Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
clipperz: zero-knowledge web application
Search
Giulio Cesare Solaroli
January 20, 2011
Technology
1
160
clipperz: zero-knowledge web application
how JavaScript may help turning cloud privacy upside-down
Giulio Cesare Solaroli
January 20, 2011
Tweet
Share
More Decks by Giulio Cesare Solaroli
See All by Giulio Cesare Solaroli
Building Single Page Web Applications - JSDay 2013
gcsolaroli
2
1.6k
Other Decks in Technology
See All in Technology
SAE J1939シミュレーション環境構築
daikiokazaki
1
190
claude codeでPrompt Engineering
iori0311
0
530
Recoil脱却の現状と挑戦
kirik
3
460
MCPに潜むセキュリティリスクを考えてみる
milix_m
1
880
激動の時代、新卒エンジニアはAIツールにどう向き合うか。 [LayerX Bet AI Day Countdown LT Day1 ツールの選択]
tak848
0
610
なぜAI時代に 「イベント」を中心に考えるのか? / Why focus on "events" in the age of AI?
ytake
2
800
AIエージェントを支える設計
tkikuchi1002
11
2.3k
ユーザー理解の爆速化とPdMの価値
kakehashi
PRO
1
110
「AI駆動開発」のボトルネック『言語化』を効率化するには
taniiicom
1
210
Step Functions First - サーバーレスアーキテクチャの新しいパラダイム
taikis
1
280
With Devin -AIの自律とメンバーの自立
kotanin0
2
790
Tiptapで実現する堅牢で柔軟なエディター開発
kirik
1
150
Featured
See All Featured
Building Adaptive Systems
keathley
43
2.7k
The Pragmatic Product Professional
lauravandoore
35
6.8k
How GitHub (no longer) Works
holman
314
140k
Thoughts on Productivity
jonyablonski
69
4.8k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Designing Experiences People Love
moore
142
24k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
47
9.6k
Designing for Performance
lara
610
69k
Done Done
chrislema
184
16k
Fireside Chat
paigeccino
37
3.5k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1k
Code Review Best Practice
trishagee
69
19k
Transcript
zero-knowledge web application turning cloud privacy upside-down clipperz Giulio Cesare
SOLAROLI
[email protected]
jse2011 - Paris, January 20 2011 Thursday, January 20, 2011 how JavaScript may help
clipperz project Thursday, January 20, 2011
clipperz project store (and share) personal data Thursday, January 20,
2011
clipperz project store (and share) personal data •reliable Thursday, January
20, 2011
clipperz project store (and share) personal data •reliable •secure Thursday,
January 20, 2011
clipperz project store (and share) personal data •reliable •secure •convenient
Thursday, January 20, 2011
reliable Thursday, January 20, 2011
reliable the “cloud” is definitely the most reliable way to
store data Thursday, January 20, 2011
secure Thursday, January 20, 2011
secure “host proof hosting” Thursday, January 20, 2011
secure “host proof hosting” concept defined around 2005 to merge
the reliability of cloud based storage and the security achievable using cryptography Thursday, January 20, 2011
convenient Thursday, January 20, 2011
convenient since GMail, convenient means “web based” Thursday, January 20,
2011
convenient since GMail, convenient means “web based” •nothing to install
Thursday, January 20, 2011
convenient since GMail, convenient means “web based” •nothing to install
•nothing to configure Thursday, January 20, 2011
clipperz project Thursday, January 20, 2011
clipperz project Thatʼs easy Thursday, January 20, 2011
clipperz project Thatʼs easy, isnʼt it? Thursday, January 20, 2011
clipperz project Thatʼs easy almost! , isnʼt it? Thursday, January
20, 2011
clipperz project Thatʼs easy almost! the devil hides in the
details , isnʼt it? Thursday, January 20, 2011
clipperz challenges Thursday, January 20, 2011
clipperz challenges achieve convenience Thursday, January 20, 2011
clipperz challenges achieve convenience keeping the system secure Thursday, January
20, 2011
clipperz challenges achieve convenience keeping the system secure •never trade
security for convenience Thursday, January 20, 2011
clipperz challenges achieve convenience keeping the system secure •never trade
security for convenience •being paranoid “only the paranoid survive” Thursday, January 20, 2011
cryptography very short compendium Thursday, January 20, 2011
cryptography Thursday, January 20, 2011
symmetric encryption scheme cryptography Thursday, January 20, 2011
symmetric encryption scheme •message cryptography Thursday, January 20, 2011
symmetric encryption scheme •message •algorithm cryptography Thursday, January 20, 2011
symmetric encryption scheme •message •algorithm •secret key cryptography Thursday, January
20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
application anatomy Thursday, January 20, 2011
application anatomy zero-knowledge web app Thursday, January 20, 2011
application anatomy zero-knowledge web app aka host proof app Thursday,
January 20, 2011
application anatomy zero-knowledge web app aka host proof app •verifiable
codebase Thursday, January 20, 2011
application anatomy zero-knowledge web app aka host proof app •verifiable
codebase •no tampering Thursday, January 20, 2011
application anatomy zero-knowledge web app aka host proof app •verifiable
codebase •no tampering •wise password handling Thursday, January 20, 2011
verifiable codebase Thursday, January 20, 2011
verifiable codebase •all source code available for inspection https://github.com/clipperz Thursday,
January 20, 2011
verifiable codebase •all source code available for inspection https://github.com/clipperz •app
served as a single, static, HTML file Thursday, January 20, 2011
verifiable codebase •all source code available for inspection https://github.com/clipperz •app
served as a single, static, HTML file •browsers do not support checksum verification #fail Thursday, January 20, 2011
no tampering Thursday, January 20, 2011
no tampering application code should not be modifiable by any
data returned by the server Thursday, January 20, 2011
no tampering application code should not be modifiable by any
data returned by the server •javascript is very dynamic Thursday, January 20, 2011
no tampering application code should not be modifiable by any
data returned by the server •javascript is very dynamic •eval(…) is your enemy here Thursday, January 20, 2011
password handling Thursday, January 20, 2011
password handling password should never be sent to server Thursday,
January 20, 2011
password handling password should never be sent to server •SRP
authentication Thursday, January 20, 2011
password handling password should never be sent to server •SRP
authentication •only verifiers are stored and exchanged Thursday, January 20, 2011
security tradeoffs Thursday, January 20, 2011
security tradeoffs features Thursday, January 20, 2011
security tradeoffs features security Thursday, January 20, 2011
security tradeoffs features security Thursday, January 20, 2011
security tradeoffs features security Thursday, January 20, 2011
being paranoid Thursday, January 20, 2011
being paranoid clipperz does not store neither the password, Thursday,
January 20, 2011
being paranoid clipperz does not store neither the password, nor
the username Thursday, January 20, 2011
being paranoid clipperz does not store neither the password, nor
the username •users can still login! #ftw Thursday, January 20, 2011
being paranoid clipperz does not store neither the password, nor
the username •users can still login! #ftw •multiple accounts can share the same username! #wtf Thursday, January 20, 2011
features?! Thursday, January 20, 2011
features?! password manager Thursday, January 20, 2011
features?! password manager playground to test how far this architecture
could go Thursday, January 20, 2011
features?! password manager playground to test how far this architecture
could go • features Thursday, January 20, 2011
features?! password manager playground to test how far this architecture
could go • features • convenience Thursday, January 20, 2011
features?! password manager playground to test how far this architecture
could go • features • convenience • reliability Thursday, January 20, 2011
features!! Thursday, January 20, 2011
features!! direct logins Thursday, January 20, 2011
features!! direct logins one-click access to most sites #ftw Thursday,
January 20, 2011
features!! direct logins one-click access to most sites ✘ some
#cool ✓ Thursday, January 20, 2011
features!! Thursday, January 20, 2011
features!! one time password Thursday, January 20, 2011
features!! one time password access your data without typing your
password Thursday, January 20, 2011
features!! one time password access your data without typing your
password great for using clipperz from an internet caffè Thursday, January 20, 2011
features!! Thursday, January 20, 2011
features!! offline copy Thursday, January 20, 2011
features!! offline copy full application (including your own data) packed
into a single html file Thursday, January 20, 2011
features!! offline copy full application (including your own data) packed
into a single html file no external resources used Thursday, January 20, 2011
features!! Thursday, January 20, 2011
hidden features!! Thursday, January 20, 2011
hidden features!! hashcash Thursday, January 20, 2011
hidden features!! hashcash avoid bots access without bothering users with
nasty capcha puzzles Thursday, January 20, 2011
odd side effects!! Thursday, January 20, 2011
odd side effects!! no page reload Thursday, January 20, 2011
odd side effects!! no page reload otherwise credential values are
lost, and the user needs to type them in again #fail Thursday, January 20, 2011
odd side effects!! Thursday, January 20, 2011
odd side effects!! no fancy web-2.0 mash-ups Thursday, January 20,
2011
odd side effects!! no fancy web-2.0 mash-ups difficult to integrate
into other products without relaxing security concerns Thursday, January 20, 2011
odd side effects!! no fancy web-2.0 mash-ups difficult to integrate
into other products without relaxing security concerns and we are paranoid! Thursday, January 20, 2011
clipperz http://www.clipperz.com
[email protected]
THANKS Thursday, January 20, 2011