xoron

joined 2 years ago
sorted by: new top controversial old
We can't just call AI-generated code slop anymore in c/programming@programming.dev
[–] xoron@programming.dev 1 points 6 days ago

thanks! feel free to share any ideas to discuss or reach out for clarity on details of mine.

Introducing Enkrypted Chat - An Ephemeral P2P WhatsApp Clone in c/privacy@lemmy.world
[–] xoron@programming.dev -1 points 6 days ago

I'd like to be clear that docs are the best I can offer, but feel free to ask for clarity on the details and I can try explain it better.

We can't just call AI-generated code slop anymore in c/programming@programming.dev
[–] xoron@programming.dev 2 points 6 days ago (2 children)

hi. sorry for the delay on replying to this. i overlooked it in the thick of messages i got on that post.

your points about focus is entirely valid. which make me more reluctant to show the size of the project.

i put a great deal of time and attention on the cryptography aspects, because that's a core details i wanted to iron-out... the wider project is more like a nextcloud clone.

the lack of focus you eluded to is correct, and it wont inspire you to realise its at a bigger scale than you might think. im working towards something more comprehensive in capabilities.

if i havent lost your trust and interest on the project, it would be great to get feedback on https://enkrypted.chat/ (the final-ish form of the messaging app)

Introducing Enkrypted Chat - An Ephemeral P2P WhatsApp Clone in c/privacy@lemmy.world
[–] xoron@programming.dev -1 points 6 days ago

thanks for your feedback there. id like to share my thoughts and observations on your points.

its a great personal shame for me to go in the close-source direction. those links to the open source repos, will remain open source because its demonstrates the unique concept around how it work. if people are interested in how it works and dont want to trust me (and you shouldnt!)... the open source repositories demo the functionality and also have a reasonable ampount of documentation around it. i had deluded myself that if i opensource something unique like this, i would be able to get open-source funding. i have no experience in the matter, i was just working on a sideproject to begin with (and its arguably still a sideproject). i put focus on transparency, communication and documentation. the project still gets called a scam/slop whether is open/close source.

the app itself is pure client-side javascript so i dont see how i can offer a managed service.

while i have a "decent" amount of documentation on the project, i dont expect most people to take a look. that was all intended for transparency when seeking open source funding. open source cybersecurity seems prohibitively expensive wheather you're big-tech or not. my personal experience in seeking an audit: https://www.reddit.com/r/CyberSecurityAdvice/comments/1su8lir/security_audit_feedback_from_radically_open

id like to put things into perspective here:

As others have pointed out privacy without transparency (in the way of making the underlying code open source) isnt a guarantee of privacy its a weak promise at best

https://github.com/positive-intentions/chat the core concept is demonstrated here. its a full functional p2p messaging with focus on client-side cryptography. i'll be keeping it open source. the key different is that the open source version doesnt have as nice a user experience... if a nice user experience make all the difference, then i dont think people are looking at it objectively.

removing openness in its entirety isn’t a solution privacy focused people will accept

i agree; and just to be clear im not removing openness in its entirety. its open-source to demonstrate how it works. if you want a secure open-source p2p encrypted messaging... you have that... it simply isnt going to be the best experience i can offer. if you want to fork the repo and try iron-out the creases yourself? be my guest (its pretty complicated, so feel free to reachout for clarity). perhaps im being naive, but i dont think any amount of vibecoding is going to make the open-source version competative to the close-source version.

marketing

this is very difficult for me. no idea what im doing in marketing and my candid communication doesnt seem well recieved. especially in the cryptography and cybersecurity communities. no idea how to do marketing beyond posting on reddit and lemmy. i have been spending most of my time in improving the project and i can do that forever... but i shouldnt. its something i need to work on.

i think i have offered a great deal of transparency, honesty and communication about how the app works. i expect it will be tough to sell "secure, but paid for messaging app", but it seems the only logical option. this isnt my first rodeo; open-source is not a gamble that will pay off.

