Clojurians Log v2

Clojure programming

Channels

# 100-days-of-code # aatree # admin-announcements # adventofcode # ai # alda # aleph # all-the-channels # announcements # arachne # architecture # asami # atlanta-clojurians # atom-editor # autochrome-github # avi # aws # aws-lambda # babashka # babashka-sci-dev # bangalore-clj # beginners # berlin # biff # bigdata # bitcoin # boot # boot-dev # boulder-clojurians # braid-chat # braveandtrue # brevis # bristol-clojurians # business # calva # capetown # carry # cbus # cestmeetup # chestnut # chlorine-clover # cider # circleci # clara # clj-commons # cljdoc # cljfx # clj-http # clj-kondo # clj-on-windows # cljs-dev # cljs-experience # cljsfiddle # cljsjs # cljsrn # cljtogether # clojars # clojure # clojure-android # clojure-argentina # clojure-art # clojure-austin # clojure-australia # clojure-austria # clojure-bangladesh # clojure-bay-area # clojure-beijing # clojure-belgium # clojure-berlin # clojure-boston # clojure-brasil # clojurebridge # clojurebridge-ams # clojure-canada # clojure-chennai # clojure-chicago # clojure-china # clojure-colombia # clojure-conj # clojurecup # clojure-czech # clojured # clojure-denmark # clojure-denver # clojure-derby # clojuredesign-podcast # clojure-dev # clojure-dusseldorf # clojure-ecuador # clojure-egypt # clojure-estonia # clojure-europe # clojure-filipino # clojure-finland # clojure-france # clojure-gamedev # clojure-germany # clojure-greece # clojure-guangzhou # clojure-hamburg # clojure-hk # clojure-houston # clojure-hungary # clojure-india # clojureindia # clojure-indonesia # clojure-ireland # clojure-israel # clojure-italy # clojure-japan # clojure-kc # clojure-korea # clojure-losangeles # clojure-madison # clojure-mexico # clojure-miami # clojure-mk # clojure-mke # clojure-morsels # clojure-my # clojure-new-zealand # clojure-nl # clojure-nlp # clojure-norway # clojure-poland # clojure-portugal # clojure-provo # clojure-quebec # clojureremote # clojure-romania # clojure-russia # clojure-sanfrancisco # clojurescript # clojurescript-ios # clojure-sdn # clojure-seattle # clojure-serbia # clojure-sg # clojure-shanghai # clojure-spain # clojure-spec # clojuresque # clojure-survey # clojure-sweden # clojure-switzerland # clojure-taiwan # clojure-turkiye # clojure-uk # clojure-ukraine # clojureverse-ops # clojurewerkz # clojurewest # clojurex # clojure-za # clojurian-chat-app # clojutre # cloverage # cloxp # clr # code-art # code-reviews # community-development # component # conf-proposals # conjure # consulting # contributions-welcome # copenhagen-clojurians # core-async # core-logic # core-matrix # core-typed # cryogen # crypto # css # cursive # cz-clojure # d2q # datacrypt # datahike # datalevin # datalog # data-oriented-programming # data-science # datascript # datavis # dato # datomic # defnpodcast # deps-new # depstar # devcards # devops # dirac # docker # docs # domino-clj # duct # dunaj # eastwood # editors # emacs # error-message-catalog # etaoin # ethereum # euroclojure # events # exercism # expound # figwheel # figwheel-main # flambo # fulcro # funcool # functionalprogramming # funimage # garden # ghostwheel # girouette # gis # google-cloud # gorilla # graalvm # graalvm-mobile # graclj # graphql # gratitude # gsoc # hammock-driven-dev # helix # heroku # hispano # holy-lambda # honeysql # hoplon # hugsql # humor # hypercrud # hyperfiddle # immutant # improve-getting-started # incanter # indycljs # inf-clojure # instaparse # integrant # interceptors # interop # introduce-yourself # iot # iotivity # ipfs # jackdaw # jaunt # java # javascript # javelin # jobs # jobs-discuss # jobs-rus # joker # jukebox # juxt # jvm # kaocha # keechma # kekkonen # keyboards # klipse # kosmos # lambdaisland # ldnclj # ldnproclodo # lein-figwheel # leiningen # liberator # liquid # livestream # local-first-clojure # london-clojurians # lsp # luminus # lumo # mail # malli # mathematics # meander # melbourne # membrane # mental-health # microservices # mid-cities-meetup # midje # minecraft # minimallist # missionary # monads # mount # music # new-channels # new-clojure # nextjournal # nginx # nrepl # numerical-computing # nyc # observability # off-topic # om # om-next # onyx # other-languages # other-lisps # overtone # pamela # parinfer # pathom # pedestal # perun # philosophy # phzr # planck # plastic # play-clj # podcasts # polylith # portal # portkey # portland-or # powderkeg # practicalli # precept # prelude # programming-beginners # project-updates # proletarian # proton # protorepl # pulsar # pure-frame # qa # qlkit # quil # random # rdf # react # reactive # reading-clojure # reagent # reclojure # re-frame # reitit # releases # remote-jobs # respo # rethinkdb # reveal # rewrite-clj # ring # ring-swagger # robots # rum # schema # sci # sfcljs # shadow-cljs # _silence # sim-testing # sioux-falls # slack-help # sneer # sneer-br # spacemacs # specmonstah # specter # speculative # spirituality-ethics # sql # startup-in-a-month # sydney # test200 # test-check # testing # thejaloniki # timbre # tmp-json-parsing # tools-build # tools-deps # trading # tree-sitter # uncomplicate # unrepl # untangled # utah-clojurians # videos # vim # vrac # vscode # wasm # web-security # windows # xtdb # yada # yleinen

