building a web app that doesn t trust the server
play

Building a Web App that Doesnt Trust the Server Daniel Huigens - PowerPoint PPT Presentation

Mar 21, 2024 •132 likes •317 views

Securing ProtonMail: Building a Web App that Doesnt Trust the Server Daniel Huigens What do we want to achieve? Allow you to trust that we cant read your email Without trusting the server 2 How does our web app work? Normal

  1. Securing ProtonMail: Building a Web App that Doesn’t Trust the Server Daniel Huigens

  2. What do we want to achieve? • Allow you to trust that we can’t read your email • Without trusting the server 2

  3. How does our web app work? Normal web app Our web app Trust source code ? coming from the server Send password to the Use Secure Remote server Password protocol Trust data ? coming from the server Send data to the server Send data to the server unencrypted signed and encrypted using OpenPGP 3

  4. The JavaScript trust problem (I) • HTML, CSS and JavaScript are sent to the browser each time • The browser does what the server says • Server says: send me the password 4

  5. The JavaScript trust problem (II) • Could be hacked or rogue: • Employee • Hosting • Content Delivery Network (if used) • National Security Agencies • Corporate Network 5

  6. 6

  7. “ the funds were intercepted when the user made a payment ” “ how did this happen? ” 7

  8. Source Code Transparency • Hash the code at the source • Publish it somewhere • Verify that everyone gets the same code 8

  9. Certificate Transparency • Append-only log server • Gives you Signed Certificate Timestamp • Promises to publish the Certificate in the Log 9

  10. Service Workers • Sit “between web app and server” • Can read and block responses • Can even detect updates to the Service Worker itself 10

  11. All together now • Certificate goes in the Log Server • Able to verify that there's only one certificate Log Server • Hash goes in the certificate • ⇒ Everyone sees the same code 11

  12. How will our web app work? Normal web app Our web app Trust source code Verify source code coming from the server coming from the server Send password to the Use Secure Remote server Password protocol Trust data ? coming from the server Send data to the server Send data to the server unencrypted signed and encrypted using OpenPGP 12

  13. Key distribution solutions • In-person exchange / verification • Key Signing parties • Web of Trust 13

  14. Key Transparency • Publish all keys • Make sure that everyone sees the same keys • Everyone checks their own key • ⇒ All keys can be trusted 14

  15. Merkle tree Root Node Hash(Node 0 + Node 1) Node 0 Node 1 Hash(0-0 + 0-1) Hash(1-0 + 1-1) … … 256 steps … Node 0-0-…-0 Node 1-1-…-0 Node 0-0-…-1 Node 1-1-…-1 Hash(Empty Node) Hash(Empty Node) Hash(Fingerprint) Hash(Fingerprint) [0-0-…-1, proof] == VerifiableRandomFunction(EmailAddress) 15

  16. How will our web app work? Normal web app Our web app Trust source code Verify source code coming from the server coming from the server Send password to the Use Secure Remote server Password protocol Trust data Verify data coming from the server coming from the server Send data to the server Send data to the server unencrypted signed and encrypted using OpenPGP 16

  17. Thanks! Questions? Contact Us! Daniel Huigens Cryptography Engineer d.huigens@protonmail.com PGP Key ID: F7D8FA8EC9D526EC news.ycombinator.com/user?id=protonmail reddit.com/r/ProtonMail protonmail.com

Recommend

A Django TR-069 ACS Server The hows and whys of building an ACS server into an existing Django

A Django TR-069 ACS Server The hows and whys of building an ACS server into an existing Django

A Django TR-069 ACS Server The hows and whys of building an ACS server into an existing Django based provisioning and CRM system. May contain traces of XML. Thomas Steen Rasmussen DjangoCPH Day 2018 Shameless When not working with TR-069 I

1.14k views • 69 slides
Deploying Citrix MetaFrame Presentation Server 3.0 with Windows Server 2003 Terminal Services

Deploying Citrix MetaFrame Presentation Server 3.0 with Windows Server 2003 Terminal Services

Deploying Citrix MetaFrame Presentation Server 3.0 with Windows Server 2003 Terminal Services Melissa Craft Click here if your download doesn"t start automatically Deploying Citrix MetaFrame Presentation Server 3.0 with Windows Server 2003

82 views • 5 slides
Public Trust Manitoba Agriculture Industry Consultation July 12 th , 2016 Trust is becoming a

Public Trust Manitoba Agriculture Industry Consultation July 12 th , 2016 Trust is becoming a

