HackerTrans
TopNewTrendsCommentsPastAskShowJobs

boris1

no profile record

Submissions

Website switcheroo: links opening in tabs are dangerous (Tab Nabbing)

borisreitman.medium.com
2 points·by boris1·5 jaar geleden·0 comments

Problems with ancient musical scales

borisreitman.medium.com
22 points·by boris1·5 jaar geleden·11 comments

Diffie-Hellman for the layman

borisreitman.medium.com
21 points·by boris1·5 jaar geleden·8 comments

Show HN: Diffie-Hellman exchange for the layman

borisreitman.com
75 points·by boris1·5 jaar geleden·52 comments

Verification of Self-Signed Certificates

dev.to
1 points·by boris1·5 jaar geleden·0 comments

Verification of Self-Signed Certificates (In Python)

dev.to
1 points·by boris1·5 jaar geleden·0 comments

comments

boris1
·5 jaar geleden·discuss
I've now implemented folder encryption. If you encrypt folder 'foo', you get the file 'foo.encrypted'. When you decrypt it using the same tool, you get file 'foo.zip' which you download and uncompress into a folder 'foo'.
boris1
·5 jaar geleden·discuss
Update: the tool now allows to encrypt (and decrypt) files. It works in mobile browser too.
boris1
·5 jaar geleden·discuss
The check digits solve the MITM problem. You should compare them by another channel than email, such as text message. This is called "Short Authentication String" (SAS).
boris1
·5 jaar geleden·discuss
Thanks, gonna fix it.
boris1
·5 jaar geleden·discuss
I've improved the encrypt/decrypt form. Now the textareas expand, and there's a copy to clipboard button in order to copy the output. It makes it much easier to use on the phone.
boris1
·5 jaar geleden·discuss
Yes, just do not write (mod p), as it can be misleading to the reader. A mathematician doesn't care, but in RFCs they call the (mod p) groups a "prime group" to differentiate it from the Elliptic Curve group. (In fact, I think they call them "prime fields", not merely groups).

I think the keys can be smaller because every random coordinate is a valid value (valid key), but in the case of RSA, valid values are more sparse.
boris1
·5 jaar geleden·discuss
I'm using Elliptic Curve variant. There's no "mod". But you got the general idea. Also, all the math is built-in and done natively by the browser.
boris1
·5 jaar geleden·discuss
The only way is to use another channel for the Short Authentication String (SAS) (check digits in my case). I recommend that people SMS them the check digits, and exchange the DH offers by email.
boris1
·5 jaar geleden·discuss
There's no difference for the MITM how I pick the Short Authentication String (SAS) (the check digits).

But there's a difference in terms of strength of the encryption key, if you are planning to use the full password as input to Key Derivation Function (KDF). If you make public the first 5 letters of a 44 letter password, you've just made lost some of the entropy.

By the way, based on a comment in this thread, I added a SHA-256 stage. I now hash the full password, and sum the bytes of the hash to generate the check digits.
boris1
·5 jaar geleden·discuss
I've simplified the page by creating two modes: "simple" and "advanced". By default "simple" is shown, and it's what you'd need if you are the recipient, rather than an initiator would would be normally more technical.
boris1
·5 jaar geleden·discuss
I've simplified the page by creating two modes: "simple" and "advanced". By default "simple" is shown, and it's what you'd need if you are the recipient, rather than initiator.
boris1
·5 jaar geleden·discuss
Do yourselves a favor, and read Ayn Rand. Monopolies are created by governments, and are impossible in laissez-faire. Apple has created the App store when MS was seen as a "monopoly" that no one could move. Innovations beats anyone who dominates the market. Google did the same to a Alta Vista and Lycos, just by being better.
boris1
·5 jaar geleden·discuss
I've made a new addition: now the operating system of the other party is also sent as part of the exchange. This info helps decide what software to use for further encryption. e.g. DMG or BitLocker? And, I managed to do it without making the string longer. I stuffed it in the unused bits of the compressed coordinate.
boris1
·5 jaar geleden·discuss
You are right about YouTube embed. The sw.js is sending stuff, and I don't want that. I'm going to put the YouTube into an overlay, and will remove it from DOM after it's watched. EDIT: it's done.
boris1
·5 jaar geleden·discuss
Note that I'm using the Elliptic Curve Diffie-Hellman (ECDH) exchaneg, which is an additive group. That's how I can get the shared keys down to a small size.
boris1
·5 jaar geleden·discuss
I didn't roll my own. I'm using built-in browser functionality, available under crypto.subtle object of the browser. You can review the code in my WebUtil library on Github @borisreitman. It's just a light wrapper on top of browser's functionality.
boris1
·5 jaar geleden·discuss
I'm the author. This is a good suggestion, and I have moved my picture from the side menu, to the top of the scrollable portion.
boris1
·5 jaar geleden·discuss
Good idea. I will change it, should be live in 1 hour. I am going to SHA-256 hash it, then add the bytes of the hash and mod by 10000. It's better than just taking the first two bytes, because I want a 4 digit number.
boris1
·5 jaar geleden·discuss
Hi, I am the author. I know, but I wanted to use something built-in in the browser. When the browser implements Curve25519 I will change the code.
boris1
·5 jaar geleden·discuss
I'm the author. No data is sent after dependencies have loaded. The "init()" function in the page runs right after. So you can use the Network debugger to see that nothing is sent anywhere.

I just don't think an ugly page can be useful for the layman. It has to be a nice and user friendly page, which means it would have a lot of design loaded as well. Use the "_bare" page if you want to customize it for your needs.