Introducing Enkrypted Chat - An Ephemeral P2P WhatsApp Clone in c/privacy@lemmy.world
[–] xoron@programming.dev 0 points 6 days ago (2 children)

"testing and demo purposes only"

the code and docs are provided so you dont need to trust me.

Introducing Enkrypted Chat - An Ephemeral P2P WhatsApp Clone in c/privacy@lemmy.world
-29
Introducing Enkrypted Chat - An Ephemeral P2P WhatsApp Clone (programming.dev)
submitted 1 week ago* (last edited 1 week ago) by xoron@programming.dev to c/privacy@lemmy.world
9 comments fedilink
 

Enkrypted.Chat

This is intended to introduce a new paradigm in client-side managed secure cryptography. We can avoid registration of any sort. A fairly unique offering in the cybersecurity space.

No need for things like phone numbers or registering to any app stores. There are no databases to be hacked. Allowing users to send E2EE messages and files; no cloud, no trace.

Features:

  • PWA
  • P2P
  • End to end encryption
  • Signal protocol
  • Post-Quantum cryptography
  • Multimedia
  • File transfer
  • Video calls
  • Local-first
  • No registration
  • No installation
  • No database
  • TURN server

I started off with some open source versions of the core concepts.

Open source isnt sustainable. So im taking the Enkrypted.Chat project in a different direction.

To get started, you can take a look here: https://positive-intentions.com/docs/projects/enkrypted-chat/getting-started

To learn more or you want to do a deep-dive: https://positive-intentions.com/blog/introducing-enkrypted-chat

If you really want something to chew on, these are the bleeding-edge docs: https://positive-intentions.com/docs/technical

The docs may answer some questions, but feel free to reach out for clarity instead of reading all that slop.

IMPORTANT: Caution should be used for any unfamiliar project, especially this. I'd like to be clear that I am Al-slop-maxxing at scale. If youre looking for good code, clear docs or best-practices; you should look away now. While this is aiming to provide secure experience, it isnt audited or reviewed. I'm sharing for testing, feedback and demo purposes only. This is a technical demo of a unique concept. Please use responsibly.

(Note: Im actively in the process of rebranding from "positive-intentions" to "Enkrypted Chat". The wording may be inconsistent throughout the docs.)

We can't just call AI-generated code slop anymore in c/programming@programming.dev
[–] xoron@programming.dev -1 points 3 weeks ago

so now youre saying AI psychosis is a serious thing we dont understand... but you seem to be convinced that youre qualified to diagnose it?

unlike many others responding to this threat. you've seen my work and even linked a omprehensive post of how my project works. your pushback here doesnt contain any substance. you can call AI psychosis so you can avoid giving the project actual attention.

ultimately i dont think my project is interesting to you. if im seen as an annoying lemmy user/troll, i encrourage you to block me.

We can't just call AI-generated code slop anymore in c/programming@programming.dev
[–] xoron@programming.dev -1 points 3 weeks ago

i try to be sensitive toward that. but if we have such rulesa against AI-slop, we have to be able to distinguish between low-effort AI and high-effort AI... thats what isnt occuring.

i created a sub for my project here: https://www.reddit.com/r/positive_intentions

while its great for posting updates for those that follow my progress, it hardly has reach compared to other subs. its especially useful to ask in established subs when i have technical questions... like in the sub that got me banned. i dont think im sharing AI-slop and there doesnt seem to be an objective analysis because AI is the latest trent and people already have strong opinions on it.

We can't just call AI-generated code slop anymore in c/programming@programming.dev
[–] xoron@programming.dev -1 points 3 weeks ago (2 children)

the only project relevent here is: https://positive-intentions.com/

the parts i want open source are on github. my project wasnt always open source. i created this without AI agents. then i open sourced it thinking it would gain more trust with users... and it did, but a key observation is that there are folks like yourself that will never be satisfied. if open source code, docs and my communication isnt enough... i have no delusuion that identifying myself would benefit the project in any way... its simply a vector by which people will highlight why im not qualified to work on the project.

critisism in cybersec is common and expected. my ideas should be challenged. but the code is right there. feel free to ignore any details you think might not be up to your quality standard. you linked my previsous post which is more technical about how my app works. you can ask for further clarity on those details.... but your critisism on previous posts suggest to me, that you dont actually want clarity because you alrealy already have the references to find out more.