Building Public Trust Manitoba Agriculture Industry Consultation July 12 th , 2016 Trust is becoming a defining issue for the entire Canadian food supply chain Building Public Trust a key to our industrys future Young adults

477 views • 20 slides
Trust Enabled Supply Networks Uncovering the trust-building secrets of highly collaborative

Trust Enabled Supply Networks Uncovering the trust-building secrets of highly collaborative

Third Annual Symposium on Supply Chain Management Toronto, September 2005 Trust Enabled Supply Networks Uncovering the trust-building secrets of highly collaborative supply chains. Alex Todd, President & CEO, Trust Enabling Strategies

379 views • 33 slides
Building a secure Kennedy bastion, or, 50 @anna_ken_ ways to kill your server Telenor Digital

Building a secure Kennedy bastion, or, 50 @anna_ken_ ways to kill your server Telenor Digital

Anna Building a secure Kennedy bastion, or, 50 @anna_ken_ ways to kill your server Telenor Digital What is a bastion (jumpbox) ? Outside world bastion server server server What do we mean by secure? How do we make a custom AMI?

231 views • 20 slides
Building Trust with Job Seekers and Their Families Thursday, August 10, 2017 Advancing your

Building Trust with Job Seekers and Their Families Thursday, August 10, 2017 Advancing your

8/10/17 Building Trust with Job Seekers and Their Families Thursday, August 10, 2017 Advancing your professional career Improving Employment outcomes of job seekers Agenda v Announcements v Growing the Blue Zone check-in v Building Trust v A

632 views • 13 slides
Welcome Building Trust Dr. Andrew Rahaman - Key Executive Leadership Programs American Univ. 1

Welcome Building Trust Dr. Andrew Rahaman - Key Executive Leadership Programs American Univ. 1

4/23/2020 Enhancing our understanding of trust in the workplace by exploring what is necessary to gain, maintain and regain trust Welcome Building Trust Dr. Andrew Rahaman - Key Executive Leadership Programs American Univ. 1 1 Quiz 1

603 views • 26 slides
The Ontario Heritage Trust Rehabilitation of the Birkbeck Building in Toronto Birkbeck Building

The Ontario Heritage Trust Rehabilitation of the Birkbeck Building in Toronto Birkbeck Building

Olivia Ashton CDNS 4403-5003 Sustainable Heritage Case Study Class Presentation Nov. 28, 2017 The Ontario Heritage Trust Rehabilitation of the Birkbeck Building in Toronto Birkbeck Building Faade. Source: Taylor, D. (2014, October 26).

145 views • 12 slides
Why Why Google Google Shopping doesn't Shopping doesn't work work for for many many retailers

Why Why Google Google Shopping doesn't Shopping doesn't work work for for many many retailers

Why Why Google Google Shopping doesn't Shopping doesn't work work for for many many retailers retailers Liam Patterson Founder & CEO Show of hands? Q: Who is actively running Google Shopping ? About You 27% of SHOPPERS 27% of

573 views • 30 slides
Building and Losing Trust in Introduction Trust, Ambient Intelligent Sofware Applications

Building and Losing Trust in Introduction Trust, Ambient Intelligent Sofware Applications

Tutorial 1 Building and Losing Trust in Introduction Trust, Ambient Intelligent Sofware Applications Confidence, Familiarity Explanations Context Jrg Cassens Tutorial 2 SoSe 2018 Contextualized Computing and Ambient Intelligent Systems

1.18k views • 107 slides
Building trust with consumers is foundation to the kind of engagement were seeking for Precision

Building trust with consumers is foundation to the kind of engagement were seeking for Precision

Building trust with consumers is foundation to the kind of engagement were seeking for Precision Health. The adoption and adherence to a set of universal principles called Fair Information Practices, or FIPs, will help establish that trust.