Apps

clojure-boston

2016-04-19T12:48:49.000011Z

WRT to security, would people be interested in developing a cryptographically secure chat program?

2016-04-19T12:49:47.000012Z

I imagine we could all have separate devcard different teams are editing and I could set up the server to do a pub/sub type thing

2016-04-19T12:52:16.000013Z

I'd have to do some legwork to get the environment set up nicely

mchampine 2016-04-19T13:37:12.000014Z

@xcthulhu: I'd be interested in that. Lots of decisions to make up-front, e.g. would we be assembling this from existing parts (e.g. there are existing libs for both chat and crypto in Clojure) or trying to roll our own? Use TLS for comms or more basic primitives? How to managed and distributed keys, etc. These decisions hinge on what we're trying to get out of it: a secure system, or to learn our way around using cryptographic tools, and/or to learn about building networked apps. Maybe schedule a planning meeting at a future meetup, or continue discussing the ideas here.

2016-04-19T13:41:26.000015Z

Well, here's what I'd go with:

2016-04-19T13:41:40.000016Z

(1) sente for doing server relay https://github.com/ptaoussanis/sente

2016-04-19T13:43:01.000018Z

In my efforts to unit test it I already figured out how to get it to act as a relay server for a chat https://github.com/ptaoussanis/sente/pull/215

2016-04-19T13:47:27.000021Z

(2) I'd have clients generate their own public/private keys in ClojureScript running in the browser rather than go through TLS. This is the security model Proton Mail has ; in this architecture the server has no visibility at all into the content of the encrypted messages

2016-04-19T13:59:17.000022Z

This could be done via the SJCL, which I've wrapped here for clojurescript: https://github.com/xcthulhu/sjcl-cljs

2016-04-19T14:00:10.000024Z

Alternatively we could go with elliptic, which has better performance but I'm still trying to wrestle with to figure out its externs and whether I need to do anything to get it to play nice with the Closure compiler: https://github.com/indutny/elliptic

2016-04-19T15:13:48.000026Z

that sounds really cool

2016-04-19T15:14:05.000027Z

I don't know much about cryptography, so I think it would be a neat opportunity to learn.

mchampine 2016-04-19T15:15:38.000028Z

A ClojureScript client! Interesting idea. I haven't done much ClojureScript or JS crypto. I had been thinking Aleph for the chat comms: http://alexkehayias.tumblr.com/post/28783286946/a-simple-real-time-chat-server-using-clojure-and . A web client would surely be appealing - though we'd be closer to the bleeding edge. Very cool that you've wrappered the Stanford JS crypto. That lib would have been really handy years ago when I wanted to build an all-JS SRP client. (I've always found SRP to be an impressive bit of crypto). What's wrong with the ECC in the Standford JS Lib? Too low level, or incomplete?

mchampine 2016-04-19T15:25:45.000030Z

I did several projects with ECC back in the late 90's with HP. We had some PhDs from Waterloo writing the core algos, and I packaged it up for general use, e.g. my ECDSA crypto provider for early prototypes of W3C Digital Signature initiative.

