security.en.md (1.81 KB), committed by Aral Balkan
+++
title = "Security"
weight = "30"
+++

Indienet apps based on Indienet Engine are hosted on a server and accessed through clients. The default client is a web client that is, itself, served by the server.

Depending on how the app is installed and hosted, different security threats will exist.

In order to be entirely sure of the security of the end-to-end encryption of private messages, you would have to:

  1. Install the app from source yourself (to verify that it was not tampered with)
  2. Host the server on hardware that you have physical control over (to verify that it is not tampered with by a third-party host)

In such a scenario, you can be reasonably certain that the client being served is the one that you intend to be served.

This, however, is a marginal use case for Indienet apps, which will mostly be installed, hosted, and updated by third-party hosts.

Just like any web app, this means that we must trust the host not to:

  1. Add a back door to the source and serve a malicious client (with which they could, for example, capture your password)
  2. Update to a malicious version sometime in the future (a web server could serve you a different client on each connection, so a client that was benign on your last visit says nothing about the one you are running now)

While these issues are blatantly apparent for web clients, they are also faced by native apps today in a world of App Stores and automatic updates.

## Spikes

  * Documentation: [/spikes/security](/spikes/security)
  * Source: https://source.ind.ie/indienet/spikes/security

## Resources

  * [End-To-End Web Crypto: A Broken Security Model](https://www.indolering.com/e2e-web-crypto/)
  * [What’s wrong with in-browser cryptography?](https://tonyarcieri.com/whats-wrong-with-webcrypto)
  * [How to backdoor an encryption app](https://blog.cryptographyengineering.com/2013/06/17/how-to-backdoor-encryption-app/) (A Few Thoughts on Cryptographic Engineering)