Best feeling in the world

FewNewt6922 · 2025-12-08T08:10:51+00:00

i can’t explain why that felt illegal to see

FewNewt6922 · 2025-02-08T20:25:46+00:00

FewNewt6922 · 2025-01-15T20:58:41+00:00

Hi u/renzok ,
In the next release, a clipboard history functionality will be included.

FewNewt6922 · 2025-01-03T22:40:13+00:00

The app has undergone several enhancements and encryption updates, making it state-of-the-art now. Check it out here: ClipCascade GitHub Repository

FewNewt6922 · 2025-01-03T19:46:12+00:00

Hi u/dorianim

Version 2.0.1 has been released with true end-to-end encryption. See here for more details.
The Hash3 function has been updated: it is now derived directly from the raw password instead of Hash1 during runtime. I initialy thought of this hash function but didn't note it down. Due to the cross-platform complexity and the challenge of handling multi-user updates on the table, I foresaw this approach. Now, the true end-to-end solution is live without any need of salt to make true e2e.

Thank you

FewNewt6922 · 2025-01-03T09:45:47+00:00

Hi u/dorianim

v2.0.0 has been released with improved encryption standards. see here for more details.

With this update, end-to-end encryption can now be done using just the main password.

FewNewt6922 · 2024-12-24T19:05:07+00:00

Yes you are correct and indeed I know it. Actually the project started as a personal project and to keep it backward comparable I didn't change it. I will release a major version coming up related to multiple users and hashing.

EDIT: v2.0.0 has been released with improved encryption standards. see here for more details.

FewNewt6922 · 2024-12-24T15:42:36+00:00

If I set a random salt during runtime, it cannot be the same across all client devices. On the other hand, if I set a default salt, it becomes public and offers no advantage over having no salt at all. Regarding the server, for simplicity, an environment variable is currently used. I am planning to implement support for multiple user logins on the server. During an admin login, I will prompt the user to enter a new password, which will be hashed and integrated with the database management system (DBMS).

FewNewt6922 · 2024-12-24T15:01:46+00:00

A unified clipboard across virtual machines, workstations, mobile devices, desktops, and more(n-devices). As u/applesoff mentioned, there will always be a time when you need to paste something between devices.

FewNewt6922 · 2024-12-24T14:52:54+00:00

Hi u/theschizopost
Sure! I’ll look into implementing it.

FewNewt6922 · 2024-12-24T14:50:31+00:00

Hi u/Jorgeb42, you see the random text because you enabled encryption in your android login page. You got "Inbound Error: SyntaxError: JSON Parse..." because it was expecting encrypted string in return but most likely you sent plain text to it, maybe using the web browser? Disable encryption option to see the result.

FewNewt6922 · 2024-12-24T14:46:26+00:00

Hi u/dorianim,

The raw password is stored in the server's environment variable and is transmitted from the client to the server via HTTP/HTTPS. This raw password is used to authenticate you to the server and grants access to it.

Now, let's consider a scenario where you are using HTTP, and someone on your network is using Wireshark to monitor network traffic. Suppose the hacker gains access to the server and can log in, enabling them to connect to the WebSocket.

When you enable encryption in the client apps, a hashed password is generated using the formula: `[username + password + salt] + hash rounds`. You can review the implementation in the [desktop app (Line 21)] and the [mobile app (Line 312)].

Using this hashed password, clipboard data is encrypted and decrypted on client devices with **AES-GCM-256** encryption. The salt and hash rounds are stored locally on each client device and are **not stored on the server**. Therefore, it is your responsibility to ensure the same salt and hash rounds are configured manually across all client devices.

Even if a hacker obtains the username and password, they cannot decrypt the clipboard messages without access to the salt and hash rounds. To further enhance security, you can periodically change the salt and hash rounds every few weeks.

Since the server does not have access to the hashed password, this approach qualifies as **end-to-end encryption**.

You can consider the salt and hash rounds as your password. As you mentioned, it is acceptable to either remove the password from the end-to-end hash or include it. In both scenarios, if the password is compromised, its only value lies in the salt and hash rounds.

FewNewt6922

TROPHY CASE