HackerTrans
トップ新着トレンドコメント過去質問紹介求人

xori

no profile record

コメント

xori
·5 か月前·議論
~~Written by the same people?~~

EDIT: ha, confused with https://wiki.xxiivv.com/site/uxn.html
xori
·8 か月前·議論
The real question is can Windows defender scan these drives?
xori
·12 か月前·議論
I've been wanting to do this for ages. Originally I wanted to do this at the home router level, but that quickly got shut down when I got a test net up and running and my friends could control the Chromecasts in my house.

For us a "tailscale" equivalent with SoftEther is what we used to manage the DNS/Tunneling for our fileshare/services.

So cool to see more people playing in this space. Please post more! <3
xori
·昨年·議論
"How do you get corporate secrets out of a software engineer? Sit them next to another engineer on a plane."
xori
·昨年·議論
Well they aren't in Canada for me yet, but that's probably because we aren't the public that needs to know.
xori
·2 年前·議論
"Show me what you got"
xori
·2 年前·議論
I understand, but things like https://github.com/GoogleChromeLabs/comlink enable it. Similar to how iFrames don't have access to their parent page you need a facilitator. My question is why not use a js facilitator that could work in all browsers, rather than just Chrome.

I find it an interesting choice that the author decided to invest in new iFrame technology rather than existing multi-thread technology in the browser.
xori
·2 年前·議論
I see it now, I don't know how I missed it.
xori
·2 年前·議論
Why reach for iFrames over other technology like WebWorkers?
xori
·2 年前·議論
I'm confident then that you can skip the base64 encoded header and just have the server use the jwt passed in the bearer token and the new signature you propose. (As the base64 encoded version can be reconstructed from the JWT itself)

But I think ideally I would use a wrapped JWT with `"alg": "ES256"` and just pass it as normal in a bearer token[0] as JWTs natively support signed primitives.

[0]: https://jwt.io/#debugger-io?token=eyJhbGciOiJFUzI1NiIsInR5cC...
xori
·2 年前·議論
When you `.get` a credential you can provide a challenge that it signs which you can make the JWT. With an added bonus that this passkey can exist on your phone or password manager which you can use to authenticate on a different device while still feeling confident in it's security.
xori
·2 年前·議論
Yeah that does it for new keys generated, any old keys in IDB obviously still are exposed.
xori
·2 年前·議論
Rather than generating key data on the client in the open, and storing it in IDB, I would recommend the Credential Management API[0]. Hand off the responsibility to proper generation and storage to the user agent. Then do your signing of the JWT with them instead.

[0]: https://developer.mozilla.org/en-US/docs/Web/API/Credential_...
xori
·2 年前·議論
so I don't fully understand what you're preventing

    const db = await openDatabase();
    const keyPair = await getKeyPair(db);
    await crypto.subtle.exportKey("jwk", keyPair.privateKey)
exports the private key if I have a XSS vuln.

The recommendation for IP address in the JWT is good, but I don't understand your last recommendation of 1) sending the JWT, 2) additionally sending the base64 JWT in a header 3) sending the signature in the header. The crypto.subtle api only works on https domains so you're not defending against mitm attacks on unsecure networks either. And if we can't trust TLS what can we trust on the web?
xori
·2 年前·議論
Not much here explicitly in the source code dump. A little insight into their worker node infra but no "secret sauce" imo.
xori
·2 年前·議論
Hyperswarm has been my go-to for stuff like this, but you bring up a good point that I don't think it's encrypted.

https://github.com/holepunchto/hyperswarm
xori
·4 年前·議論
I don't know if 5 miles is long enough for the people who actually need it, but if I was a postal worker, these would be pretty sweet. And 1400 USD is cheaper than some car insurance here in Canada for young males.
xori
·4 年前·議論
JPGs are not security, and moving JPGs can be fabricated very easily. Some v-tuber software with a deepfake GAN strapped to it I feel like would fool 1-on-1 meetings too.

I got my weekend project.
xori
·5 年前·議論
> we can't decrypt your data.

But I thought the point of the cages, is that _do_ decrypt the data. And any government mandated backdoors would then go into that process. You're not doing any homomorphic encryption here.

I guess my issue, is that you see both the keys and data, not just one.
xori
·5 年前·議論
It's actually built into vanilla android https://support.google.com/googleplay/answer/9283534?hl=en