MozillaWiki

Labs/Weave/Developer/Crypto: Difference between revisions

Page Discussion

Labs/Weave/Developer/Crypto (view source)

Revision as of 06:35, 8 February 2010

3 bytes removed ,  8 February 2010
m
typo fix
m (typo fix)
 
Line 37: Line 37:
Fortunately, I’ve already figured out most of the details for you – check out my [http://hg.mozilla.org/labs/weaveweb/file/tip/weave.js#l163 Javascript] or [http://hg.mozilla.org/users/anarayanan_mozilla.com/weave-proxy/file/tip/crypto/ PHP] implementations of the crypto elements required to decrypt Weave Basic Objects.
Fortunately, I’ve already figured out most of the details for you – check out my [http://hg.mozilla.org/labs/weaveweb/file/tip/weave.js#l163 Javascript] or [http://hg.mozilla.org/users/anarayanan_mozilla.com/weave-proxy/file/tip/crypto/ PHP] implementations of the crypto elements required to decrypt Weave Basic Objects.


Finally, a quick note about why we do all this. Sharing is now reasonably easy, if you want to share your bookmarks with someone, you just need to encrypt the corresponding symmetric key with their public key and they’re good to go. Also, each WBO has it’s own ‘encryption’ property so this can be as granular as needed. Secondly, the passphrase is never stored anywhere (except possibly on the user’s computer) so the server never sees anything other than encrypted blobs of Base64′ed text. Along with making HTTPS mandatory, we think this is a pretty secure way of protecting the user’s data.
Finally, a quick note about why we do all this. Sharing is now reasonably easy, if you want to share your bookmarks with someone, you just need to encrypt the corresponding symmetric key with their public key and they’re good to go. Also, each WBO has its own ‘encryption’ property so this can be as granular as needed. Secondly, the passphrase is never stored anywhere (except possibly on the user’s computer) so the server never sees anything other than encrypted blobs of Base64′ed text. Along with making HTTPS mandatory, we think this is a pretty secure way of protecting the user’s data.


If you have other encryption schemes that might fit into Weave’s use cases please let us know! (We’ve already been looking at interesting developments in this area such as [http://allmydata.org/~warner/pycon-tahoe.html Tahoe]). I’d also love to hear from you if you have any questions on our current cryptography scheme. We’re constantly trying to improve the security and efficiency of our system so these details are only valid until we change our scheme :-)
If you have other encryption schemes that might fit into Weave’s use cases please let us know! (We’ve already been looking at interesting developments in this area such as [http://allmydata.org/~warner/pycon-tahoe.html Tahoe]). I’d also love to hear from you if you have any questions on our current cryptography scheme. We’re constantly trying to improve the security and efficiency of our system so these details are only valid until we change our scheme :-)
Jeffq
1

edit

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/200527"