Clojurians Log v2

Clojure programming

Channels

# 100-days-of-code # aatree # admin-announcements # adventofcode # ai # alda # aleph # all-the-channels # announcements # arachne # architecture # asami # atlanta-clojurians # atom-editor # autochrome-github # avi # aws # aws-lambda # babashka # babashka-sci-dev # bangalore-clj # beginners # berlin # biff # bigdata # bitcoin # boot # boot-dev # boulder-clojurians # braid-chat # braveandtrue # brevis # bristol-clojurians # business # calva # capetown # carry # cbus # cestmeetup # chestnut # chlorine-clover # cider # circleci # clara # clj-commons # cljdoc # cljfx # clj-http # clj-kondo # clj-on-windows # cljs-dev # cljs-experience # cljsfiddle # cljsjs # cljsrn # cljtogether # clojars # clojure # clojure-android # clojure-argentina # clojure-art # clojure-austin # clojure-australia # clojure-austria # clojure-bangladesh # clojure-bay-area # clojure-beijing # clojure-belgium # clojure-berlin # clojure-boston # clojure-brasil # clojurebridge # clojurebridge-ams # clojure-canada # clojure-chennai # clojure-chicago # clojure-china # clojure-colombia # clojure-conj # clojurecup # clojure-czech # clojured # clojure-denmark # clojure-denver # clojure-derby # clojuredesign-podcast # clojure-dev # clojure-dusseldorf # clojure-ecuador # clojure-egypt # clojure-estonia # clojure-europe # clojure-filipino # clojure-finland # clojure-france # clojure-gamedev # clojure-germany # clojure-greece # clojure-guangzhou # clojure-hamburg # clojure-hk # clojure-houston # clojure-hungary # clojure-india # clojureindia # clojure-indonesia # clojure-ireland # clojure-israel # clojure-italy # clojure-japan # clojure-kc # clojure-korea # clojure-losangeles # clojure-madison # clojure-mexico # clojure-miami # clojure-mk # clojure-mke # clojure-morsels # clojure-my # clojure-new-zealand # clojure-nl # clojure-nlp # clojure-norway # clojure-poland # clojure-portugal # clojure-provo # clojure-quebec # clojureremote # clojure-romania # clojure-russia # clojure-sanfrancisco # clojurescript # clojurescript-ios # clojure-sdn # clojure-seattle # clojure-serbia # clojure-sg # clojure-shanghai # clojure-spain # clojure-spec # clojuresque # clojure-survey # clojure-sweden # clojure-switzerland # clojure-taiwan # clojure-turkiye # clojure-uk # clojure-ukraine # clojureverse-ops # clojurewerkz # clojurewest # clojurex # clojure-za # clojurian-chat-app # clojutre # cloverage # cloxp # clr # code-art # code-reviews # community-development # component # conf-proposals # conjure # consulting # contributions-welcome # copenhagen-clojurians # core-async # core-logic # core-matrix # core-typed # cryogen # crypto # css # cursive # cz-clojure # d2q # datacrypt # datahike # datalevin # datalog # data-oriented-programming # data-science # datascript # datavis # dato # datomic # defnpodcast # deps-new # depstar # devcards # devops # dirac # docker # docs # domino-clj # duct # dunaj # eastwood # editors # emacs # error-message-catalog # etaoin # ethereum # euroclojure # events # exercism # expound # figwheel # figwheel-main # flambo # fulcro # funcool # functionalprogramming # funimage # garden # ghostwheel # girouette # gis # google-cloud # gorilla # graalvm # graalvm-mobile # graclj # graphql # gratitude # gsoc # hammock-driven-dev # helix # heroku # hispano # holy-lambda # honeysql # hoplon # hugsql # humor # hypercrud # hyperfiddle # immutant # improve-getting-started # incanter # indycljs # inf-clojure # instaparse # integrant # interceptors # interop # introduce-yourself # iot # iotivity # ipfs # jackdaw # jaunt # java # javascript # javelin # jobs # jobs-discuss # jobs-rus # joker # jukebox # juxt # jvm # kaocha # keechma # kekkonen # keyboards # klipse # kosmos # lambdaisland # ldnclj # ldnproclodo # lein-figwheel # leiningen # liberator # liquid # livestream # local-first-clojure # london-clojurians # lsp # luminus # lumo # mail # malli # mathematics # meander # melbourne # membrane # mental-health # microservices # mid-cities-meetup # midje # minecraft # minimallist # missionary # monads # mount # music # new-channels # new-clojure # nextjournal # nginx # nrepl # numerical-computing # nyc # observability # off-topic # om # om-next # onyx # other-languages # other-lisps # overtone # pamela # parinfer # pathom # pedestal # perun # philosophy # phzr # planck # plastic # play-clj # podcasts # polylith # portal # portkey # portland-or # powderkeg # practicalli # precept # prelude # programming-beginners # project-updates # proletarian # proton # protorepl # pulsar # pure-frame # qa # qlkit # quil # random # rdf # react # reactive # reading-clojure # reagent # reclojure # re-frame # reitit # releases # remote-jobs # respo # rethinkdb # reveal # rewrite-clj # ring # ring-swagger # robots # rum # schema # sci # sfcljs # shadow-cljs # _silence # sim-testing # sioux-falls # slack-help # sneer # sneer-br # spacemacs # specmonstah # specter # speculative # spirituality-ethics # sql # startup-in-a-month # sydney # test200 # test-check # testing # thejaloniki # timbre # tmp-json-parsing # tools-build # tools-deps # trading # tree-sitter # uncomplicate # unrepl # untangled # utah-clojurians # videos # vim # vrac # vscode # wasm # web-security # windows # xtdb # yada # yleinen

Apps

crypto

2016-09-06T16:40:01.000004Z

@vikeri Welcome to the sleepy security corner of clojurians.

vikeri 2016-09-06T16:50:58.000005Z

@xcthulhu: haha thanks!

