webext-signed-pages
CryptPad
webext-signed-pages | CryptPad | |
---|---|---|
16 | 183 | |
180 | 5,230 | |
- | 2.1% | |
0.0 | 9.9 | |
over 1 year ago | 1 day ago | |
JavaScript | JavaScript | |
BSD 3-clause "New" or "Revised" License | GNU Affero General Public License v3.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
webext-signed-pages
-
E2EE on the web: is the web that bad?
There is "Signed Pages" by the debeloper of EteSync. It is a browser extension, that checks webapps based on signatures in the html file. The addon then warns the user if the signature is not correct or - if I remember correctly - the source changed. This allows you to be sure what webapp code was delivered. But it seems like it did not really get used outside of his own projects. https://github.com/tasn/webext-signed-pages
-
Cloudflare and CDNs - call for community opinions
EteSync has implemented something called Signed Pages, this might be worth looking closer at. This uses PGP keys which is preloaded into the browser; but I suspect that will be a barrier too high for most non-tech users.
- Is there any tool to verify client-side website code you get served is the same as the open source version?
-
Truly safe?
There are also projects like signed web pages which can also help increasing the trust level to some degree. But that requires that you can download the source code and regenerate the verification hash locally - or have other trusted methods to verify the hash value hasn't been modified as well. The current concept is reasonably sane, but it requires too much from users currently to make it widely used.
- A browser that verifies Javascript
-
Security experts declare all Proton apps secure after security audit
> The server can at any time start serving malicious payloads
True, and I call this threat model "Beware Each and Every Fetch" (BEEF) in contrast to the more common TOFU model (although if you trust a desktop app to auto-update itself then these two models might not be all that different).
In any case, I think you're being a little quick to dismiss the idea of server-hosted applications. It's true that browsers don't natively have a nice way of pinning specific versions of a web app, but there is the clever hack of SecureBookmarks[0] (if you're prepared to sacrifice the UX), or, more realistically, you can pin the web app version using some sort of browser extension.
Examples of the latter include the Signed Pages extension[1], and Code Verify[2], which is the result of a collaboration between Meta and Cloudflare (for securing the WhatsApp Web code, currently, but should eventually support other sites like Proton's too). Of course, it would be much better if this capability was natively included in browsers themselves, but hopefully adoption of this technology will pressure browsers and standards bodies to take ownership of this.
[0] https://coins.github.io/secure-bookmark/
[1] https://github.com/tasn/webext-signed-pages
[2] https://github.com/facebookincubator/meta-code-verify
-
ProtonMail Is Inherently Insecure, Your Emails Are Likely Compromised
Something like a browser extension for this does already exist, fortunately:
https://github.com/tasn/webext-signed-pages
-
"Were you able to subpoena ProtonMail?"
In regards to untrusted webapp, yes, that is a reasonable attack vector. That said, I've heard from ProtonMail they have been considering to implement Signed Pages to help mitigate (at least some of the) issues with this attack vector.
-
Proton’s priorities
Which is why it is important to get proper E2E encryption on e-mail, where the source is open source and can be audited. And then that there are verify mechanisms to verify that the source code has not been manipulated. For web services there are signed-pages which is quite interesting.
CryptPad
-
Browse Self-Hosted Software
In my frustration with MS Office, I gave it a chance and searched for MS Office alternatives ... and found https://github.com/cryptpad/cryptpad ! Looks quite nice. Maybe I should set that up on a server.
-
Google suspends romance author's account for writing sexually explicit content
https://cryptpad.org/
There's a public instance in France to try it out.
-
🔍Underrated Open Source Projects You Should Know About 🧠
CryptPad provides a full-fledged office suite with all the tools necessary for productive collaboration.
-
Ask HN: What Underrated Open Source Project Deserves More Recognition?
I discovered these 3 amazing projects recently:
Cryptpad, essentially google docs/sheets/forms e2e encrypted. It does include collaboration. https://github.com/cryptpad/cryptpad
Immich, google photos self hostable, with share options https://github.com/immich-app/immich
Nginxproxymanager manages certificates and proxies to self hosted stuff through nginx https://github.com/NginxProxyManager/nginx-proxy-manager
Great self hosting stuff!
-
Edit This Blog Post
I work for XWiki SAS. Two products we develop have it:
- XWiki, a extensible wiki platform, experimentally [1] but soon to be fully supported
- CryptPad [2], an end-to-end encrypted collaborative platform. And actually, CryptPad was accidentally born as a first attempt to have this feature in XWiki.
[1] https://extensions.xwiki.org/xwiki/bin/view/Extension/Realti...
[2] https://cryptpad.org/
-
Google Docs adds tracking to links in document exports
Hey, very happy to see you so enthusiastic!
I'll be sure to transmit your feedback to the CryptPad team.
I'm not an expert myself so while I might know some stuff, it'd be better to talk to them directly.
Come say hello on the Matrix #cryptpad-general channel [1], don't hesitate to open issues on the bug tracker, and to browse the CryptPad's website [2].
[1] https://matrix.to/#/#cryptpad-general:matrix.xwiki.com
[2] https://cryptpad.org/
- Collabora / Onlycloud/ libreoffice online
-
Looking for a team collaboration spreadsheet software
https://cryptpad.org https://cryptpad.fr
-
Google reverses 5M file limit in Google Drive
It's not LibreOffice, but while revisiting CryptPad (which I thought was a multiplayer notepad like etherpad or codimd, except with an encryption key in the url fragment identifier) I was impressed to see that they're expanding to become an entire office suite. You get a WYSIWYG editor (I'd rather wish for markdown but ok), spreadsheet editor, survey forms, and more which I don't remember, all live like google docs but (as I understand it, I didn't audit it) end to end encrypted between the users. It's a bit sluggish because everything has to happen on the client side, so it's a lot of JavaScript, but after the page loads it works smoothly. You can self host it as well, there's a list of instances somewhere on https://cryptpad.org with the official instance being https://cryptpad.fr
LibreOffice has a ton more features and is way harder to port. Case in point: I was at an open source conference where LibreOffice proudly demo'd their new server version, saying it used mapnik. Me, confused, asked huh why'd you use an OpenStreetMap rendering library? Turns out they basically run the ancient C++ UI on the server and make a VNC-like connection and that map tiles is the easiest or fastest way to load the screen. At least, that's what I remember from that presentation, I haven't looked into that madness further, but that's LibreOffice online...
-
suckless collaborative text editing like google docs
Currently I'm looking at https://cryptpad.org/. But maybe there is an alternative that sucks even less?!
What are some alternatives?
photos-app - ➡️ Moved to https://github.com/ente-io/ente
Nextcloud - ☁️ Nextcloud server, a safe home for all your data
mailvelope - Browser extension for OpenPGP encryption with Webmail
Etherpad - Etherpad: A modern really-real-time collaborative document editor.
frame - System-wide Web3 for macOS, Windows and Linux
ONLYOFFICE - ONLYOFFICE Docs is a free collaborative online office suite comprising viewers and editors for texts, spreadsheets and presentations, forms and PDF, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time.
pacman-bintrans - Experimental binary transparency for pacman with sigstore and rekor
PrivateBin - A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES.
leCrypt-web-extension - leCrypt is a decentralised password manager which is cross-platform, free and secure.
HedgeDoc - HedgeDoc - Ideas grow better together
proton-mail - React web application to manage ProtonMail
Nginx Proxy Manager - Docker container for managing Nginx proxy hosts with a simple, powerful interface