Labs/Weave/Crypto: Difference between revisions

= Overview =
The Weave services were designed to be safe enough to store the same information that lives on your personal computer or device.  For the Sync application, this includes the password file, browsing history, and form history of your browser.
Our goal was to make sure that we <i>could not</i> disclose this information.  To make this happen, we employed a layer of client-side encryption that is beyond what normal websites employ.
The Weave passphrase is what makes this work.  Remember, your browser knows your passwords and form history already: it's all decrypted, in your local memory.  Using the passphrase, we encrypt your information <b>on your local computer</b>.  We then use industry-standard SSL to relay the encrypted information to the server.  Your Weave account, which keeps the encrypted data organized, is protected by the username-password you select.  (In practice, we actually end up using an encrypted key chain, which allows other devices to decrypt your information once they have your passphrase; more details below.)
So, if somebody were able to get your username and password, all they could get is your encrypted data records.  They would then need to know your passphrase to decrypt your data.  Now, getting access to the encrypted data could enable certain kinds of analysis, so it's important to keep your password safe, but the passphrase is the really important key.
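The two-credential model described above, as an added Node.js example that is not part of the original page or Weave's own code: a passphrase-derived key wraps a random data key, and only wrapped or encrypted blobs ever reach the server. PBKDF2, AES-256-GCM, the iteration count, the function names and the sample record are assumptions chosen for illustration, not Weave's actual algorithms or record format.

```javascript
// Added illustration; NOT Weave's actual algorithms or record format.
const crypto = require('crypto');

// AES-256-GCM helpers. Output layout (assumed): iv (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Stretch the passphrase into a key-wrapping key (iteration count is an assumed value).
function passphraseKey(passphrase, salt) {
  return crypto.pbkdf2Sync(passphrase, salt, 200000, 32, 'sha256');
}

// First device: make a random data key, wrap it under the passphrase, encrypt a record.
function firstDeviceUpload(passphrase, record) {
  const salt = crypto.randomBytes(16);
  const dataKey = crypto.randomBytes(32);
  return { // this object is all the server stores; none of it is plaintext
    salt,
    wrappedKey: seal(passphraseKey(passphrase, salt), dataKey),
    record: seal(dataKey, Buffer.from(record, 'utf8')),
  };
}

// Second device: fetch the stored blobs, unwrap the data key with the passphrase, decrypt.
function secondDeviceDownload(passphrase, stored) {
  const dataKey = open(passphraseKey(passphrase, stored.salt), stored.wrappedKey);
  return open(dataKey, stored.record).toString('utf8');
}

// Constructed sample data.
const sampleRecord = '{"site":"example.org","user":"alice","password":"hunter2"}';
const stored = firstDeviceUpload('correct horse battery staple', sampleRecord);
console.log(secondDeviceDownload('correct horse battery staple', stored));
```

Someone who holds only the account username and password can fetch `stored`, but `secondDeviceDownload` throws for them unless they also supply the passphrase.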
None of this removes the need for good personal computer security, of course!  We strongly recommend that you enable a Master Password for your Firefox, which causes your passwords and form history to be encrypted; this will protect you if your computer is stolen or is infected with a trojan.  We also strongly recommend that you only run addons from trusted sources, as Firefox addons have broad access to sensitive data through internal APIs.  If you're interested in our efforts to create a more secure internal API for addons, please check out the [http://mozillalabs.com/Jetpack Jetpack] project.
= Super-short summary for experienced Crypto developers: =


If you have other encryption schemes that might fit into Weave’s use cases please let us know! (We’ve already been looking at interesting developments in this area such as [http://allmydata.org/~warner/pycon-tahoe.html Tahoe]). I’d also love to hear from you if you have any questions on our current cryptography scheme. We’re constantly trying to improve the security and efficiency of our system so these details are only valid until we change our scheme :-)
Now, go write that third-party Weave client, you have no excuse not to!


----
Original text by Anant, October 11, 2009, posted at http://www.kix.in/blog/2009/10/how-does-weave-use-cryptography/