
Comments (5)

harleo avatar harleo commented on May 24, 2024

Hey could you be a bit more precise?
What do you mean with hijacking?
Where would someone inject malicious javascript?

from emberclear.

NullVoxPopuli avatar NullVoxPopuli commented on May 24, 2024

Hey could you be a bit more precise?

Of course!

What do you mean with hijacking?

Like, if someone were to hijack DNS, or Netlify (the hosting provider for https://emberclear.io), and maybe built their own version of emberclear that steals private keys, is there a way to notify the user that the app has been compromised?

Where would someone inject malicious javascript?

Anywhere in app.js or vendor.js, or in any of the dynamically loaded JS libraries (see the prism.js issue).

from emberclear.

harleo avatar harleo commented on May 24, 2024

Ah I understand now.
Regarding the DNS hijacking you can't really do much.
The way I would do it is have the emberclear.io frontend talk to a separate backend server (database) via API calls and have the server only accept connections/requests from that frontend server.

To notify users you could ask them for an email address but that defeats the purpose, they could follow a social media channel instead.

If you're worried about dynamically loaded JavaScript libraries, you should host them on a CDN yourself, periodically push them live after verifying them, and set up Content Security Policies (CSP).

There might be some easier ways to go on about this, but that's what I know.

from emberclear.

NullVoxPopuli avatar NullVoxPopuli commented on May 24, 2024

Regarding the DNS hijacking you can't really do much.

hm, I wonder if there is some check we can do if someone already has the assets downloaded (this app has service workers)

The way I would do it is have the emberclear.io frontend talk to a separate backend server (database) via API calls and have the server only accept connections/requests from that frontend server.

The (currently only) relay is hosted at heroku, so, there is that :)
There is no authentication though, because auth is p2p -- the server literally just relays messages to connected clients.

To notify users you could ask them for an email address but that defeats the purpose, they could follow a social media channel instead.

Yeah, email address would be a no-go, this app is for 'anonymous' communication -- the relay doesn't track/log anything.

If you're worried about dynamically loaded JavaScript libraries, you should host them on a CDN yourself, periodically push them live after verifying them, and set up Content Security Policies (CSP).

Yeah, I wonder if the prism.js issue can be mitigated by just hosting prism myself. I like this idea. I'm currently using cdn.jsdelivr

There might be some easier ways to go on about this, but that's what I know.

thanks! this has been helpful!

from emberclear.

harleo avatar harleo commented on May 24, 2024

hm, I wonder if there is some check we can do if someone already has the assets downloaded (this app has service workers)

Maybe set a local storage/cookie flag with a hashsum of the current asset version?
I know that there is a way via header tags as well, but I'm not too familiar with that.

The (currently only) relay is hosted at heroku, so, there is that :)
There is no authentication though, because auth is p2p -- the server literally just relays messages to connected clients.

Yeah you'd have to get a second server acting as a database which only trusts your frontend server.

Yeah, email address would be a no-go, this app is for 'anonymous' communication -- the relay doesn't track/log anything.

Yeah I figured.

Yeah, I wonder if the prism.js issue can be mitigated by just hosting prism myself. I like this idea. I'm currently using cdn.jsdelivr

Definitely make sure to host a version yourself. If they update a JavaScript library, this most likely won't affect you unless you want to use a new feature, but then you'd have to update the application anyway.

thanks! this has been helpful!

No problem, shoot me a DM via Twitter if you have any other questions and I'll see if I can help out.

Good luck!

from emberclear.
