Upgrade to Pro — share decks privately, control downloads, hide ads and more …

clipperz: zero-knowledge web application

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Giulio Cesare Solaroli Giulio Cesare Solaroli
January 20, 2011
Technology
1
170

clipperz: zero-knowledge web application

how JavaScript may help turning cloud privacy upside-down

Avatar for Giulio Cesare Solaroli

Giulio Cesare Solaroli

January 20, 2011
Tweet

More Decks by Giulio Cesare Solaroli

See All by Giulio Cesare Solaroli
Building Single Page Web Applications - JSDay 2013
Avatar for Giulio Cesare Solaroli gcsolaroli
2
1.6k

Other Decks in Technology

See All in Technology
小さく始めるBCP ― 多プロダクト環境で始める最初の一歩
Avatar for kekke-n kekke_n
1
360
【5分でわかる】セーフィー エンジニア向け会社紹介
Avatar for Safie safie_recruit
0
42k
Bedrock PolicyでAmazon Bedrock Guardrails利用を強制してみた
Avatar for Yudai Jinno yuu551
0
140
顧客の言葉を、そのまま信じない勇気
Avatar for yamatai12 yamatai1212
1
340
2026年、サーバーレスの現在地 -「制約と戦う技術」から「当たり前の実行基盤」へ- /serverless2026
Avatar for Serverless Operations slsops
2
210
今日から始める Amazon Bedrock AgentCore
Avatar for Har1101 har1101
4
400
茨城の思い出を振り返る ~CDKのセキュリティを添えて~ / 20260201 Mitsutoshi Matsuo
Avatar for SHIFT EVOLVE shift_evolve
PRO
1
190
モダンUIでフルサーバーレスなAIエージェントをAmplifyとCDKでサクッとデプロイしよう
Avatar for みのるん minorun365
3
150
20260204_Midosuji_Tech
Avatar for Takuya Yonezawa takuyay0ne
0
120
GitLab Duo Agent Platform × AGENTS.md で実現するSpec-Driven Development / GitLab Duo Agent Platform × AGENTS.md
Avatar for Niishi Kubo n11sh1
0
120
仕様書駆動AI開発の実践: Issue→Skill→PRテンプレで 再現性を作る
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
2
600
SREのプラクティスを用いた3領域同時 マネジメントへの挑戦 〜SRE・情シス・セキュリティを統合した チーム運営術〜
Avatar for coconala_engineer coconala_engineer
2
600

Featured

See All Featured
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
Avatar for AKADEMIYA2063 akademiya2063
PRO
1
54
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
Avatar for Akihiro Kokubo akihiro_kokubo
PRO
66
36k
How to Align SEO within the Product Triangle To Get 
Buy-In & Support - #RIMC
Avatar for Aleyda Solis aleyda
1
1.4k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
71k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
Avatar for Tomoya Matsuura tomoyanonymous
2
410
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
80
6.1k
Chasing Engaging Ingredients in Design
Avatar for Sebastian Deterding codingconduct
0
110
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
174
15k
Introduction to Domain-Driven Design and Collaborative software design
Avatar for Kenny Baas-Schwegler baasie
1
580
Sam Torres - BigQuery for SEOs
Avatar for Tech SEO Connect techseoconnect
PRO
0
180
How to audit for AI Accessibility on your Front & Back End
Avatar for davetheseo davetheseo
0
180
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
331
21k

Transcript

  1. zero-knowledge web application turning cloud privacy upside-down clipperz Giulio Cesare

    SOLAROLI [email protected] jse2011 - Paris, January 20 2011 Thursday, January 20, 2011 how JavaScript may help

  2. clipperz project Thursday, January 20, 2011

  3. clipperz project store (and share) personal data Thursday, January 20,

    2011

  4. clipperz project store (and share) personal data •reliable Thursday, January

    20, 2011

  5. clipperz project store (and share) personal data •reliable •secure Thursday,

    January 20, 2011

  6. clipperz project store (and share) personal data •reliable •secure •convenient

