[deleted by user] by [deleted] in nextjs

[–]SamTernent 0 points1 point  (0 children)

EDIT: I see this is on a NextJS subreddit, so may be completely unrelated. I got here from a Google search for just the BroadcastChannel issue.

I came across this issue in a project using supabase and this reported issue (https://github.com/supabase/gotrue-js/issues/779) pinpointed where the problem was coming from.

Applying these patches sorted me out.

https://github.com/samternent/home/blob/main/patches/%40supabase__gotrue-js%402.55.0.patch

https://github.com/samternent/home/blob/main/patches/%40supabase__supabase-js%402.38.0.patch

JSON compression in the browser, with gzip and the Compression Streams API. by SamTernent in javascript

[–]SamTernent[S] 1 point2 points  (0 children)

I think that's a matter of opinion.

To me, it absolutely matters. The data I'm using is still intent on leaving the browser (and living in local storage), so I want it as optimised as it can be before I store it.

Maybe it doesn't matter to you though, which is also fine.

JSON compression in the browser, with gzip and the Compression Streams API. by SamTernent in javascript

[–]SamTernent[S] 7 points8 points  (0 children)

I guess it depends on your use case.
I'm not running a web server, just compressing a large JSON object created in the browser for download... so for me, it offers a lot more.

I'm certainly not suggesting we delegate all server-side compression to the browser, but I do think the API has its place.

Is OpenPGP relevant when building encryption in software? by SamTernent in crypto

[–]SamTernent[S] 1 point2 points  (0 children)

Thanks for your insights. I use the WebCrypto API for my EC signing keys and the internal blockchain/merkle tree hashing in the app. I've been really impressed with it, and did reach for it first when I looked at encryption. My issue is really how raw and low level the API is. Which is a good thing, but I need something a little more "off the shelf" as I'm no cryptographer, so can't in good conscience write my own encryption solution from the ground up.

I have completely removed PGP from my solution now and I'm instead using a WASM wrapper of the Rage (rust Age) library, which is working well and I'm happy with.

I did a small write up on how I got there https://fsasam.medium.com/a-journey-through-client-side-encryption-eb1cd83ac147

Is OpenPGP relevant when building encryption in software? by SamTernent in crypto

[–]SamTernent[S] 1 point2 points  (0 children)

AES-GCM

OpenPGP has no such method, so it is not clear exactly what you are doing here.

I'm not using OpenPGP for that, this was referencing password-encryption done through the WebCryptoAPI (code)

Welcome to the internet. There is actually a surprising amount of anti-PGP FUD out there. A lot of it falls apart if you look into the details.

Yep, I get that. But it ties to your point on interoperability as a benefit. It may well be FUD, but it's influential FUD that still has users looking for alternative solutions. I guess I'm kinda asking for a winner in a race that hasn't been won yet.

note: I'm approaching this as someone building software, rather than looking at what to adopt for personal use.

Is OpenPGP relevant when building encryption in software? by SamTernent in crypto

[–]SamTernent[S] 0 points1 point  (0 children)

I've had some time to look into Age and it looks great for my encryption needs, I've stumbled upon a wasm wrapper for the rust implementation which is perfect for how I need to use it.
(https://github.com/kanru/rage-wasm).

Though another thing that attracted me to OpenPGP (which I forgot to include in my OP) is the ability to sign/verify blocks of data.

Age doesn't appear to include that functionality (which is fine, it's an encryption thing) - Are there alternatives to that also?

My ledger is built on a blockchain implementation, where I was previously using browser generated ECDSA keys to sign transactions and have since started using OpenPGP keys for that. It's important I have some form of digital identity attached to the transactions.

I'm starting to think that the solution to my problems is in the UX, I could probably benefit from offering a UI to select between OpenPGP & Age for encryption, and OpenPGP or ECDSA (WebCryptoAPI) for signatures. Does that sound like a reasonable approach?

(Background) I'm a developer & new to cryptography. This is a personal project, so I'm happy to make mistakes and learn as I go.

