this post was submitted on 31 Aug 2024
168 points (98.8% liked)

Open Source

30243 readers
38 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml
168
Staticrypt: Password protect a static HTML page, decrypted in-browser in JS with no dependency. No server logic needed. (github.com)
submitted 2 weeks ago* (last edited 2 weeks ago) by sag@lemm.ee to c/opensource@lemmy.ml
21 comments fedilink hide all child comments
 

HN discussion: https://news.ycombinator.com/item?id=41404064

Similar tools:

https://github.com/dividuum/html-vault

https://github.com/MaxLaumeister/PageCrypt

https://github.com/a-nau/password-protected-website-template

https://github.com/sowbug/quaid

https://github.com/mprimi/portable-secret

Thanks to @refalo@programming.dev

top 21 comments
sorted by: hot top controversial new old
[–] rtxn@lemmy.world 16 points 2 weeks ago

Clone it before the Glowy Boys declare it a weapon of mass destruction and preemptively nuke the repo.

[–] RobotToaster@mander.xyz 14 points 2 weeks ago* (last edited 2 weeks ago) (6 children)

Static

Javascript

Has someone changed the meaning of static? I've always thought it meant the opposite of Dynamic HTML

[–] SzethFriendOfNimi@lemmy.world 40 points 2 weeks ago

Static files as in static file handling in a web server no CGI, modules, server side code required.

[–] karmiclychee@sh.itjust.works 14 points 2 weeks ago

Served as "flat files" - filesystem, object store, what have you. No server logic generating content, just passing around of strings and binary data. Files are the representation are the source of truth. Counter to a web app, where the content response is ephemeral and the "source of truth" is scattered across a writeable DB and recombinated (potentially) on every request.

Interesting question though, I (a web dev) just take the term for granted.

[–] thingsiplay@beehaw.org 11 points 2 weeks ago

It depends what static refers to. In this case, it refers to static file creation without PHP (or Python) on the server. The content itself can stay static, JavaScript and its dynamic nature is just used to encrypt and decrypt.

[–] anzo@programming.dev 6 points 2 weeks ago

It's been always the same. Backend, server logic, database... dynamic content; on one hand. JavaScript runs on the browser for almost anything, sometimes for dynamic content. But it's not tied. You could have an in-browser button with a counter for the numbers of times it was pressed (that's actually an entry-level programmer exercise) and that's a static site. If you saved the counter value to the server (e.g. database) then it's not static anymore.

[–] delirious_owl@discuss.online 5 points 2 weeks ago

No, static sites are usually more js heavy because they offset all the processing to the client.

This is one reason I avoid static sites, and just heavily cache the server.

[–] ReversalHatchery@beehaw.org 3 points 2 weeks ago

I think they mean taking a static site, and encrypting that with an attached JS. It could be done with a browser extension too (probably), but that way it would be less portable

[–] refalo@programming.dev 12 points 2 weeks ago (2 children)

HN discussion: https://news.ycombinator.com/item?id=41404064

Similar tools:

https://github.com/dividuum/html-vault

https://github.com/MaxLaumeister/PageCrypt

https://github.com/a-nau/password-protected-website-template

https://github.com/sowbug/quaid

https://github.com/mprimi/portable-secret

[–] 01189998819991197253@infosec.pub 2 points 2 weeks ago

Have you used any of these? Are you able to compare you this one or to the others on your list? Maybe a better question, which one/s would you recommend?

[–] sag@lemm.ee 1 points 2 weeks ago

Thanks, Added to the post

[–] elliot_crane@lemmy.world 8 points 2 weeks ago (2 children)

This seems like a cool idea, but also somewhat questionable from a security standpoint? Isn’t distributing the encrypted content alongside the means to decrypt it (i.e. bundling this all in one file which is sent to the client) essentially equivalent to providing physical access to an encrypted drive? Like an attacker with enough time and effort could bypass the encryption.

[–] Mike1576218@lemmy.ml 12 points 2 weeks ago

It is not a problem to distribute the decryption algorithm. The question remains against what this will protect. Normal https encrypts the traffic safely during transit. With this, the data is also encrypted on the server. But if you can access the server, you can modify the javascript code to send the password back to a server.

It could be used on something like IPFS, where all data is basically public but you can be sure it hasn't been modified.

[–] CosmicTurtle0@lemmy.dbzer0.com 8 points 2 weeks ago (1 children)

Exactly. This shouldn't be used to store your taxes, for example. But it might be good if you want to post details about your baby shower without your parents getting the details.

[–] elliot_crane@lemmy.world 3 points 2 weeks ago

Yep, definitely situational depending on your risk model/tolerance; pretty cool idea nonetheless.

[–] delirious_owl@discuss.online 7 points 2 weeks ago (1 children)

Sounds like JS is a depend

[–] Deebster@programming.dev 22 points 2 weeks ago (1 children)

Well yeah, you need to do the computation somewhere and it's not doing it on the server so...

[–] delirious_owl@discuss.online 0 points 2 weeks ago (1 children)

Right, so it has a depend and it won't work for many users

[–] isVeryLoud@lemmy.ca 1 points 1 week ago (1 children)

There's no way to otherwise make this work for many users. They can use Tor if they're worried.

[–] delirious_owl@discuss.online 1 points 1 week ago

Sure there is. Don't do it in a browser.

[–] henfredemars@infosec.pub 6 points 2 weeks ago

Way cool! Might actually try it sometime.