Comments (5)
I think Signal did not solve the issue where you create an E2E encrypted share (or chat, for Signal) and add some participants later - they will not be able to see previous messages either, because the keys were not added before.
I mean, in group shares, adding some users later should lead to re-encrypting all files in the folder with new keys; otherwise new users will not be able to see the content of the files saved before the time they were added as participants.
If the server can sign and validate users' keys, it could give NC the opportunity to do key management - the server can refuse access with "invalid" keys (e.g. if it was revoked by e.g. the user, or server side). But the server key must not be used to do encryption/decryption of the files - so it should not solve the issue from above.
from end_to_end_encryption.
Thank you for your detailed and good enhancement idea.
We will consider this and need to figure out how big the technical impact of this is.
First, there are some other enhancements, like sharing, that need to be implemented.
from end_to_end_encryption.
You're most welcome! Keep up the great work!
from end_to_end_encryption.
Hi @ardevd, thanks for your consideration ... for now let's try to improve the current protocol :-)
from end_to_end_encryption.
I think this has various problems which make the "Signal protocol" unusable. For example, if you set up a new device you want to be able to access your already stored files, but this is not possible if the key wasn't known when the files were encrypted. Also, sharing would raise many additional questions.
Also you could argue that it makes it less secure (or too complicated for many users):
Right now, if an attacker sets up a new device they need your username, login password and the password of your private key to access your files. In the future we might even provide a "paranoid mode" where the private key is not stored on the server, so they would even need the private key.
With the "Signal approach" either every new device could connect to your encrypted files (if you solve the backward compatibility problem, which you would have to solve somehow) as soon as the attacker manages to hack the user name and password, or you would need extra steps to verify new devices. Which would be too complicated for many users and would come with its extra set of questions (e.g. verifying new devices in the web interface wouldn't work because the attacker knows your login credentials at this point in time, another already connected device could lead to data loss if you have to replace your broken mobile phone for example, etc.)
So I think a more "GPG like" approach with per user keys makes much more sense here.
from end_to_end_encryption.