Since we have "end-to-end" encryption now, we might actually get around all server-side authentication and therefore the current security risk of having to trust the server admin to not use modified code that initially logs your password (see here).
Currently, a note will only be returned by the server if the user passes a correct password. Instead, we could simply return every note, since only a user with the right decryption key can make sense of it.
Only problem: this would be perfectly reasonable with "proper", bullet-proof encryption. Since we're using a user-generated password for encryption, though, it will potentially make things more prone to brute-force attacks where users are using too simple passwords.
Any thoughts?
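The trade-off described in the issue, as an added example that is not code from this project or from the issue author. It shows why handing out every encrypted note without a server-side check turns a weak password into an offline dictionary-attack target: each guess costs one KDF run, with no rate limiting or lockout, and the authentication tag tells the attacker when a guess is right. It also goes slightly beyond the post by deriving a separate server-auth token from the same password with domain separation, one common way to keep a server-side check (and thus online rate limiting) without ever sending the password itself. Everything here is an assumption for illustration: PBKDF2-HMAC-SHA256 as the KDF, an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as a stand-in for whatever cipher the project actually uses, the function names, and the sample note.

```python
"""Added example, not the project's code. Illustrates the offline brute-force
risk of serving ciphertext to anyone, plus a split auth-token/encryption-key
derivation. Stdlib only; all names and parameters are hypothetical."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample note for the demonstration.
SAMPLE_NOTE = b"grocery list: eggs, milk, the wifi password"


def derive_keys(password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Stretch the password once with PBKDF2, then split the result by domain
    separation: enc_key never leaves the client, auth_token is all the server sees."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    enc_key = hmac.new(master, b"note-encryption-key", "sha256").digest()
    auth_token = hmac.new(master, b"server-auth-token", "sha256").digest()
    return enc_key, auth_token


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_note(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with sub-keys derived from enc_key; returns nonce || ct || tag."""
    stream_key = hmac.new(enc_key, b"stream", "sha256").digest()
    mac_key = hmac.new(enc_key, b"mac", "sha256").digest()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(stream_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def decrypt_note(enc_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify (wrong key or tampering)."""
    if len(blob) < 48:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    stream_key = hmac.new(enc_key, b"stream", "sha256").digest()
    mac_key = hmac.new(enc_key, b"mac", "sha256").digest()
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(stream_key, nonce, len(ciphertext))))


def offline_guess(blob: bytes, salt: bytes, iterations: int, wordlist: List[str]) -> Optional[str]:
    """What an attacker does with a blob the server handed out with no check at all:
    one KDF run per guess, no rate limit, no lockout. The MAC reveals the hit."""
    for guess in wordlist:
        enc_key, _ = derive_keys(guess, salt, iterations)
        if decrypt_note(enc_key, blob) is not None:
            return guess
    return None


def server_store(auth_token: bytes) -> bytes:
    """The server keeps only a hash of the token. An admin logging requests sees the
    token at most, which cannot be turned back into enc_key (and in a real deployment
    the server would stretch this hash again and rate-limit attempts)."""
    return hashlib.sha256(auth_token).digest()


def server_verify(stored: bytes, presented_token: bytes) -> bool:
    """Constant-time comparison of the presented token against the stored hash."""
    return hmac.compare_digest(stored, hashlib.sha256(presented_token).digest())


if __name__ == "__main__":
    salt = os.urandom(16)
    iterations = 100_000  # illustration; pick the cost from current guidance in production
    enc_key, token = derive_keys("password123", salt, iterations)
    blob = encrypt_note(enc_key, SAMPLE_NOTE)
    print("server stores:", server_store(token).hex())
    print("offline attack on a served blob recovers:",
          offline_guess(blob, salt, iterations, ["letmein", "123456", "password123"]))
```

Run it as a script to see the weak password fall to a three-word list; the test below uses a low iteration count only to keep it fast, which is exactly the knob that makes the attacker's work cheap or expensive.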