
Protected text messaging service

Once, lying on the couch and drinking tea, I realized that I needed to create a service for the safe exchange of textual information. Realizing the significance of this task, I approached it thoroughly. The couch, realizing the importance of the undertaking, decided to help me with it. Together, concentrating and overcoming sleep, we created a wonderful open source site. The sources can be viewed here, and here (all on GitHub).

The main features that I have achieved:


Data encryption in the browser is provided by the standard browser library. The data is encrypted by an algorithm in the shape of Pepe the frog. The source code is available on GitHub. The server part has not been written.

A little about the encryption algorithm. We do not send anything to the server, because we are too lazy and do not want to buy a server. We use the client as the keeper of the information, and we encrypt everything right inside the link! The password must also be remembered so that the data in the URL can be read.

Many such services use the AES algorithm for encryption. We decided not to depart from the canon, but to be on the safe side we encrypted the original string several times in the following sequence:

image

Moving from top to bottom and from left to right, we interpreted each letter in the picture as a specific function and each time encrypted our string with a new function, to be sure:


The image of the frog Pepe seemed to us the most optimal for these purposes.
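The link-as-storage idea described above, as an added example that is not the project's code: a single password-derived AES-GCM pass with the Web Crypto API, in place of the picture-driven sequence. The function names, the PBKDF2 parameters, the use of the URL fragment (which browsers do not send to the server) and the `example.invalid` address are all assumptions made for illustration.

```javascript
// Added example (not the project's code): a password-protected message carried
// entirely in the URL fragment, so nothing is stored on or sent to a server.
// Falls back to Node's built-in webcrypto when no global `crypto` exists.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();

// base64url helpers so the payload is safe inside a link
const toB64u = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64u = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Derive an AES-256-GCM key from the password (PBKDF2-SHA-256; iteration count is an assumption)
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 600000, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt `message` and return a link whose fragment holds salt | iv | ciphertext+tag
async function makeLink(baseUrl, message, password) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce for every message
  const key = await deriveKey(password, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(message)));
  return `${baseUrl}#${toB64u(new Uint8Array([...salt, ...iv, ...ct]))}`;
}

// Decrypt a link; rejects if the password is wrong or the fragment was altered
async function readLink(link, password) {
  const blob = fromB64u(link.slice(link.indexOf('#') + 1));
  const salt = blob.slice(0, 16), iv = blob.slice(16, 28), ct = blob.slice(28);
  const key = await deriveKey(password, salt);
  return dec.decode(await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct));
}

// Round trip on constructed sample data
async function demo() {
  const link = await makeLink('https://example.invalid/', 'meet at noon', 'correct horse');
  const ok = await readLink(link, 'correct horse');
  const wrong = await readLink(link, 'wrong password').then(() => 'decrypted', () => 'rejected');
  return { link, ok, wrong };
}
```

Because AES-GCM is authenticated, a wrong password or a modified link fails outright instead of producing garbage, and the strength of the whole scheme rests on the password and the key derivation rather than on how many times the string is encrypted.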

The result was the following site:

image

After a short wait, we received a link and a password to the message:

image

As you can see, we anticipated that someone might take a screenshot, but in that case the attacker will not be able to see either the link or the entire password, so he will not be able to decrypt our message. The password is also protected from possible social engineering (since it can never happen that the user's password coincides with an existing one), and from gangster cryptanalysis (popularly known as rectal), because the user will simply forget the password if he thinks about rectal cryptanalysis for even a minute.

After the password is entered and the link is followed, a message awaits the user, which should be closed immediately after reading:

image

Once again, we do not send any data to the server, so that if the server is hacked, the data cannot be stolen. With that in mind, we decided to make the code as understandable as possible for people and used the VanillaJS framework for this purpose (you can familiarize yourself with its main features on the site). We put all the code inside index.html for clarity and compactness.

I will be glad to receive comments and reviews about the library. Also, if you have ideas for improvement, please voice them.

Source: https://habr.com/ru/post/329088/