the project is enjoyable for me. its why i still work on it. would it be wild for me to want to make money from it? im trying to be more transparent about my process. the post here highlight my AI usage and how im using it to create high-effort work. "high-effort" is hardly quantifyable, but i see many reponses are along the lines that "AI cant be trusted to do things perfectly"... as if i dont also agree to that. you linked my previsous post which i would hope made it clear that my AI prompt wasnt "create me a messaging app".

a key and worrying observation is that mentioning that i use AI is the only thing that makes a different in feedback about the project (as per the subject of this post). you can see that in my previous post was significantly better recieved compared to this current post. that is the project where im using AI.... because duh! it is a game changer.

the point im making on the OP still stands that people cant see past my project after i mention i used an AI. human effort has never been easy to quantify... the best you got is storypoints and thats hardly meaningful.

We can't just call AI-generated code slop anymore in c/programming@programming.dev
[–] xoron@programming.dev -1 points 3 weeks ago (4 children)

hi. thanks for taking a look. sorry for the delay in responding, i wanted the heat on this post to settle down a bit.

i originally started with src, but then when it some to formal verification and proofs, i came to the conclusions that you cant simply point it to a single folder are various functions are better separated to make it easier to document.

unlike the formal verification with tools like hax, formal proofs are loosely related to the code. there isnt a direct relation too the proverif files and the code itself. if i change the code, i should also adjust the proverif. i documented it on the website to help me keep track of the functionality.

https://positive-intentions.com/docs/technical/signal-protocol-formal-verification/proverif https://www.reddit.com/r/cryptography/comments/1evdby4/comment/liwyn3o/

regarding how the cryptography is loaded, im using module federation. the signal protocol is imported into the cryptography modules (so the app doesnt need to load the signal protocol project explicitly). that cryptography modules is itself loaded into the p2p-framework repository so that i can automate the handling of p2p authentication.

that AI audit as critical as it is of my implementation is the best source of truth for my project. there is simply not going to be a third-party audit and so it is intended to be objective, but i think i signpost enough that its AI generated. i need to clean up the exclamation marks and emoji's, but the information there should all be correct.

there are indeed a lot of debug messages logged. its worth repeating the project is still a work in progress and far from finished., im sharing it now at this point because it seems like a reasonable state. i understand people can have high expectations around perfection,... this is not that kind of project. perfection would be a waste of my time at this stage in the project.

the CSP headers there are all deliberate to support things like gifs and simpleanalytics. ther could do with a bit of a clean up and taking ownership of things like fonts.... its been on the todo-list for a while but i didnt proritise it. thanks for raising it... i'll see about cleaning it up.

the hax extraction is doing the abstraction to axioms and you right that the axions arent proven... this is something im actively investigating.

thanks for your time and attention on the project. sorry if ive misled you to belive the project is more mature than it is.... its is however a genuine attempt to create something safe and secure.

We can't just call AI-generated code slop anymore in c/programming@programming.dev
[–] xoron@programming.dev -1 points 4 weeks ago

This generally seems to elude to my due-diligence. And if it's low effort AI.

It's skepticism that has me put attention towards docs and various details.

For example: I tried to get a security audit. I can't get one for free, so I created one with AI. I'd like to be clear that I understand how my apps works and am able to articulate it to the best of my ability to AI to generate the security audit. I was exhausted from the experience of creating the audit with AI and it provides me with good information and advice. I stand by the feedback there isn't it isn't ready for production.

In all my posts on all platforms Im sure to mention that it isn't production-ready. (The same for the repos on GitHub)... But the general aim is to create something secure.

