I’ve mentioned this in the forum before, but I think what’s needed to provide confidence in zero-knowledge hosting situations is some type of 3rd party code review/hosting service. In this model it seems that there are two components of the data being hosted: the interface / business logic and the actual user’s data. If we’re to assume that the user’s data is sensitive, it seems critical that the interface code be both open and subject to scrutiny, and that the published code matches the code that’s actually being used.

While I think the ‘Stallman solution’ is a step in the right direction, but if we’re talking about simply moving from one centralized location to another, we still have a single point of failure. It would seem that the best solution would be to allow users to either download or cache the interface code and to provide an easy way to verify its integrity after download (this would only need to happen once). In other words - use the cloud to manage user data, but use the user’s computer to execute software. This seems like the best of both worlds, as your data is ubiquitous yet secure.

The “Stallman solution” does not implies any “centralized location”. “URL Y” could be any place on the net trusted by the user, or his/her own computer where the code has been previously downloaded.

Marco

I can understand why one would chosen to use the AGPL for his project in order to avoid freeloaders. However, AGPL is not a security prerequisite. The source code has to be made available but almost any license that allows for reviewing the code will do. The PGP license and Microsoft's Shared Source licenses are good enough, for example.

I think it would be relatively easy to create a distributed document hashing service that one can use to detect tampering of files keyed by their URL. However, it would be easier to just rely on signed browser plugins.

In reality, it is very difficult to find competent code reviewers that are willing to donate the hundreds of hours necessary to review code for security defects. Otherwise, the OpenSSL fiasco would have never happened and Linux would be exploit-free by now.

The vast majority of "tampering" is benevolent. If the service provider provides a critical security fix, you will be left unprotected if you have to wait a week or more for an independent team to prove that the update is "safe." (That is on top of the time it took to code the fix and to have it reviewed internally.) In that time you are vulnerable to a much more likely set of exploits.

(I hate CAPTCHAs. It would be awesome if you guys used your security expertise to solve the "I am anonymous but I can prove I am not a spammer" problem.)

@ Brian

And in fact, there are no CAPTCHAs to register for a Clipperz account. We implemented a protection based on hashcash. I’m not aware of any Drupal module (the CMS used for the Clipperz website) that offers something similar. We would love to use it.

Any Drupal expert out there? We are ready to help.

Yes, AGPL it’s not necessary from a security point of view, but I like the freedom it provides both to users and developers.

Marco

I’m also currently researching the web apps space to mash up of what I think is important to access for everyone everywhere. So far I haven’t gotten very far as there doesn’t seem to be much choice. I hope something will come up before M$ Live Mesh will hit the shelves. Starting with a word processor, I like google docs but I haven’t seen anything similar in the FOSS world. So far my idea is Roundcube as a mail client and dekiwiki since it seem to me it is the most user friendly. (Although I hate the fact that you have to install mono). I’m currently trying to develop a wiki Version of Typo3 with frontend only features but the project ist still in the very begining.

Anyway, in regards to your security concerns, these applications will have to communicate with each other and the user and since they are seperate apps the browser plugin will have to talk to all these apps individually. Honestly I have no idea how one would approach this problem.

thomas

Roundcube, Dekiwiki and Typo3 are certaily great projects, but all of them are released under a GPL license.

Marco

More thought will need to go into the re-directable scripts idea, to prevent scam artists & spammers from taking over from un-suspecting persons. (ie, redirect login script to send id/password to scammer site).

An idea to limit damage might be user configurable option to allow re-direct, and a local signing requirement which forces the user to type in different password when authorizing the re-direct. (to limit scriptable hacks).

what’s a lin for? It’s for protecting freedom, privacy, etc.

A firefox chrome application is downloaded and installed from a given url Y and stays exactly the same when used to interact with another url X. Also, the user is part of the application update process. The firefox extentions are like this. From chrome, XUL and XBL allow for a great platform to create an application.

I really like the sound of this. But suppose I ask google to switch to a zero knowledge system? They come back and say something like “but we need that to make search and ad’s more relevant to YOU personally…” and I have to admit, this is one of their strong points. I even sometimes click on ads! Amazing!

Anyway…

What tactics should we employ so that one of my favorite companies is still able to make the money to pay the bills WITHOUT giving up my privacy? Is this an issue?

In short, how do I respond to the “relevancy” argument?

