Decide how to handle trust #1
Assignees
Comments
|
Update - uProxy now transparently encrypts/decrypts signaling messages, so the need for this is somewhat mitigated. Still leaving it as filed for non-uProxy usage, as it may be nice to have a more modular encryption layer. |
|
Closing as deprecated (AFAIK, this module is essentially too unreliable due to changes on the wechat side). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is more of a meta/discussion issue - as we implement more social providers, particularly over channels that are less open, we should think a bit about trust. We can either assume that users already de facto trust their social network services, and so using our provider isn't really additional risk, or we can assume that the channel is not trustworthy, and (client-side) encrypt what we communicate over it.
Encryption is appealing but it raises its own set of issues (key distribution/trust). The PGP provider (https://github.com/freedomjs/freedom-pgp-e2e) is functional and stable enough for use, modulo Firefox at the moment (freedomjs/freedom-for-firefox#33).
I think the ideal approach would be to enable encryption as a transparent layer that the developer can insert on top of perhaps any social provider. We could facilitate key distribution/verification (see https://www.npmjs.com/package/hex2words) and let the developer/user choose their space in the security/convenience spectrum.
The text was updated successfully, but these errors were encountered: