Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
clipperz: zero-knowledge web application
Search
Giulio Cesare Solaroli
January 20, 2011
Technology
1
160
clipperz: zero-knowledge web application
how JavaScript may help turning cloud privacy upside-down
Giulio Cesare Solaroli
January 20, 2011
Tweet
Share
More Decks by Giulio Cesare Solaroli
See All by Giulio Cesare Solaroli
Building Single Page Web Applications - JSDay 2013
gcsolaroli
2
1.5k
Other Decks in Technology
See All in Technology
Cloudflare WorkersがPythonに対応したので試してみた
miura55
0
190
DevRelによる信頼構築とデータ駆動で変わるエンジニア採用 / DevRel Trust Building to Data Driven Engineering Hiring
bobtani
1
120
成長をサポートするピープルマネジメントのやり方
sioncojp
9
1.5k
試作とデモンストレーション / Prototyping and Demonstrations
ks91
PRO
0
150
本当のガバクラ基礎
toru_kubota
0
300
自らを知り外と繋がる、日経のエンジニア採用とDevRel活動/devreljp92
nishiuma
2
210
日本が誇るイタリアのダンスミュージック!? ユーロビートって何??
minorun365
PRO
1
130
能動学習のいろは:書籍「Human-in-the-Loop機械学習」3〜5章
hiroyoshiito
0
290
Domain-driven Design: A Complete Example
ewolff
2
230
M5stackで使用できるpHセンサの開発
shinrinakamura
1
300
OPENLOGI Company Profile
hr01
0
45k
iThome2024 Wailing Wall of Enterprise Security
notsurprised
0
270
Featured
See All Featured
Navigating Team Friction
lara
179
13k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
23
1.7k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
14
8.4k
It's Worth the Effort
3n
180
27k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
34
6.1k
How to train your dragon (web standard)
notwaldorf
75
5.2k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.7k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
228
16k
The Brand Is Dead. Long Live the Brand.
mthomps
49
30k
Side Projects
sachag
451
41k
Become a Pro
speakerdeck
PRO
13
4.6k
Making Projects Easy
brettharned
109
5.5k
Transcript
zero-knowledge web application turning cloud privacy upside-down clipperz Giulio Cesare
SOLAROLI
[email protected]
jse2011 - Paris, January 20 2011 Thursday, January 20, 2011 how JavaScript may help
clipperz project Thursday, January 20, 2011
clipperz project store (and share) personal data Thursday, January 20,
2011
clipperz project store (and share) personal data •reliable Thursday, January
20, 2011
clipperz project store (and share) personal data •reliable •secure Thursday,
January 20, 2011
clipperz project store (and share) personal data •reliable •secure •convenient
Thursday, January 20, 2011
reliable Thursday, January 20, 2011
reliable the “cloud” is definitely the most reliable way to
store data Thursday, January 20, 2011
secure Thursday, January 20, 2011
secure “host proof hosting” Thursday, January 20, 2011
secure “host proof hosting” concept defined around 2005 to merge
the reliability of cloud based storage and the security achievable using cryptography Thursday, January 20, 2011
convenient Thursday, January 20, 2011
convenient since GMail, convenient means “web based” Thursday, January 20,
2011
convenient since GMail, convenient means “web based” •nothing to install
Thursday, January 20, 2011
convenient since GMail, convenient means “web based” •nothing to install
•nothing to configure Thursday, January 20, 2011
clipperz project Thursday, January 20, 2011
clipperz project Thatʼs easy Thursday, January 20, 2011
clipperz project Thatʼs easy, isnʼt it? Thursday, January 20, 2011
clipperz project Thatʼs easy almost! , isnʼt it? Thursday, January
20, 2011
clipperz project Thatʼs easy almost! the devil hides in the
details , isnʼt it? Thursday, January 20, 2011
clipperz challenges Thursday, January 20, 2011
clipperz challenges achieve convenience Thursday, January 20, 2011
clipperz challenges achieve convenience keeping the system secure Thursday, January
20, 2011
clipperz challenges achieve convenience keeping the system secure •never trade
security for convenience Thursday, January 20, 2011
clipperz challenges achieve convenience keeping the system secure •never trade
security for convenience •being paranoid “only the paranoid survive” Thursday, January 20, 2011
cryptography very short compendium Thursday, January 20, 2011
cryptography Thursday, January 20, 2011
symmetric encryption scheme cryptography Thursday, January 20, 2011
symmetric encryption scheme •message cryptography Thursday, January 20, 2011
symmetric encryption scheme •message •algorithm cryptography Thursday, January 20, 2011
symmetric encryption scheme •message •algorithm •secret key cryptography Thursday, January
20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
cryptography symmetric encryption Thursday, January 20, 2011
application anatomy Thursday, January 20, 2011
application anatomy zero-knowledge web app Thursday, January 20, 2011
application anatomy zero-knowledge web app aka host proof app Thursday,
January 20, 2011
application anatomy zero-knowledge web app aka host proof app •verifiable
codebase Thursday, January 20, 2011
application anatomy zero-knowledge web app aka host proof app •verifiable
codebase •no tampering Thursday, January 20, 2011
application anatomy zero-knowledge web app aka host proof app •verifiable
codebase •no tampering •wise password handling Thursday, January 20, 2011
verifiable codebase Thursday, January 20, 2011
verifiable codebase •all source code available for inspection https://github.com/clipperz Thursday,
January 20, 2011
verifiable codebase •all source code available for inspection https://github.com/clipperz •app
served as a single, static, HTML file Thursday, January 20, 2011
verifiable codebase •all source code available for inspection https://github.com/clipperz •app
served as a single, static, HTML file •browsers do not support checksum verification #fail Thursday, January 20, 2011
no tampering Thursday, January 20, 2011
no tampering application code should not be modifiable by any
data returned by the server Thursday, January 20, 2011
no tampering application code should not be modifiable by any
data returned by the server •javascript is very dynamic Thursday, January 20, 2011
no tampering application code should not be modifiable by any
data returned by the server •javascript is very dynamic •eval(…) is your enemy here Thursday, January 20, 2011
password handling Thursday, January 20, 2011
password handling password should never be sent to server Thursday,
January 20, 2011
password handling password should never be sent to server •SRP
authentication Thursday, January 20, 2011
password handling password should never be sent to server •SRP
authentication •only verifiers are stored and exchanged Thursday, January 20, 2011
security tradeoffs Thursday, January 20, 2011
security tradeoffs features Thursday, January 20, 2011
security tradeoffs features security Thursday, January 20, 2011
security tradeoffs features security Thursday, January 20, 2011
security tradeoffs features security Thursday, January 20, 2011
being paranoid Thursday, January 20, 2011
being paranoid clipperz does not store neither the password, Thursday,
January 20, 2011
being paranoid clipperz does not store neither the password, nor
the username Thursday, January 20, 2011
being paranoid clipperz does not store neither the password, nor
the username •users can still login! #ftw Thursday, January 20, 2011
being paranoid clipperz does not store neither the password, nor
the username •users can still login! #ftw •multiple accounts can share the same username! #wtf Thursday, January 20, 2011
features?! Thursday, January 20, 2011
features?! password manager Thursday, January 20, 2011
features?! password manager playground to test how far this architecture
could go Thursday, January 20, 2011
features?! password manager playground to test how far this architecture
could go • features Thursday, January 20, 2011
features?! password manager playground to test how far this architecture
could go • features • convenience Thursday, January 20, 2011
features?! password manager playground to test how far this architecture
could go • features • convenience • reliability Thursday, January 20, 2011
features!! Thursday, January 20, 2011
features!! direct logins Thursday, January 20, 2011
features!! direct logins one-click access to most sites #ftw Thursday,
January 20, 2011
features!! direct logins one-click access to most sites ✘ some
#cool ✓ Thursday, January 20, 2011
features!! Thursday, January 20, 2011
features!! one time password Thursday, January 20, 2011
features!! one time password access your data without typing your
password Thursday, January 20, 2011
features!! one time password access your data without typing your
password great for using clipperz from an internet caffè Thursday, January 20, 2011
features!! Thursday, January 20, 2011
features!! offline copy Thursday, January 20, 2011
features!! offline copy full application (including your own data) packed
into a single html file Thursday, January 20, 2011
features!! offline copy full application (including your own data) packed
into a single html file no external resources used Thursday, January 20, 2011
features!! Thursday, January 20, 2011
hidden features!! Thursday, January 20, 2011
hidden features!! hashcash Thursday, January 20, 2011
hidden features!! hashcash avoid bots access without bothering users with
nasty capcha puzzles Thursday, January 20, 2011
odd side effects!! Thursday, January 20, 2011
odd side effects!! no page reload Thursday, January 20, 2011
odd side effects!! no page reload otherwise credential values are
lost, and the user needs to type them in again #fail Thursday, January 20, 2011
odd side effects!! Thursday, January 20, 2011
odd side effects!! no fancy web-2.0 mash-ups Thursday, January 20,
2011
odd side effects!! no fancy web-2.0 mash-ups difficult to integrate
into other products without relaxing security concerns Thursday, January 20, 2011
odd side effects!! no fancy web-2.0 mash-ups difficult to integrate
into other products without relaxing security concerns and we are paranoid! Thursday, January 20, 2011
clipperz http://www.clipperz.com
[email protected]
THANKS Thursday, January 20, 2011