We can't just call AI-generated code slop anymore in c/programming@programming.dev
[–] xoron@programming.dev 0 points 1 month ago (1 children)

here is the open source version i created with out AI: https://github.com/positive-intentions/chat

its faily ugly and not user friendly, but the core mechanics of secure encrypted communication is demonstrated and documented. it was clear after creating that version, open source was worthless. with or without AI, slop has always been around.... for better or worse, i was creating slop before it was cool.

i then created the newer version of the messaging app with AI (it isnt fully open source but works in a similar way): https://p2p.positive-intentions.com/iframe.html?globals=&id=demo-p2p-messaging--p-2-p-messaging&viewMode=story

having done it manually and then with AI, i can clearly compare why the close source version is more appealing to users. its not just a nicer UI, its better documented.

youre making assumptions that if i didnt have AI, i wouldnt be able to work on my project. im naive enough to think that isnt true. the documentation and code might not be to the same quality, but im sure i can still crank out code the old-fashioned way.

-2
We can't just call AI-generated code slop anymore (programming.dev)
 

Been banned for AI-Slop on a few subs here on Lemmy as well as on Reddit.

I always provide a good amount of technical detail in my posts and i try to be as transparant and communicative about the details. My projects are very complicated and I try to document them well.

my project is pretty cryptography-heavy... the act of me sharing my efforts in an attempt to show transparency... but it is used against my project by calling it AI-slop (undermining Kerkhoff's principles).

It's 2026 and most developers are using AI. I have used it to create things like formal proof and verification.

my project is aimed to be a secure messaging app. i have all the bells-and-whistles there along with documentation.... but if the conversation cant move past "its AI-generated"... then it seems the cryptography/cybersecurity/privacy community isnt aligned with the fact that using AI is now common practice for developers of all levels.

AI is a tool. you cant (and shouldnt) "trust" AI to do anything without oversight. AI does not replace the due-diligence that has always been needed. i dont "trust" my hammer to bash in a nail... i "use" the hammer. AI is not different in how you need to be responsible for how its used.

i've busted my ass on my project for it to be called AI slop. i think its completely fine when it comes from folks in the community. cryptography is a serious subject and my ideas and implementation SHOULD/MUST be scrutinised... but its simply ignorant if mods are banning me for the quality of my work considering the the level of transparency and my engagement on discussions about it.

It's a bit reductive to call it slop. I think i try harder than most in providing links, code and documentation. Of course I used AI... and it's clearer for it. (you can find more detail on my profile)

i am of course sour from being banned, but am i wrong to think my code isnt AI slop? Some parts of my project are clearly lazy-ui... but im not sharing on some UI/UX/design sub. the cryptography module has unit tests and formal verification. if that is AI-slop and can result in me being banned, i simply dont have faith in that community to be objective on the reality of where AI can contribute.

while its understandable people dont want to review AI-slop... i think the cryptography/cybersecurity community needs to get on board with the idea of using AI to help in reviewing such code. am i wrong? is the future of cryptography is still people performing manual review of the breathtaking volumes of AI code?

1
Multi Vendor Deployment with Infrastructure as Code (programming.dev)
 

TLDR; If you're looking for great engineering and best-practices... you should move away now. I'm creating a solution to a problem that nobody (including myself) has. I'm working with module federation between multiple cloud-providers to create an app that can use interoperable modules from multiple sources.

I have a webapp that I deploy with aws-cdk. It's a static webapp that I have on on S3.

AWS-cdk works as expected, but now id would like to investigate a multicloud deployment. Using something like pulumi or terraform (but not limited to those)

Most vendors have something like S3 and so I would like to have something that can deploy to multiple cloud vendors simultaneously.

In that approach, I would like an exhaustive number of vendor providers. I don't just want the top vendors like aws, gcloud, azure... But I'm looking for something that can also handle providers over seas like Alibaba cloud, Kamatera and I'm sure many I haven't heard of.

My project only needs something like S3 (static server) so I don't expect that being exhaustive in providers would be too expensive.

Im looking for something like terraform or pulumi, but I haven't user either enough to settle on one. When deploying to the S3 equivilent, i dont want it to deploy to either GCloud or Azure... i want it to be able to deploy to both.

(aws-cdk is handling things like the TLD so i think i'll have to stick with that setup.)