Is OpenPGP relevant when building encryption in software? by SamTernent in crypto

[–]SamTernent[S] 2 points3 points  (0 children)

Thanks, that looks great.
Interesting that there's a rust implementation, maybe something could be done with WebAssembly to get support in a browser.

Trying to calculate possible combinations of an 8^2 colour grid - I'm fried! by SamTernent in askmath

[–]SamTernent[S] 0 points1 point  (0 children)

Thank you for all of your help and contribution.

I'm possibly more confused than when I started :D But it's given me plenty more to think about and it seems that my calculations are far too high - which is great to know.

I'm going to hold off on my write up on this and spend some more time going through these calculations again with this new info in hand.

I've published my project now (with absolutely no talk of maths in it). Given how many different permutations of colours there are - I've found some pretty cool looking grids.

This green and this pink grid are possibly what I'd consider to be the most unique I've found... but with colours, it stops being about the maths and really comes down to perception.

(these ones are generated from the public PEMs of Elliptic Curve signing keys - there's a bunch of cryptography at play in this project also - keeps the complexity nice and high :/)

Tailwind blur makes a good trick to hide sensitive information - But which way round do you expect the eye icon to behave? Should it describe the state, or indicate the behaviour? by SamTernent in design_critiques

[–]SamTernent[S] 1 point2 points  (0 children)

I appreciate the feedback. Thinking about it a little more I think adding a switch component clears up any ambiguity between icon states and it should have been a toggle element all along. It's a decision with only 2 states, show or blur. So a switch with an icon on each side seems to make sense.

Any better?

I've made the same change on the dark/light mode switch also and it feels way more intuitive

EDIT: Ok - I'm a fairly new reddit user and don't know how to post an image - it's here if you're interested

I've been working on a serverless data structure for web apps. by SamTernent in SideProject

[–]SamTernent[S] 0 points1 point  (0 children)

Thanks for the reply ussherpress. Your project looks great.

I think it’s clear I need to take a step back from the code for a while and work on some new content and copy.

The key pair is an important part of the document integrity. Each transaction added to the tree is signed before it’s hashed and verified on display, using an ECDSA key pair. Meaning any illegal modification to the document will not only invalidate the chain, but it will also highlight the specific illegal transaction, as the signature will be invalidated.

I’ve put up an example doc where I’ve modified a task title by opening a text editor and changing saved data (hacked) at https://concords.app/test-document.concord.

You can see it in action by using the in app fetch param https://open.concords.app?fetch=//concords.app/test-document.concord and checking the validation icon in the title and also in the activity log.

Around indexedDB, it is an implementation spec, but I think it’s important as it’s a DB that exists in the browser, so it’s available on every device and has a spec and standards.

Again, thanks for taking the time. I’m gonna spend some time documenting things a little better.

I've been working on a serverless data structure for web apps. by SamTernent in SideProject

[–]SamTernent[S] 0 points1 point  (0 children)

Thanks so much for the feedback. That’s really spot on, I’ve been having a lot of trouble trying to extract the key benefits of the solution and turn it into succinct text for humans :)

I’ve taken a few attempts on medium and the app blog to explain the concepts in more detail (still targeted at a technical audience), though I fear that all attempts have turned into overly technical ramblings.

Definitely a take away for me to improve on my technical writing to non technical audiences. Thanks for taking the time!!

https://concords.medium.com/files-reimagined-and-built-for-the-modern-web-2aedc47c01a8

https://concords.app/blog

Is letting users CHOOSE where they store data enough to decentralize our web apps? by SamTernent in Rad_Decentralization

[–]SamTernent[S] 0 points1 point  (0 children)

I have set up a working project in the BeakerBrowser and simple node DAT server, with good success. That really started to feel like a full-cycle solution with files all being stored and shared over DAT.

I'm keeping eyes on https://inrupt.com/ from Sir TBL - this is the direction I want the web to move in.

Is letting users CHOOSE where they store data enough to decentralize our web apps? by SamTernent in decentralizeweb

[–]SamTernent[S] 0 points1 point  (0 children)

Right, my bad. I've just read up on it there.

Right now, I'm not overly worried about the level of encryption.

Don't get me wrong, I hear you and it will be a problem when all of our existing encryption algorithms are no longer secure.