2016-04-19T15:30:26.000031Z

I've used sente before, and it's pretty easy to use. If all we're doing on the server is relaying messages to clients, that would be very straightforward to implement using sente.

henrytill 2016-04-19T15:42:14.000032Z

+1 for the idea. +1 for Aleph as well.

mchampine 2016-04-19T15:42:20.000033Z

Does it make sense to have both web and desktop clients? Maybe for a 2nd phase? Not sure that Sente makes sense for non-JS clients though. For non-JS crypto we could use buddy (layered on BouncyCastle) or caesium (layered on libsodium). The alternative to a true desktop app might be to stay in JS and write an Electron client for those that want a desktop-ish experience.

henrytill 2016-04-19T15:42:40.000034Z

or try WebRTC!

mchampine 2016-04-19T15:42:54.000035Z

There ya go!

henrytill 2016-04-19T15:43:34.000036Z

most people use http-kit with sente?

2016-04-19T15:44:33.000037Z

> What's wrong with the ECC in the Standford JS Lib? The SJCL is super messy, writing the externs for it was horrible

2016-04-19T15:45:25.000038Z

Also, it doesn't support Ed25519, unlike elliptic: https://ed25519.cr.yp.to/

mchampine 2016-04-19T15:45:26.000040Z

Probably mostly http-kit w/ sente. I guess the immutant lib is super fast tho.

henrytill 2016-04-19T15:45:51.000041Z

I've heard...mixed things about http-kit

mchampine 2016-04-19T15:46:19.000042Z

there's always nginix

mchampine 2016-04-19T15:46:27.000043Z

oops, nginx

2016-04-19T15:49:36.000045Z

I really wish sente supported Clojure clients, btw, since there's no omnibus network message layer for Clojure(Script)

2016-04-19T15:50:47.000046Z

I started something that exposes the same crypto API for Clojure(Script) btw: https://github.com/xcthulhu/bitauth

2016-04-19T15:51:05.000048Z

No ECDH which is annoying

henrytill 2016-04-19T15:52:42.000050Z

well i really like the idea of doing the client w/keygen in cljs with "dumb" server in clj

2016-04-19T15:53:12.000051Z

End-to-end crypto is the industry trend: http://techcrunch.com/2016/04/19/viber-adds-end-to-end-encryption-hidden-chats-universal-delete-as-messaging-app-privacy-grows/?ncid=rss

henrytill 2016-04-19T15:53:18.000053Z

too true

2016-04-19T15:53:53.000054Z

I'd love to do WebRTC too, but I've honestly never rolled my own DHT

2016-04-19T15:54:14.000055Z

Nor architected a gossip network

henrytill 2016-04-19T15:55:38.000056Z

yes, it could widen the scope of the workshop quite a bit

henrytill 2016-04-19T15:55:42.000057Z

😛

2016-04-19T15:58:57.000058Z

Gossip networks have security concerns too; naïve ones are very weak against DDOS

2016-04-19T15:59:08.000059Z

Yeah, there's a lot of fun

2016-04-19T16:00:51.000060Z

Anyway, I can try and hurry to get my little bitauth repo in better order so we can do ECDH

2016-04-19T16:01:09.000061Z

Since that's a massive PITA

henrytill 2016-04-19T16:01:17.000062Z

Looks cool.

henrytill 2016-04-19T16:01:37.000063Z

I think we can shelve the WebRTC idea just to keep things manageable...

2016-04-19T16:03:25.000064Z

I'd love to do it eventually