2016-09-06T17:16:00.000006Z

@vikeri The only other guy I know around here who also does security is @lvh - he maintains a NaCl wrapper - https://github.com/lvh/caesium

2016-09-06T17:17:01.000008Z

Server-side only though, I personally believe there will be a massive demand for JS crypto as developers spend more and more time in the JS VM

lvh 2016-09-06T17:25:35.000009Z

hello

lvh 2016-09-06T17:25:49.000010Z

yeah, so, JS crypto

lvh 2016-09-06T17:26:04.000011Z

I need to write up some thoughts around that

vikeri 2016-09-06T17:48:36.000012Z

@lvh @xcthulhu interesting! Yes there will definitely be a big demand for js crypto, not only all the node apps, but things like react native will increase demands as well. One may reach out to Java or Obj-C but it would definitely be more convenient to stay in the js realm.

lvh 2016-09-06T17:49:51.000013Z

that’s a significant difference though; if you’re running in react native you can probably libffi out

lvh 2016-09-06T17:50:07.000014Z

you don’t get to do that as much with browser crypto

lvh 2016-09-06T17:50:30.000015Z

my main concern is threat models (or ostensible lack thereof)

lvh 2016-09-06T17:50:43.000016Z

I can think of a handful of usecases where it works reasonably well

lvh 2016-09-06T17:50:55.000017Z

1. KDFing in the browser, which may or may not be sane

lvh 2016-09-06T17:51:22.000018Z

2. compatibility with some other thing where you do have a way to ship code

2016-09-06T17:51:33.000019Z

@lvh: You know that the closure-library ships with PKDF2, right?

lvh 2016-09-06T17:52:07.000020Z

sure, there’s plenty of pure-js crypto that exists

lvh 2016-09-06T17:52:30.000021Z

I’m not sure if you intended that to impact my point

lvh 2016-09-06T17:52:42.000022Z

or if it was just a by-the-way comment

2016-09-06T17:54:00.000023Z

Just a by-the-way, really. You can effectively wrap FFI calls in Chrome/Safari/FireFox via the W3C WebCrypto API - https://www.w3.org/TR/WebCryptoAPI/

2016-09-06T17:55:59.000024Z

Probably the biggest downside is that JSC doesn't implement it, which is what all of the ReactNative app developers want.

2016-09-06T17:56:58.000025Z

I guess you wouldn't be super happy with it either, since it doesn't implement ED25519 or Twisted Edwards curves in general.

2016-09-06T18:12:07.000026Z

Also, there's no particular way to protect crypto from getting overridden, so an attacker could inject JS and hack it to produce signatures with recoverable private keys.

lvh 2016-09-06T18:52:31.000027Z

right

lvh 2016-09-06T18:52:51.000028Z

so: nodejs ffi crypto, no problem

lvh 2016-09-06T18:52:59.000029Z

pure JS crypto: not intrinsically bad

lvh 2016-09-06T18:53:27.000030Z

just that everyone I’ve talked to so far in depth who wanted either a) wanted compatibility with another thing where they could securely ship crypto or b) it hadn’t really thought about their threat model

2016-09-06T19:31:04.000031Z

@lvh For my own work, I want it because I need to do user authentication by third parties out of band.

2016-09-06T19:31:45.000032Z

Clients I have talked to want it to avoid having so-called hot-wallets on their servers which are a massive liability.

2016-09-06T19:39:03.000033Z

It's worth noting in the little cottage industry of JavaScript P2P networks, folks reimplement JS crypto time and time again. Here's the one libp2p uses - https://github.com/libp2p/js-libp2p-crypto/blob/master/src/keys/rsa.js

lvh 2016-09-06T19:42:11.000035Z

right; so my problem isn’t “I can’t figure out why you might want that”, but rather “in-browser, I can’t think of any use cases where the server couldn’t trivially compromise it in the manner you described above anyway"

2016-09-06T19:44:31.000036Z

If it's bundled in a ReactApp, I suppose you place your trust in the Google and Apple stores.

2016-09-06T19:50:41.000037Z

I have recommended to my clients hell-bent on having browser wallets that they use IPFS. The state of the industry is horrible right now, but there is a browser plugin for this - https://github.com/dylanPowers/ipfs-chrome-extension

2016-09-06T19:51:31.000039Z

The plan is to move away from calling the IPFS daemon and use JavaScript instead.

2016-09-06T19:57:28.000040Z

@lvh: Anyway, even if you are placing trust in the server for content delivery, wouldn't having JavaScript handle all of private-key signatures for a digital currency wallet spare you from storing them on the backend?

2016-09-06T19:59:28.000041Z

So you wind up with less attack surface, because a DB filled with hot-wallets is a very easy target for a thief compared to hacking some JS to send you private keys or passwords out of band.

2016-09-06T20:00:00.000042Z

Or in band, I guess, if you've accessed the server...

lvh 2016-09-06T20:00:58.000043Z

It’s a different threat surface, I’m not sure it’s less

lvh 2016-09-06T20:01:27.000044Z

It becomes a lot easier to steal a hot wallet with anything targeting that user’s browser

lvh 2016-09-06T20:03:52.000045Z

So if the question is “is stealing hot wallets easier if they’re all on the server versus if you have to compromise them on clients via content delivery” then, I guess; is it better than the content delivery problem plus CSRF/XSS? maybe less sure

2016-09-06T20:18:14.000046Z

You can steal passwords just as easily as you can steal private keys if you compromise content delivery, right?

lvh 2016-09-06T20:18:38.000047Z

Yes