To provide more context about what I'm trying to do, I created a webapp that uses webpack module federation. (see my profile for more details)

The aim is for a resilient infrastructure. S3 is not expected to fail, but in a multicloud approach, if any cloud provider has issues, i want there to already be multiple redundancies in place.

I deploy the same app on gh-pages and aws-s3. Its set it up in a way that it can interoperate with statics from aws-s3 or gh-pages. It works as expected.

https://positive-intentions.com/blog/statics-as-a-chat-app-infrastructure#module-federation-in-action

I'd like to scale that up further, so the next level after that is to have something that can deploy to multiple cloud providers.

(Unrelated but worth mentioning: i will also be adding SRI on those imported static files to make sure they have a content-hash that matches expectations. I wont have to "trust" that the providers are serving the correct statics.)

16
Send Messages Privately. No Cloud. No Trace. (chat.positive-intentions.com)
submitted 10 months ago* (last edited 10 months ago) by xoron@programming.dev to c/privacy@programming.dev
13 comments fedilink
 

How it works: https://positive-intentions.com/docs/projects/chat

TLDR: im working on a p2p messaging webapp. webapps are generally not considered secure because of the nature of serving satics over the internet. this is correct, but not a limitation of this project. (selfhosting options: https://positive-intentions.com/blog/docker-ios-android-desktop).

as a webapp, i can provide the app with zero-installation and no-registration. the storage is local-only from your browser/device. so “the cloud”, but the cloud storage capacity is made up of your devices. this allows for things like p2p authentication: https://positive-intentions.com/blog/security-privacy-authentication.

Future: im aiming to create the most secure messaging app out there... (more than signal, simplex, etc). i know i have a have a long way to go to get there. the UI is fairly ugly for the average user, but i think the mechanics are working as expected. i think javascript is underrated in what you can do with it. i actively investigting improving the encryption approach further to align to how the signal protocol works (currently using the classic diffie-helman key-exchange).

Support: i would like to keep this project open source, but open-source funding is not working for me. i dont want your donations because it isnt sustainable for a long-term project. i have so far only experienced grant-funding rejections. i have no idea what im doing in trying to get funding for this project, so any support/advice is appriciated. in recognition of the project in its current state not able to get funding... (sorry) i will have to go close-source (which id like to avoid because it undemines several cybersecurity claims id like to make.)

0
removed (positive-intentions.com)
submitted 10 months ago* (last edited 10 months ago) by xoron@programming.dev to c/ask_experienced_devs@programming.dev
0 comments fedilink
 
10
Decentralized Module Federation For A Microfrontend Architecture (positive-intentions.com)
 

Decentralized Architecture: https://positive-intentions.com/blog/decentralised-architecture

While my approach here could be considered overly complicated (because, well, it is), I'm trying something new, and it's entirely possible this strategy won't be viable long-term. My philosophy is "there's only one way to find out." I'm not necessarily recommending this approach, just sharing my journey and what I'm doing.

Potential Benefits

I've identified some interesting benefits to this approach:

While I often see module federation and microfrontends discouraged in online discussions, I believe they're a good fit for my specific approach. I'm optimistic about the benefits and wanted to share the details.

When serving the federated modules, I can also host the Storybook statics. I think this could be an excellent way to document the modules in isolation.

Modules and Applications

Here are some examples of the modules and how they're being used:

This setup allows me to create microfrontends that consume these modules, enabling me to share functionality between different applications. The following applications, which have distinct codebases (and a distinction between open and closed source), would be able to leverage this:

Sharing these dependencies should make it easier to roll out updates to core mechanics across these diverse applications.

Furthermore, this functionality also works when I create an Android build with Tauri. This could streamline the process of creating new applications that utilize these established modules.

Considerations and Future

I'm sure there will be some distinct testing and maintenance overhead with this architecture. However, depending on how it's implemented, I believe it could work and make it easier to improve upon the current functionality.

It's important to note that everything about this project is far from finished. Some might view this as an overly complicated way to achieve what npm already does. However, I think this approach offers greater flexibility by allowing for the separation of open and closed-source code for the web. Of course, being JavaScript, the "source code" will always be accessible, especially in the age of AI where reverse-engineering is more possible than ever before.