Oh, and Richard Stallman, you rock!

is that typically people need to make a living, ie., trade or work to pay bills. Just because Stallman doesn’t have to buy soap or water for instance doesn’t mean that the rest of the world wants to go around smelling like a pig. Maybe when Stallman takes a shower and gets a job he can refine his views a bit and maybe he won’t be ignored by most of the world like he is now.

Re: Drupal and spam blocking… have you investigated Mollom?

http://www.mollom.com http://drupal.org/project/mollom

Granted, it’s not an AGPL project… ; )

Also, while the service will algorithmically detect and squash spam, it will still present a CAPTCHA if it’s not quite sure.

“Stallman suggests to add a feature to the browser allowing a user to say: “When you get URL X, use the Javascript from URL Y as if it came from URL X.” If the user does invoke this feature, he can run his copy of the Javascript and still being able to exchange data with the server hosting the web application.”

Maybe I’m missing something, but this seems pretty similar to what Greasemonkey (and GM4IE) already provide. The big difference is that URL Y has to be local. OTOH using a remote server seems to open one up to various attacks (i.e., site Y suddenly starts serving nefarious scripts, etc).

Hello. We built a collaborative web browser based on the zero knowledge algorithm SRPP:

http://srp.stanford.edu

We built it as a custom, internal development project for some hedge funds in Boston. It has a lot of group-messaging and workflow features. I personally use it as my main web browser and RSS reader daily, and love that I can search a private repository of 20K+ of my own bookmarks.

http://sourceforge.net/projects/suprabrowser

It’s a very sophisticated application, but more suited to expert users as opposed to normal end users. It takes about a day of actual usage before figuring out what the heck is going on.

However, once a user gets used to it, it’s totally awesome. It has the ability to manage mailing lists, tag collaboratively and search an individual or group repository of bookmarks. It has file sharing, threaded chat, contextual highlighting of posts and bookmarks, and a bunch of other features. It’s based on the Gecko rendering engine and already has these attributes that you mentioned:

* loads the Javascript code to the user’s browser (the actual program);
* optionally authenticates the user (using a zero-knowledge protocol);
* retrieves and stores encrypted data as requested by the user’s browser.

We would be very happy to collaborate. It’s hard to know how community gets built around something like this. We have the same vision as you, and have a working application. If you are comfortable starting with where we currently are and taking a leadership position with respect to the direction that this application and open source project goes, I would be most thankful. We unfortunately are exceptionally busy and don’t have the time to build community, especially when it seems somewhat random as to how people start to get excited about something.

We are open to changing direction and incorporating new features as long as it seems that other people would like what it is that we are doing. We intend to make it more accessible to other people and less sophisticated end users, but haven’t seen any interest whatsoever from the open source community.

There are so many ideas and possibilities for different directions to take, and if it seems that people rally around this, we will make sure that the resources can be allocated to bringing it about. The missing element so far is any interest at all in a product that took 5+ years to develop.

Sincerely, David Thomson

Have you ever seen TiddlyWiki? It’s entirely client-side, but there are server-side implementations. It is published under a BSD license, though.

My name suggestion is: Cristal Web

Cristal, like cristal clear, transparent. But also, Cristal, like hard as cristal.

“What tactics should we employ so that one of my favorite companies is still able to make the money to pay the bills WITHOUT giving up my privacy? Is this an issue?”

Yes this is an issue, but it’s not that hard to solve. If say, Google needs to target an ad to some keywords in your encrypted data, they could receive your data in plain-text but anonymized format, crunch it, and send ads back. They don’t need to know who you are or where they are sending the ads. All this should only happen with your consent of course, but hey, who doesn’t want ads? ;)

I can already achieve a great deal of this. I have an Amazon S3 account, which provides cheap encrypted but not anonymous storage: they know who I am, but not what I store. This seems to be necessary unless you are going to allow people to store unlimited quantities for free (no, Google doesn’t allow that).

I use the closed-source program JungleDisk to access the S3 system as if it were a drive on a Linux 386, Windows, or Mac system — one of the reasons I chose JD is that they have a GPLed command line retriever. There are various other programs that do more or less the same thing.

Now I can run OpenOffice.org or any other office programs on the files in the simulated drive. I just have to be willing to download one of them to the computer I am using. And that buys me a lot more power and function than any downloadable Javascript app would. This is particularly important in a spreadsheet program: someday Javascript-based spreadsheet programs may be competitive in speed with C++ ones, but that day is not today.

Hi Marco,

Simon Rycroft has created a Hashcash project for Drupal.

I quote the name Crystal Web (but please, write it with ‘y’!).

Thanks for this post, is really helpful.