Dear professionals and fans of information security!
I want to discuss an interesting question with you. The following idea came to my mind for a convenient and secure web manager for hidden text notes. Is it as good as I think? Or is there a catch somewhere that I missed? I would be glad to hear your opinion.
So.
Purpose
Web service for managing text notes (documents). As convenient and safe as possible.
Requirements
- Web access - the ability to access from anywhere
- The ability to import / export notes
- On the server (in the exported file) only notes are stored, only in encrypted form.
- Version for local use (to avoid the risk of someone hacking the server and replacing the JavaScript)
- The password is not stored anywhere in any way.
What is the essence of the idea?
As such, the service has no “accounts”. The server stores a set of notes with the following properties:
- author's email
- encrypted content
- metadata (date of change, etc.).
A person opens the service's web page. If they have no cookie, the page asks for an email address.

Next, if this email has not been used on this device before, the service sends a link to this address to validate the device. The link, of course, expires after a short time.

After successful validation, the page remembers the binding of the email to the device (sets a cookie).
A set of encrypted notes is loaded.
Everything after that is the work of local JavaScript, without accessing the server.
The page asks for a password.

The notes are decrypted with the password. The actual interface for working with notes appears. We will not discuss it here; everything there can be made attractive and convenient. (The question now is about the technical side.)
When a note is created or modified, it is encrypted (using the password stored in a JavaScript variable, or, in paranoid mode, the password can be asked for again) and the ciphertext is sent to the server.
Of course, SSL, no caching, and everything else.
What I like about all this
I get access to my notes from a computer, from a phone, or while visiting someone.
I can be sure that my notes are inaccessible to anyone except me. If someone tries to log in with my email, I'll receive a message, which I'll reject.
If someone hacks into my email and gets access to my notes (can validate their device), they still need the master password in order to read the notes.
The password is used only to decrypt the notes (in other words, a wrong password will simply lead to garbage on the screen).
It makes sense to make the service open source, so that you can install it on your own server. This solves the problem of trusting someone else's server.
Fly in the ointment
While writing this text, a thought occurred to me. Since the service does not store the password anywhere (no hash, nothing), it does not know, by design, whether the correct password was entered. How can I avoid a situation where I enter the wrong password, get an unreadable mess in a note, and save it back to the server? I need to think about it.
Thank you for reading! I will be glad to hear your thoughts and any feedback in general.
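
One way to address the wrong-password problem raised under "Fly in the ointment", as an added example that is not part of the original post: with authenticated encryption (AES-GCM through the Web Crypto API), decrypting with a wrong password fails outright instead of producing garbage, so no password hash has to be stored. The function names, the PBKDF2 iteration count and the stored record layout are assumptions.

```javascript
// Added example; function names, iteration count and record layout are assumptions.
// Browsers and current Node expose globalThis.crypto; older Node needs the fallback.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();
const PBKDF2_ITERATIONS = 600000; // assumed work factor

// Stretch the password into an AES-256-GCM key using a per-note random salt.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: PBKDF2_ITERATIONS, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns the record the server would store: salt, IV, ciphertext with GCM tag.
async function encryptNote(password, plaintext) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(password, salt);
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(plaintext));
  return { salt, iv, ciphertext: new Uint8Array(ct) };
}

// Resolves to the plaintext, or to null when tag verification fails
// (wrong password, or a record altered on the server).
async function decryptNote(password, record) {
  const key = await deriveKey(password, record.salt);
  try {
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: record.iv }, key, record.ciphertext);
    return dec.decode(pt);
  } catch (e) {
    return null;
  }
}

// Refuses to encrypt under a password that cannot open an existing note,
// so a mistyped password never overwrites data on the server.
async function saveNote(password, existingRecords, text) {
  if (existingRecords.length > 0 &&
      (await decryptNote(password, existingRecords[0])) === null) {
    throw new Error('wrong password: note not saved');
  }
  return encryptNote(password, text);
}
```

The server still sees only salt, IV and ciphertext; the check happens entirely in the client.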