Comments (7)
Oops. I didn't realize that this issue is on scuttlebutt. I thought we were talking about https://github.com/dominictarr/secure-scuttlebutt.
You are correct, this is insecure. We did experiment with securing this https://github.com/dominictarr/scuttlebutt/blob/master/security.js
Ideas which were further developed in the new project, secure-scuttlebutt, which IS secure, as I described.
from scuttlebutt.
@pocesar secure-scuttlebutt uses signatures and hashes.
If you know the hash of my public key, then you can verify the messages I post.
Messages are arranged into a chain like in bitcoin, but with signatures instead of proof of work
(so we each get our own personal chain) the first message in the chain contains the public key,
and every message after that contains the hash of the previous message.
A mitm cannot interfere with a message, because the signature would be wrong, and could not leave out a message, because there would be a gap in the chain of messages. They cannot just give you a different chain, because you already know the hash the public key would have.
The worst they could do is pretend they don't know about new messages from a feed. This would only delay the time until you are able to get them, since you might hear about those messages from other nodes instead.
from scuttlebutt.
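The per-feed chain described in the comment above, as an added sketch that is not code from secure-scuttlebutt or from anyone in this thread. It uses Node.js `crypto` with Ed25519 and SHA-256; the message fields, the JSON encoding and the function names are assumptions made for illustration, not the project's format.

```javascript
const nodeCrypto = require('crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');
// Assumed canonical encoding of the signed fields (illustrative only).
const encode = (m) => JSON.stringify([m.seq, m.previous, m.content]);
const idOf = (m) => sha256(encode(m) + m.signature);

// Start a feed: message 0 carries the public key; the feed id is that key's hash.
function createFeed() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const pub = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  const feed = { id: sha256(pub), privateKey, messages: [] };
  append(feed, pub);
  return feed;
}

// Append a message that names the hash of its predecessor, then sign it.
function append(feed, content) {
  const prev = feed.messages[feed.messages.length - 1];
  const msg = { seq: feed.messages.length, previous: prev ? idOf(prev) : null, content };
  msg.signature = nodeCrypto.sign(null, Buffer.from(encode(msg)), feed.privateKey).toString('base64');
  feed.messages.push(msg);
  return msg;
}

// Verify messages received from an untrusted peer against a feed id known in advance.
function verifyFeed(feedId, messages) {
  if (messages.length === 0) return 'empty';
  const pub = messages[0].content;
  if (typeof pub !== 'string' || sha256(pub) !== feedId) return 'wrong-key';
  let key;
  try {
    key = nodeCrypto.createPublicKey({ key: Buffer.from(pub, 'base64'), format: 'der', type: 'spki' });
  } catch { return 'wrong-key'; }
  let previous = null;
  for (let i = 0; i < messages.length; i++) {
    const m = messages[i];
    if (m.seq !== i || m.previous !== previous) return 'gap';
    const sig = Buffer.from(String(m.signature), 'base64');
    if (!nodeCrypto.verify(null, Buffer.from(encode(m)), key, sig)) return 'bad-signature';
    previous = idOf(m); // recomputed locally, never taken from the peer
  }
  return 'ok';
}

// Constructed demo: dropping message 2 is detected; withholding the newest messages is not.
const demo = createFeed();
['a', 'b', 'c'].forEach((text) => append(demo, { text }));
console.log(verifyFeed(demo.id, demo.messages.filter((m) => m.seq !== 2)),
  verifyFeed(demo.id, demo.messages.slice(0, 2)));
```

A truncated feed still verifies, which matches the comment's point that a peer can only withhold the newest messages, not alter or remove earlier ones.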
@dominictarr I see, so it would be able to hold encrypted personal data without having to worry about it being tampered with? (using secure-scuttlebutt, that is). And does it have a way to use "authority" nodes, that have more height than another, to ensure integrity? Or is it not needed?
from scuttlebutt.
Basically, secure-scuttlebutt (data layer) and scuttlebot (networking layer) and phoenix (user interface layer) are built on some of the ideas in this repo, and most importantly, add a lot of security.
Even in the original experiments (see the ./security.js file) messages were signed, but a mitm could still drop messages, so you can't know whether you have the entire set... However, in the new projects, this is not possible.
from scuttlebutt.
@dominictarr so secure-scuttlebutt is enough to keep personal data encrypted but replicated?
from scuttlebutt.
@pocesar no, there is no encryption, just signatures and hashes. Its focus is on replicating data securely, and then privacy may be implemented atop of that, by encrypting the messages that are securely replicated.
from scuttlebutt.
@dominictarr thanks for the info, this is a clever piece of software ;) I'll be using secure-scuttlebutt on a sidechain open source module, that's why all the questions, because blockchains per se are very secure the way they are designed, and I wouldn't want to add a layer on top of it just to be the weak side
from scuttlebutt.