    Thursday, January 20, 2011

  7. reliable Thursday, January 20, 2011

  8. reliable the “cloud” is definitely the most reliable way to

    store data Thursday, January 20, 2011

  9. secure Thursday, January 20, 2011

  10. secure “host proof hosting” Thursday, January 20, 2011

  11. secure “host proof hosting” concept defined around 2005 to merge

    the reliability of cloud based storage and the security achievable using cryptography Thursday, January 20, 2011

  12. convenient Thursday, January 20, 2011

  13. convenient since GMail, convenient means “web based” Thursday, January 20,

    2011

  14. convenient since GMail, convenient means “web based” •nothing to install

    Thursday, January 20, 2011

  15. convenient since GMail, convenient means “web based” •nothing to install

    •nothing to configure Thursday, January 20, 2011

  16. clipperz project Thursday, January 20, 2011

  17. clipperz project Thatʼs easy Thursday, January 20, 2011

  18. clipperz project Thatʼs easy, isnʼt it? Thursday, January 20, 2011

  19. clipperz project Thatʼs easy almost! , isnʼt it? Thursday, January

    20, 2011

  20. clipperz project Thatʼs easy almost! the devil hides in the

    details , isnʼt it? Thursday, January 20, 2011

  21. clipperz challenges Thursday, January 20, 2011

  22. clipperz challenges achieve convenience Thursday, January 20, 2011

  23. clipperz challenges achieve convenience keeping the system secure Thursday, January

    20, 2011

  24. clipperz challenges achieve convenience keeping the system secure •never trade

    security for convenience Thursday, January 20, 2011

  25. clipperz challenges achieve convenience keeping the system secure •never trade

    security for convenience •being paranoid “only the paranoid survive” Thursday, January 20, 2011

  26. cryptography very short compendium Thursday, January 20, 2011

  27. cryptography Thursday, January 20, 2011

  28. symmetric encryption scheme cryptography Thursday, January 20, 2011

  29. symmetric encryption scheme •message cryptography Thursday, January 20, 2011

  30. symmetric encryption scheme •message •algorithm cryptography Thursday, January 20, 2011

  31. symmetric encryption scheme •message •algorithm •secret key cryptography Thursday, January

    20, 2011

  32. cryptography symmetric encryption Thursday, January 20, 2011

  33. cryptography symmetric encryption Thursday, January 20, 2011

  34. cryptography symmetric encryption Thursday, January 20, 2011

  35. cryptography symmetric encryption Thursday, January 20, 2011

  36. cryptography symmetric encryption Thursday, January 20, 2011

  37. cryptography symmetric encryption Thursday, January 20, 2011

  38. cryptography symmetric encryption Thursday, January 20, 2011

  39. cryptography symmetric encryption Thursday, January 20, 2011

  40. cryptography symmetric encryption Thursday, January 20, 2011

  41. application anatomy Thursday, January 20, 2011

  42. application anatomy zero-knowledge web app Thursday, January 20, 2011

  43. application anatomy zero-knowledge web app aka host proof app Thursday,

    January 20, 2011

  44. application anatomy zero-knowledge web app aka host proof app •verifiable

    codebase Thursday, January 20, 2011

  45. application anatomy zero-knowledge web app aka host proof app •verifiable

    codebase •no tampering Thursday, January 20, 2011

  46. application anatomy zero-knowledge web app aka host proof app •verifiable

    codebase •no tampering •wise password handling Thursday, January 20, 2011

  47. verifiable codebase Thursday, January 20, 2011

  48. verifiable codebase •all source code available for inspection https://github.com/clipperz Thursday,

    January 20, 2011

  49. verifiable codebase •all source code available for inspection https://github.com/clipperz •app

    served as a single, static, HTML file Thursday, January 20, 2011

  50. verifiable codebase •all source code available for inspection https://github.com/clipperz •app

    served as a single, static, HTML file •browsers do not support checksum verification #fail Thursday, January 20, 2011