385 views • 14 slides
Building Trust in Groups FOCUS ON FACILITATION COMMUNITY OF PRACTICE MAY 15, 2019 BARB BICKFORD

Building Trust in Groups FOCUS ON FACILITATION COMMUNITY OF PRACTICE MAY 15, 2019 BARB BICKFORD

Building Trust in Groups FOCUS ON FACILITATION COMMUNITY OF PRACTICE MAY 15, 2019 BARB BICKFORD Introductions Your name Your affiliation One way you foster trust in groups Todays objectives Share models of trust Be aware

341 views • 22 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
( Recent Developments in Server Authen;ca;on) Trevor Perrin

( Recent Developments in Server Authen;ca;on) Trevor Perrin

Transparency, Trust Agility, Pinning ( Recent Developments in Server Authen;ca;on) Trevor Perrin <trevp@trevp.net> Cer;ficate Authori;es CA Web server requests

615 views • 40 slides
Building with Nature Jenny Stuart Building with Nature Assessor Cornwall Wildlife Trust

Building with Nature Jenny Stuart Building with Nature Assessor Cornwall Wildlife Trust

Building with Nature Jenny Stuart Building with Nature Assessor Cornwall Wildlife Trust Introduction What is Building with Nature? How does Building with Nature work? Case Studies How Building with Nature might be

364 views • 21 slides
Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server

Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server

E LIOM Tierless Web programming from the ground up Gabriel R ADANNE Jrme V OUILLON Vincent B ALAT Vasilis P APAVASILEIOU Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server DOM 2 2 / 22 1

778 views • 42 slides
Elizabeth Perkins HERITAGE TRUST NETWORK (formerly UK Association of Building Preservation

Elizabeth Perkins HERITAGE TRUST NETWORK (formerly UK Association of Building Preservation

Elizabeth Perkins HERITAGE TRUST NETWORK (formerly UK Association of Building Preservation Trusts) HERITAGE TRUST NETWORK HERITAGE TRUST NETWORK is the umbrella body for any not-for-profit groups tackling historic buildings and heritage

321 views • 18 slides
Building trust with stakeholders: the English institutional perspective Ruth Farwell Director

Building trust with stakeholders: the English institutional perspective Ruth Farwell Director

Building trust with stakeholders: the English institutional perspective Ruth Farwell Director and Chief Executive Buckingham nghamshi hire C e Chilterns ns UNIVE VERSI SITY C Y COLLEGE Real versus Regulated * TRUST RESPONSIBILITY

65 views • 5 slides
Building Consumer Trust and Stakeholder Support in Choice for Hen Housing Charlie Arnot

Building Consumer Trust and Stakeholder Support in Choice for Hen Housing Charlie Arnot

Building Consumer Trust and Stakeholder Support in Choice for Hen Housing Charlie Arnot CharlieA@LookEast.com Building Consumer Trust and Stakeholder Support SUCCESS IS A range of egg choices continues to be available, as determined by

600 views • 24 slides
Building with Nature Jenny Stuart Building with Nature Assessor Cornwall Wildlife Trust What

Building with Nature Jenny Stuart Building with Nature Assessor Cornwall Wildlife Trust What

Building with Nature Jenny Stuart Building with Nature Assessor Cornwall Wildlife Trust What is green infrastructure? Multifunctional green spaces Strategic Connected Networks Includes established and new features

287 views • 17 slides
Server Server Server Server Server Datacenter Network (e.g., Ethernet, InfiniBand,

Server Server Server Server Server Datacenter Network (e.g., Ethernet, InfiniBand,

Chanwoo Chung , Jinhyung Koo, Junsu Im, Arvind , and Sungjin Lee DGIST and MIT NVRAMOS 19 2019.10.24 DATA -INTENSIVE COMPUTING SYSTEMS LAB ORATORY Computation Application Application Application Application Application

597 views • 48 slides
Building Trust with Job Seekers and Their Families Thursday,

Building Trust with Job Seekers and Their Families Thursday,

Building Trust with Job Seekers and Their Families Thursday, September 13, 2018 Advancing your professional career Improving Employment outcomes of job

509 views • 23 slides
BOURBON I n v e s t o r P r e s e n t a t i o n M a y 2014 BUILDING TOGETHER A SEA OF TRUST

BOURBON I n v e s t o r P r e s e n t a t i o n M a y 2014 BUILDING TOGETHER A SEA OF TRUST

BOURBON I n v e s t o r P r e s e n t a t i o n M a y 2014 BUILDING TOGETHER A SEA OF TRUST DISCLAIMER This document may contain information other than historical information, which constitutes estimated, provisional data concerning the

665 views • 43 slides
Telling The Time chris.anley@nccgroup.trust The Bug Server generates a time-based: -Password

Telling The Time chris.anley@nccgroup.trust The Bug Server generates a time-based: -Password

Telling The Time chris.anley@nccgroup.trust The Bug Server generates a time-based: -Password reset token -Session id -Random password -REST API Key ... For example: PHP uniqid() Gets a prefixed unique identifier based on the current

371 views • 14 slides

More recommend