Gaya

What I did: Consolidated Ideas

Total time: 56.467

Comments:

An important part of any projects is managing the ideas. You may not use them now, you may not use them ever, but keeping good track of those ideas are super important.

For example did you know that SSL and TLS are not the same thing? TLS is more secure and modern than SSL.

I wanted to ensure that Sapphirepack.org was running with the latest security standards for encrypted connections.

For the frontend I'm likely to go with Gastsby since it includes the right meta and markup tags to ensure a high level of security. Just like with Javascript it no longer makes sense to code that stuff by hand.

What I did: Tiny Nx repo understanding

Total time: 56.167

Comments:

What I did:

Total time: 56.150

Comments:

Setup two layers of security with the public/private key, including a hardcoded expiry requirement and list of pubic and private keys (signed with a primary key to authenticate and verify that changes are authorized).

Looked at TweetNacl and realized I'm going to have to wrap it along with Base64 because of how it works. Exploring the places that I'm going to need to use the public/private crypto and designing the 'perfect' api so I understand what I need to build in terms of the public/private key crypto infastructure. (This will require 2 one off scripts that allow:

What I did: Basic Testing

Total time: 54.700

Comments:

I got it to successfully generate a shared session secret. However there's a minor problem I just realized, this library just creates a shared session secret but doesn't allow using a long lived public/private key pair to verify the ssl2client is connecting to the correct ssl2server.

The use case is to prevent catfishing or hijacking the domain. However I'm coming up against issues that's making me rethink parts of the protocol.

What I did: Setting up the mono repo + importing library

Total time: 54.200

Comments:

I got a MR accepted https://github.com/antontutoveanu/crystals-kyber-javascript!!! This feels so good even though it's a tiny change.

The reason that I'm going with a monorepo is to avoid as much software security chain violations. We've seen bad code get injected via a 3rd party dependency. By moving the most critical third party dependency as shared libraries directly managed and controlled within the repo, we remove an important attack vector, while opening ourselves up to a different kind of attack vector (not getting the patches we need because automatic updates aren't pulled).

However given the importance of security and the fact that the crypto libraries we're using have been formally checked or will be in the near future, we surmise the improved control over key crypto aspects will more than makeup for the hassle of having to manually manage and update the components.

I looked at four tools:

Bazel - Pass. Designed to run with multiple languages and such, configuration looks complicated and does more than I need it to do.

Nx - Interested, going to keep looking at others. Like that it has a dependency graph, a way to explicitly show what depends on what, which encourages looser coupling and discarding of old code that isn't needed.

rushjs - Backed by Microsoft, like how it's fully deterministic. Seems to be missing the testing hook but that's not part of the build process??? Whereas Nx does and since testing is important, I want the tools to reflect that. So pass.

Lerna - Pass. Doesn't have testing support.

Alright choose Nx, now need to remember to in the future add in a utlity that runs and tells us if any of our locally maintained security libraries have an update. For now I'm going to create a subrepo that's docs/security/watchlist.md

Alright good news I got the module setup, now I've got to setup the ssl2client and ss2server projects and figure out how to get them to interact within a test.

Sub project now, I'm importing the key code and setting up a few simple tests to ensure everything works as expected.

Hmm O_o kinda but not what we need. At least we're able to import modules from one package to another and vice vera.

There isn't anyway that I can currently know to track which depedencies go with which project.

Other comments:

In response to comment, absolutely good to be back. I discovered an issue that I couldn't address within SN's current security framework and the nature of the web. TO BE CLEAR, SN is extremely secure. So much that I trust my most intimate secrets and passwords wholeheartedly to SN. The issue was a combination of paranoia and the way that extensions are loaded via the internet. Nothing that SN can do to address it, an inherent flaw with how the internet is designed. So at that point I needed to abandon the effort until a better solution was available. I also found that I was using just a plain text editor and 1 note per password so even I myself was reluctant to use the password manager, never a good sign.

What I did: Began dissecting the Public/Private Key Quantm crypto
Total time: 53.067
Comments:

What I did: Researched public and private key system for over the air and quantum resistant key crypto
Total time: 53.033
Comments:

Looked at DHole again for NIST-Finalists for Post Quantum crypto.

Here is the current realizations:

1) Need to negotiate a secure tunnel using Public/Private Key system that can resist quantum attacks.

2) The session once derived can use XChacha20-poly1305 which even using Grovers Algorithm gives 128 bits of security which is 'enough' for current day.

3)In the future since 2/3 finalists algorithms have a non zero decryption probability AND since these files stored in the cloud will be copies of files stored on said device, we can just ask the device to reupload the file that it failed to decrypt. However as Dhole mentioned 2^-120 to 2^-170 is quite dismissible for real world security.

Figuring out how to use the library. Submitted patches for the code. Nothing impressive moved some code around to fix scoping issues when converting all code for the 768 bit version to use let instead of 'var' and ''.

What I did: Continued price research and cost analysis
Total time: 51.717

What I did: Research encryption and income opportunities

Total time: 51.067
Comments:

https://soatok.blog/2020/07/12/comparison-of-symmetric-encryption-methods/

I knew what the decision was going to be after looking around, I just needed to come to terms with it you know. It's a beautiful library that's been audited.

I've made the difficult decision to AGPL the code because I want access to the beautiful crypto library that SN has built. Furthermore I know it's the right thing to do.

Having the code publicly examinable will encourage better craftpersonsship, however I'm scared that people will steal the code and I'll be left without anything.

After realizing I'm going to settle on the AGPL license the next thing is to figure out the income model.

But after figuring out the income model I'm not sure, mainly because what stops someone else from taking my code and using it without paying me anything?

I'm also shooting myself in the foot in other ways.

However I'm going to stick with it because I think it can work. Before I continue I'm trying to figure out income and business models that could work.

What I did: Getting stuck on actually implementing this gem of an idea
Total time: 49.067

Designing blob storage and wrapper library POC api. The idea is that the blog storage of a file will be seperate than the actual file. There will be a few events such as:

A fileID once processed is permanent. However once I realized I was drifting off of the target, which is setup the SSL2 communication I went back to SSL2 communication.

Comments:

I was focused on figuring out Mocha, then realized my approach didn't make sense with using the SSL2 as interceptware and instead having SSL2 become a component built ontop of express that wraps express.

I briefly got sidetracked into blob storage and wrapper library POC. The idea is the blob sotrage of the file be seperate than the actual file. There will be a few events such as:

.addChunk(fileID, fileChunkNumber, fileChunk)
.removeChunk(fileID, fileChunkNumber, fileChunk)
.delete(fileID)
.updateMeta(fileID, fileMeta)
.createFile()
.status(fileID)

What I did: Began actually writing out code!!!!!!
Total time: 48.033
Comments:

Designing the keystore, session management and operator system.

Setting up Typescript and Mocha (for req testing).

What I did:
Total time: 46.783
Comments:

Costs for security analysis isn't something that I can afford currently and it would be immoral to launch and claim an above standard security level. So I'm left at this weird part having hopefully increased security but not being able to prove it until hopefully 2024 or sooner.

Setup a library for Error Code

Total time: 46.533

What I did: translated last 4 errors into HTTP and SSL along with researching session token and OWASP security.
Total time: 45.783

What I did: HTTP and SSL2 protocol use along with a few confusing and similar ones. This is why I flesh them out like this!!!
Total Time: 45.483

What I did: HTTP and SSL2 codes and use cases. researching 2 providers who can do consoluting for TLS along with asking a key exhausting question finally doing a bit of encryption theory to ensure understanding.

Total time: 45.183