  51. no tampering Thursday, January 20, 2011

  52. no tampering application code should not be modifiable by any

    data returned by the server Thursday, January 20, 2011

  53. no tampering application code should not be modifiable by any

    data returned by the server •javascript is very dynamic Thursday, January 20, 2011

  54. no tampering application code should not be modifiable by any

    data returned by the server •javascript is very dynamic •eval(…) is your enemy here Thursday, January 20, 2011

  55. password handling Thursday, January 20, 2011

  56. password handling password should never be sent to server Thursday,

    January 20, 2011

  57. password handling password should never be sent to server •SRP

    authentication Thursday, January 20, 2011

  58. password handling password should never be sent to server •SRP

    authentication •only verifiers are stored and exchanged Thursday, January 20, 2011

  59. security tradeoffs Thursday, January 20, 2011

  60. security tradeoffs features Thursday, January 20, 2011

  61. security tradeoffs features security Thursday, January 20, 2011

  62. security tradeoffs features security Thursday, January 20, 2011

  63. security tradeoffs features security Thursday, January 20, 2011

  64. being paranoid Thursday, January 20, 2011

  65. being paranoid clipperz does not store neither the password, Thursday,

    January 20, 2011

  66. being paranoid clipperz does not store neither the password, nor

    the username Thursday, January 20, 2011

  67. being paranoid clipperz does not store neither the password, nor

    the username •users can still login! #ftw Thursday, January 20, 2011

  68. being paranoid clipperz does not store neither the password, nor

    the username •users can still login! #ftw •multiple accounts can share the same username! #wtf Thursday, January 20, 2011

  69. features?! Thursday, January 20, 2011

  70. features?! password manager Thursday, January 20, 2011

  71. features?! password manager playground to test how far this architecture

    could go Thursday, January 20, 2011

  72. features?! password manager playground to test how far this architecture

    could go • features Thursday, January 20, 2011

  73. features?! password manager playground to test how far this architecture

    could go • features • convenience Thursday, January 20, 2011

  74. features?! password manager playground to test how far this architecture

    could go • features • convenience • reliability Thursday, January 20, 2011

  75. features!! Thursday, January 20, 2011

  76. features!! direct logins Thursday, January 20, 2011

  77. features!! direct logins one-click access to most sites #ftw Thursday,

    January 20, 2011

  78. features!! direct logins one-click access to most sites ✘ some

    #cool ✓ Thursday, January 20, 2011

  79. features!! Thursday, January 20, 2011

  80. features!! one time password Thursday, January 20, 2011

  81. features!! one time password access your data without typing your

    password Thursday, January 20, 2011

  82. features!! one time password access your data without typing your

    password great for using clipperz from an internet caffè Thursday, January 20, 2011

  83. features!! Thursday, January 20, 2011

  84. features!! offline copy Thursday, January 20, 2011

  85. features!! offline copy full application (including your own data) packed

    into a single html file Thursday, January 20, 2011

  86. features!! offline copy full application (including your own data) packed

    into a single html file no external resources used Thursday, January 20, 2011

  87. features!! Thursday, January 20, 2011

  88. hidden features!! Thursday, January 20, 2011

  89. hidden features!! hashcash Thursday, January 20, 2011

  90. hidden features!! hashcash avoid bots access without bothering users with

    nasty capcha puzzles Thursday, January 20, 2011

  91. odd side effects!! Thursday, January 20, 2011

  92. odd side effects!! no page reload Thursday, January 20, 2011

  93. odd side effects!! no page reload otherwise credential values are

    lost, and the user needs to type them in again #fail Thursday, January 20, 2011

  94. odd side effects!! Thursday, January 20, 2011

  95. odd side effects!! no fancy web-2.0 mash-ups Thursday, January 20,

    2011

  96. odd side effects!! no fancy web-2.0 mash-ups difficult to integrate

    into other products without relaxing security concerns Thursday, January 20, 2011

  97. odd side effects!! no fancy web-2.0 mash-ups difficult to integrate

    into other products without relaxing security concerns and we are paranoid! Thursday, January 20, 2011

  98. clipperz http://www.clipperz.com [email protected] THANKS Thursday, January 20, 2011