lagmoellertim / cryption Goto Github PK

Is your feature request related to a problem? Please describe.
By adding documentation, testing and enhancing the software will be much easier. Also, developers could use it to know what code is doing what.

Describe the solution you'd like
Documentation / Full Coverage

Describe the security flaw
Remove unwanted Dependencies to have more control over the code. Also use only well-known and proven libraries

How does this security flaw affect the software
More control over the code

Describe possible solutions
Remove unwanted Dependencies

The area displays the text “Click or drag file to this area to upload” and “Support for a single or bulk upload” In both cases, I understand a file is going to be uploaded to a server.

IMHO, this contradicts – or at least creates confusion with – the introductionary text stating “your Data is encrypted and decrypted securely in your browser”.

Only in the README file at Github it explicitely says “It does not upload data to any cloud”.

I suggest to use a different wording for “upload”, e.g. “encrypt”:

Click here or drag a file to this area to encrypt.
You can select or drag multiple files for batch encryption.
(Your data won’t leave your browser.)

(I also modified the English a bit, but of course that’s out of scope of this issue.)

Avoiding the word “upload” (or synonyms) would communicate it clearly that there is in fact no upload taking place.

As further suggestion, I added a sentence in brackets explicitely stating the data is not uploaded anywhere.

Check this: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2009/july/if-youre-typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/

Like I’ve been saying, if you have to type the letters “A-E-S” into your source code, you’re doing it wrong.

Seems many points shown there apply to cryption. How about first adding a disclaimer like this?

Add a password strength check in order to increase the security.

Describe the security flaw
Currently, Cryption is using a regex based Password Strength Check Algorithm. This, however, is not optimal, since it does not take password lists or known insecure passwords like "test1234" in account.

Possible Solution
The library "zxcvbn" should fix those problems.

Describe the security flaw
CryptoJS is outdated and not using the newest tech available.

How does this security flaw affect the software
Better security and faster encryption/decryption

Describe possible solutions
Replace CryptoJS with the WebCrypto API and use AES-GCM together with PBKDF2

Add field for confirm password before encrypt