1
Decentralized Module Federation For A Microfrontend Architecture (positive-intentions.com)
 

Decentralized Architecture: https://positive-intentions.com/blog/decentralised-architecture

While my approach here could be considered overly complicated (because, well, it is), I'm trying something new, and it's entirely possible this strategy won't be viable long-term. My philosophy is "there's only one way to find out." I'm not necessarily recommending this approach, just sharing my journey and what I'm doing.

Potential Benefits

I've identified some interesting benefits to this approach:

While I often see module federation and microfrontends discouraged in online discussions, I believe they're a good fit for my specific approach. I'm optimistic about the benefits and wanted to share the details.

When serving the federated modules, I can also host the Storybook statics. I think this could be an excellent way to document the modules in isolation.

Modules and Applications

Here are some examples of the modules and how they're being used:

This setup allows me to create microfrontends that consume these modules, enabling me to share functionality between different applications. The following applications, which have distinct codebases (and a distinction between open and closed source), would be able to leverage this:

Sharing these dependencies should make it easier to roll out updates to core mechanics across these diverse applications.

Furthermore, this functionality also works when I create an Android build with Tauri. This could streamline the process of creating new applications that utilize these established modules.

Considerations and Future

I'm sure there will be some distinct testing and maintenance overhead with this architecture. However, depending on how it's implemented, I believe it could work and make it easier to improve upon the current functionality.

It's important to note that everything about this project is far from finished. Some might view this as an overly complicated way to achieve what npm already does. However, I think this approach offers greater flexibility by allowing for the separation of open and closed-source code for the web. Of course, being JavaScript, the "source code" will always be accessible, especially in the age of AI where reverse-engineering is more possible than ever before.

5
Decentralized Module Federation Microfrontend Architecture (positive-intentions.com)
 

im working on a webapp and im being creative on the approach. it might be considered over-complicated (because it is), but im just trying something out. its entirely possible this approach wont work long term. i see it as there is one-way-to-find-out. i dont reccomend this approach. just sharing what im trying/investigating.

how it will be architected: https://positive-intentions.com/blog/decentralised-architecture

some benefits of the approach: https://positive-intentions.com/blog/statics-as-a-chat-app-infrastructure

i find that module federation and microfronends to generally be discouraged when i see posts, but it i think it works for me in my approach. im optimisic about the approach and the benefits and so i wanted to share details.

when i serve the federated modules, i can also host the storybook statics so i think this could be a good way to document the modules in isolation.

cryptography modules - https://cryptography.positive-intentions.com/?path=%2Fdocs%2Fcryptography-introduction--docs

p2p framework - https://p2p.positive-intentions.com/?path=%2Fdocs%2Fe2e-tests-connectionstatus--docs

this way, i can create microfrontends that consume these modules. i can then share the functionality between apps. the following apps are using a different codebase from each other (there is a distinction between these apps in open and close source). sharing those dependencies could help make it easier to roll out updates to core mechanics.

p2p chat - https://chat.positive-intentions.com/

p2p file transfer - https://file.positive-intentions.com/

the functionality also works when i create an android build with Tauri. this could also lead to it being easier to create new apps that could use the modules created.

im sure there will be some distinct test/maintainance overhead, but depending on how its architected i think it could work and make it easier to improve on the current implementation.

everything about the project is far from finished. it could be see as this is a complicated way to do what npm does, but i think this approach allows for a greater flexibility by being able to separating open and close source code for the web. (of course as javascript, it will always be "source code available". especially in the age of AI, im sure its possible to reverse-engineer it like never before.)

