Comments (5)
Hey could you be a bit more precise?
What do you mean with hijacking?
Where would someone inject malicious javascript?
> Hey could you be a bit more precise?

Of course!

> What do you mean with hijacking?

Like, if someone were to hijack DNS, or Netlify (the hosting provider for https://emberclear.io), and maybe built their own version of emberclear that steals private keys, is there a way to notify the user that the app has been compromised?

> Where would someone inject malicious javascript?

Anywhere in app.js or vendor.js, or in any of the dynamically loaded JS libraries (see the prism.js issue)
Ah I understand now.
Regarding the DNS hijacking you can't really do much.
The way I would do it is have the emberclear.io frontend talk to a separate backend server (database) via API calls and have the server only accept connections/requests from that frontend server.
To notify users you could ask them for an email address but that defeats the purpose, they could follow a social media channel instead.
If you're worried about dynamically loaded Javascript libraries you should host them on a CDN yourself and periodically push them live after verifying and set up Content Security Policies (CSP).
There might be some easier ways to go about this, but that's what I know.
> Regarding the DNS hijacking you can't really do much.

hm, I wonder if there is some check we can do if someone already has the assets downloaded (this app has service workers)

> The way I would do it is have the emberclear.io frontend talk to a separate backend server (database) via API calls and have the server only accept connections/requests from that frontend server.

The (currently only) relay is hosted at heroku, so, there is that :)
There is no authentication though, because auth is p2p -- the server literally just relays messages to connected clients.

> To notify users you could ask them for an email address but that defeats the purpose, they could follow a social media channel instead.

Yeah, email address would be a no-go, this app is for 'anonymous' communication -- the relay doesn't track/log anything.

> If you're worried about dynamically loaded Javascript libraries you should host them on a CDN yourself and periodically push them live after verifying and set up Content Security Policies (CSP).

Yeah, I wonder if the prism.js issue can be mitigated by just hosting prism myself. I like this idea. I'm currently using cdn.jsdelivr

> There might be some easier ways to go about this, but that's what I know.

thanks! this has been helpful!
> hm, I wonder if there is some check we can do if someone already has the assets downloaded (this app has service workers)

Maybe set a local storage/cookie flag with a hash sum of the current asset version?
I know that there is a way via header tags as well, but I'm not too familiar with that.

> The (currently only) relay is hosted at heroku, so, there is that :)
> There is no authentication though, because auth is p2p -- the server literally just relays messages to connected clients.

Yeah you'd have to get a second server acting as a database which only trusts your frontend server.

> Yeah, email address would be a no-go, this app is for 'anonymous' communication -- the relay doesn't track/log anything.

Yeah I figured.

> Yeah, I wonder if the prism.js issue can be mitigated by just hosting prism myself. I like this idea. I'm currently using cdn.jsdelivr

Definitely make sure to host a version yourself. If they update a JavaScript library this most likely won't affect you unless you want to use a new feature, but then you'd have to update the application anyway.

> thanks! this has been helpful!

No problem, shoot me a DM via Twitter if you have any other questions and I'll see if I can help out.
Good luck!