January 20, 2011

  27. cryptography Thursday, January 20, 2011

  28. symmetric encryption scheme cryptography Thursday, January 20, 2011

  29. symmetric encryption scheme •message cryptography Thursday, January 20, 2011

  30. symmetric encryption scheme •message •algorithm cryptography Thursday, January 20, 2011

  31. symmetric encryption scheme •message •algorithm •secret key cryptography Thursday, January

    20, 2011

  32. cryptography symmetric encryption Thursday, January 20, 2011

  33. cryptography symmetric encryption Thursday, January 20, 2011

  34. cryptography symmetric encryption Thursday, January 20, 2011

  35. cryptography symmetric encryption Thursday, January 20, 2011

  36. cryptography symmetric encryption Thursday, January 20, 2011

  37. cryptography symmetric encryption Thursday, January 20, 2011

  38. cryptography symmetric encryption Thursday, January 20, 2011

  39. cryptography symmetric encryption Thursday, January 20, 2011

  40. cryptography symmetric encryption Thursday, January 20, 2011

  41. application anatomy Thursday, January 20, 2011

  42. application anatomy zero-knowledge web app Thursday, January 20, 2011

  43. application anatomy zero-knowledge web app aka host proof app Thursday,

    January 20, 2011

  44. application anatomy zero-knowledge web app aka host proof app •verifiable

    codebase Thursday, January 20, 2011

  45. application anatomy zero-knowledge web app aka host proof app •verifiable

    codebase •no tampering Thursday, January 20, 2011

  46. application anatomy zero-knowledge web app aka host proof app •verifiable

    codebase •no tampering •wise password handling Thursday, January 20, 2011

  47. verifiable codebase Thursday, January 20, 2011

  48. verifiable codebase •all source code available for inspection https://github.com/clipperz Thursday,

    January 20, 2011

  49. verifiable codebase •all source code available for inspection https://github.com/clipperz •app

    served as a single, static, HTML file Thursday, January 20, 2011

  50. verifiable codebase •all source code available for inspection https://github.com/clipperz •app

    served as a single, static, HTML file •browsers do not support checksum verification #fail Thursday, January 20, 2011

  51. no tampering Thursday, January 20, 2011

  52. no tampering application code should not be modifiable by any

    data returned by the server Thursday, January 20, 2011

  53. no tampering application code should not be modifiable by any

    data returned by the server •javascript is very dynamic Thursday, January 20, 2011

  54. no tampering application code should not be modifiable by any

    data returned by the server •javascript is very dynamic •eval(…) is your enemy here Thursday, January 20, 2011

  55. password handling Thursday, January 20, 2011

  56. password handling password should never be sent to server Thursday,

    January 20, 2011

  57. password handling password should never be sent to server •SRP

    authentication Thursday, January 20, 2011

  58. password handling password should never be sent to server •SRP

    authentication •only verifiers are stored and exchanged Thursday, January 20, 2011

  59. security tradeoffs Thursday, January 20, 2011

  60. security tradeoffs features Thursday, January 20, 2011

  61. security tradeoffs features security Thursday, January 20, 2011

  62. security tradeoffs features security Thursday, January 20, 2011

  63. security tradeoffs features security Thursday, January 20, 2011

  64. being paranoid Thursday, January 20, 2011

  65. being paranoid clipperz does not store neither the password, Thursday,

    January 20, 2011

  66. being paranoid clipperz does not store neither the password, nor

    the username Thursday, January 20, 2011

  67. being paranoid clipperz does not store neither the password, nor

    the username •users can still login! #ftw Thursday, January 20, 2011

  68. being paranoid clipperz does not store neither the password, nor

    the username •users can still login! #ftw •multiple accounts can share the same username! #wtf Thursday, January 20, 2011

  69. features?! Thursday, January 20, 2011

  70. features?! password manager Thursday, January 20, 2011

  71. features?! password manager playground to test how far this architecture

    could go Thursday, January 20, 2011

  72. features?! password manager playground to test how far this architecture

    could go • features Thursday, January 20, 2011

  73. features?! password manager playground to test how far this architecture

    could go • features • convenience Thursday, January 20, 2011

  74. features?! password manager playground to test how far this architecture

    could go • features • convenience • reliability Thursday, January 20, 2011

  75. features!! Thursday, January 20, 2011

  76. features!! direct logins Thursday, January 20, 2011

  77. features!! direct logins one-click access to most sites #ftw Thursday,

    January 20, 2011

  78. features!! direct logins one-click access to most sites ✘ some

    #cool ✓ Thursday, January 20, 2011

  79. features!! Thursday, January 20, 2011

  80. features!! one time password Thursday, January 20, 2011

  81. features!! one time password access your data without typing your

    password Thursday, January 20, 2011

  82. features!! one time password access your data without typing your

    password great for using clipperz from an internet caffè Thursday, January 20, 2011

  83. features!! Thursday, January 20, 2011

  84. features!! offline copy Thursday, January 20, 2011

  85. features!! offline copy full application (including your own data) packed

    into a single html file Thursday, January 20, 2011

  86. features!! offline copy full application (including your own data) packed

    into a single html file no external resources used Thursday, January 20, 2011

  87. features!! Thursday, January 20, 2011

  88. hidden features!! Thursday, January 20, 2011

  89. hidden features!! hashcash Thursday, January 20, 2011

  90. hidden features!! hashcash avoid bots access without bothering users with

    nasty capcha puzzles Thursday, January 20, 2011

  91. odd side effects!! Thursday, January 20, 2011

  92. odd side effects!! no page reload Thursday, January 20, 2011

  93. odd side effects!! no page reload otherwise credential values are

    lost, and the user needs to type them in again #fail Thursday, January 20, 2011

  94. odd side effects!! Thursday, January 20, 2011

  95. odd side effects!! no fancy web-2.0 mash-ups Thursday, January 20,

    2011

  96. odd side effects!! no fancy web-2.0 mash-ups difficult to integrate

    into other products without relaxing security concerns Thursday, January 20, 2011

  97. odd side effects!! no fancy web-2.0 mash-ups difficult to integrate

    into other products without relaxing security concerns and we are paranoid! Thursday, January 20, 2011

  98. clipperz http://www.clipperz.com giulio.cesare@clipperz.com THANKS Thursday, January 20, 2011