6
Decentralized Module Federation Microfrontend Architecture (positive-intentions.com)
 

im working on a webapp and im being creative on the approach. it might be considered over-complicated (because it is), but im just trying something out. its entirely possible this approach wont work long term. i see it as there is one-way-to-find-out. i dont reccomend this approach. just sharing what im trying/investigating.

how it will be architected: https://positive-intentions.com/blog/decentralised-architecture

some benefits of the approach: https://positive-intentions.com/blog/statics-as-a-chat-app-infrastructure

i find that module federation and microfronends to generally be discouraged when i see posts, but it i think it works for me in my approach. im optimisic about the approach and the benefits and so i wanted to share details.

when i serve the federated modules, i can also host the storybook statics so i think this could be a good way to document the modules in isolation.

cryptography modules - https://cryptography.positive-intentions.com/?path=%2Fdocs%2Fcryptography-introduction--docs

p2p framework - https://p2p.positive-intentions.com/?path=%2Fdocs%2Fe2e-tests-connectionstatus--docs

this way, i can create microfrontends that consume these modules. i can then share the functionality between apps. the following apps are using a different codebase from each other (there is a distinction between these apps in open and close source). sharing those dependencies could help make it easier to roll out updates to core mechanics.

p2p chat - https://chat.positive-intentions.com/

p2p file transfer - https://file.positive-intentions.com/

the functionality also works when i create an android build with Tauri. this could also lead to it being easier to create new apps that could use the modules created.

im sure there will be some distinct test/maintainance overhead, but depending on how its architected i think it could work and make it easier to improve on the current implementation.

everything about the project is far from finished. it could be see as this is a complicated way to do what npm does, but i think this approach allows for a greater flexibility by being able to separating open and close source code for the web. (of course as javascript, it will always be "source code available". especially in the age of AI, im sure its possible to reverse-engineer it like never before.)

8
VeraCrypt-like functionality with a browser. (programming.dev)
 

I've been looking at the WebCrypto API. When combined with the File system API, it can be used to encrypt and store files on your device storage in what seems to be a pretty secure way.

A webapp has some clear vulnerabilities with the code being served over the web (so you shouldnt be using this for any serious purposes!).

Live demo: https://dim.positive-intentions.com/?path=%2Fstory%2Fusefs--encrypted-demo

Demo code: https://github.com/positive-intentions/dim/blob/staging/src/stories/05-Hooks-useFS.stories.js

IMPORTANT NOTES TO PREVENT MISLEADING

  • this isnt a product. it provided for testing and demo.
  • it isnt reviewed or audited.
  • the "password encryption" is using a hardcoded password. id like to aim for a passwordless approach for this, but i havent considered it enough to discuss yet :)
  • this isnt aimed to replace anything like veracrypt. just to show a comparison.
  • this respository represents a webcomponent UI framework. while it holds some ideas i think are interesting, the ui framework seems like its going to be deprecated and i will be refactoring the functionality in favour of React.
3
Are Web Components better for Cybersecurity? (programming.dev)
 

Not to poke at React or any of the other popular frameworks, I'm sure they're suitable for Cybersecurity projects. They surely go through things like reviews and audits.

I'm asking from the perspective that web components are native to the browser and thus reducing what I think is called supply chain attacks (like if "npm install" introduces something it shouldn't).

Maybe the frameworks don't matter and depends on the browser/os/device it's run on?

Context: I have a p2p messaging app created with ReactJS and a separate project for a UI framework based on Lit. Both these projects can be a whole separate discussion. I was wondering if there could be any advantages to refactoring (or starting from scratch) the messaging-app to be based on the webcomponent ui framework.

Same question on Reddit with comments here. I have an answer there, but posting here in-case anything is being overlooked.

3
Are Web Components better for Cybersecurity? (programming.dev)
 

Not to poke at React or any of the other popular frameworks, I'm sure they're suitable for Cybersecurity projects. They surely go through things like reviews and audits.

I'm asking from the perspective that web components are native to the browser and thus reducing what I think is called supply chain attacks (like if "npm install" introduces something it shouldn't).

Maybe the frameworks don't matter and depends on the browser/os/device it's run on?

Context: I have a p2p messaging app created with ReactJS and a separate project for a UI framework based on Lit. Both these projects can be a whole separate discussion. I was wondering if there could be any advantages to refactoring (or starting from scratch) the messaging-app to be based on the webcomponent ui framework.

Same question on r/ExperiencedDevs with comments here. I have an answer there, but posting here in-case anything is being overlooked.

view more: next ›