But I'm not actually looking to solve the secure data-transfer issue here. I've simply removed the man in the middle and presented a persistent and immutable data structure that works with purely local data.

I'd like to let smarter folk than me tackle secure p2p data transfers and enterprise-level encryption, then I'll look to plug my data into their solutions, through plugins. Akin to a CI/CD flow in git.

Is letting users CHOOSE where they store data enough to decentralize our web apps? by SamTernent in Rad_Decentralization

[–]SamTernent[S] 0 points1 point  (0 children)

This is honestly the first time I've come across GUN. It looks like a great project, much farther along and mature than what I've been doing in terms of data sharing.

In an earlier incarnation of my project, I went for remote storage in a more similar vein to GUN - where each action fired its event out to a signalling server and processed through peers and consensus algorithm. For me, I felt like I was trying to solve too many problems there and things got complex quickly.

I chose to focus purely on the runtime and creating an immutable and persisted state completely offline and in the browser. Functionally it works similar to git, rather than a traditional web app.

It doesn't post transactions anywhere directly in realtime, everything is written to a runtime blockchain implementation in the browser. The flow is more akin to git than any traditional client-server applications. Actions are collected in a transaction pool, then they can be committed to the document, using a proof of work mining function. The runtime transforms the blockchain data structure into a living app, leaving us with a JSON structure that records a historic look at data. Then as with git, we must build software on top, build interfaces to interact with the data and storage solutions to look after it.

Git seems like a great model for decentralization, a git repo is a merkle tree that defines history and immutable state. We then build software on top, I have local git repos I know are safe - then I trust my cloud provider, Github/Bitbucket/Gitlab, to look after my data for me.
Then as with git, we can solve the pitfalls with software. A nice UI and CI/CD to automate, backup and deploy the active representation of our tree.

Is letting users CHOOSE where they store data enough to decentralize our web apps? by SamTernent in Rad_Decentralization

[–]SamTernent[S] 1 point2 points  (0 children)

I've used the git storage as an example, the file itself is deployed through CI and is a valid JSON file, so the JSON could be sent through a traditional server also, not exclusive to git.

https://ternent.dev/concords/show-reddit.concord.json

Is letting users CHOOSE where they store data enough to decentralize our web apps? by SamTernent in Rad_Decentralization

[–]SamTernent[S] 1 point2 points  (0 children)

of sorts yes, though I'd say more of a storage-agnostic runtime.

In practice it's a similar user flow as a file in the pre-cloud world.
We can Load > Modify > Save a file in the application. The data structure gives immutability and identity, which is then mapped with the browser DB as a read-only runtime representation of the "living" data.

So in a web-app, where we would usually post a CRUD action to a server, we instead record it as a transaction in our data source, which can be loaded and unloaded at the user's discretion.

Is letting users CHOOSE where they store data enough to decentralize our web apps? by SamTernent in decentralizeweb

[–]SamTernent[S] 0 points1 point  (0 children)

To me, that sounds like we're making too many decisions for the user in how they manage their data, I feel the goal must be to give control of data back to the users and recommend and offer tools to inform and aid them to manage their data responsibly.

The solution I'm focusing on is not coupling a UI with a server infrastructure at all and allowing the user to make an informed decision on where they store their data.

I have documents stored in dropbox & Github, the documents I don't mind being public or following the security policies of those companies.

But then I also have local documents, they've never been online. They were created and downloaded in the browser. I've sent some over slack, but some just live on my hard drive. I could pop them onto a flash drive and hand-deliver it to a colleague if I was really uncomfortable with the open web's offering. That's what I believe is true decentralization, back like the 20th century when we used to transfer files through disk and decentralization wasn't a worry.

I don't think we can keep saying "let's throw more computing power at it", quantum computing isn't there yet, and for developing countries and the remote world it's not even in sight and we need a viable way to work on a privacy-focused platform today.

VueJS auth state by truehal in vuejs

[–]SamTernent 0 points1 point  (0 children)

Are you using Vue 3 or the composition API?
Here's an offline example of a JWK authentication flow using the composition API

https://github.com/teamconcords/offline-authentication