
add frontend #30

Open
fxnn opened this issue Jan 2, 2018 · 2 comments

Comments

Owner

fxnn commented Jan 2, 2018

No description provided.

fxnn added a commit that referenced this issue Jan 4, 2018
that's just the unchanged code from `create-react-app` cmd,
cf. https://reactjs.org/docs/add-react-to-a-new-app.html
fxnn added a commit that referenced this issue Jan 4, 2018
* sass integrated just as stated in tutorial (README.md)
* bulma is loaded from node_modules
fxnn added a commit that referenced this issue Jan 4, 2018
* sass integrated just as stated in tutorial (README.md)
* bulma is loaded from node_modules
fxnn added a commit that referenced this issue Jan 4, 2018
fxnn added a commit that referenced this issue Jan 4, 2018
* sass integrated just as stated in tutorial (README.md)
* bulma is loaded from node_modules
fxnn added a commit that referenced this issue Jan 4, 2018
they are now auto generated
fxnn added a commit that referenced this issue Jan 4, 2018
they are now auto generated
fxnn added a commit that referenced this issue Jan 4, 2018
Owner Author

fxnn commented Jan 7, 2018

For encrypting the responses, we should probably not rely upon RSA, see this StackExchange answer. Maybe, as suggested there, AES would be a better choice -- the request is already encrypted, so we could without a problem send the symmetric key together with the request.

Besides, interesting JavaScript libraries in RSA context are

  • juliangruber/keypair, supporting solely RSA key generation
  • wwwtyro/cryptico, supporting RSA key generation without random source, but with a passphrase, together with AES-based encryption and decryption and signing. We could probably use the libraries cryptico uses for a pure AES case (in terms of key generation from a passphrase).
  • travist/jsencrypt, which only seems to support encryption and decryption based on a given key.

fxnn added a commit that referenced this issue Jan 7, 2018
Owner Author

fxnn commented Jan 14, 2018

  • The deadbox webapp is meant to process private, sensitive data. When not being secure, there'd be no reason to use this app, so this has highest priority.
  • We must be careful whom to trust.
    • Third party libraries and build tools must not be trusted blindly.
    • Everyone must be able to verify the whole code of the webapp at any time. Therefore, the codebase must be as small as possible, but not minified.
    • Unfortunately, this forbids the use of transpilers. Yet, we can use ES6 if we decide to drop support for older browsers.
    • When using third party libraries and build tools, they must be very popular, thus having the highest probability of being reviewed by a lot of people.
  • As many security-relevant functions as possible must be taken from third party libraries (as that's way more secure than implementing them ourselves). Candidates are:
    • digitalbazaar/forge, which is fast, mature (since 2009/2010, >1,400 commits, 50 contributors) and gained a lot of attention (>2,000 stars on GitHub, >100,000 GitHub dependents).
      It implements a huge lot of crypto standards (amongst them AES, RSA, X509, SHA1+2, HMAC, PRNG, some encodings). On the downside, it uses quite a lot of build tools / devDependencies.
    • bitwiseshiftleft/sjcl aka Stanford Javascript Crypto Library, which is also fast,
      mature (since 2009, >400 commits, and 45 contributors) and gained a lot of attention (>4,000 stars on GitHub, but only 1,000 GitHub dependents). It implements a fair set of crypto standards (amongst them AES, SHA1+2, ECC, HMAC, PRNG, some encodings). It has only two devDependencies (eslint and jsDoc), but brings its own build tools in the repo.
  • We need a good pattern to plug together the UI. Big frameworks like React provide such patterns, but are possibly a bad fit for our above security requirements.
    • React, or its competitors
    • Minimal React-like frameworks like
      • hyperapp/hyperapp, which is really popular (>10,000 stars on GitHub), has 100% test coverage, no dependencies and consists of no more than 7.92 KiB JavaScript. For that, you'll get Virtual DOM nodes, the ELM Architecture and all that stuff.
      • creationix/domchanger copies the React approach, but replaces JSX with JSON-ML for DOM building. It's a zero-dependency, but yet 14.2 KiB library and not too popular (60 GitHub stars).
    • Alternative frameworks, like
      • leonidas/transparency, using the page's HTML as template and feeding in JSON data. It's quite popular (>900 stars on GitHub).
      • gelbm/DOMBrew can build DOM nodes in 5.01 KiB. Rather unknown.
      • nicbell/Attach.js is just 1.8 KiB of JavaScript, allowing you to bind JavaScript callbacks to the DOM using selectors.
        It's rather unknown.
    • Rather vanilla-ish approaches:
    • Libs that don't provide DOM stuff, but could still be useful:

fxnn added a commit that referenced this issue Jan 15, 2018
fxnn added a commit that referenced this issue Jan 15, 2018
fxnn added a commit that referenced this issue Jan 15, 2018
fxnn added a commit that referenced this issue Jan 20, 2018
fxnn added a commit that referenced this issue Jan 20, 2018
fxnn added a commit that referenced this issue Jan 20, 2018
fxnn added a commit that referenced this issue Jan 28, 2018
fxnn added a commit that referenced this issue Nov 16, 2019
# Conflicts:
#	.gitignore
fxnn added a commit that referenced this issue Nov 16, 2019
fxnn added a commit that referenced this issue Nov 16, 2019
* webapp verification
* untrusted Drop
* plus, some README.md rework
fxnn added a commit that referenced this issue Nov 16, 2019