I'm working on a blockchain project where I'm implementing a wallet using Django. A user logs in and get's to generate an address. Now, I want to store the user's private key/public key pair in a file locally on the user's machine every time a user generates an address, and be able to read that file again in the next session (at the user's will). I'm doing this because the app itself is a supernode of the blockchain and all users are virtual nodes. All communication between users happen through the supernode, thus the wallet functionality isn't the core function of the app.
Everything is working perfectly except I can't find a way to create files locally on the client's machine. I've perused the Django documentation but I can't seem to find anything useful (maybe I'm not looking in the right place).
Is there a way I can achieve that?
Note: I'm trying as much as possible to avoid JavaScript, and I don't want users to download/upload files manually.
Saveing data/files on the clients machine is restricted but modern browser for good (security) reason.
However there are Cookies (https://www.w3schools.com/js/js_cookies.asp, https://docs.djangoproject.com/en/3.2/topics/http/sessions/) or html5 webstorage (https://www.w3schools.com/html/html5_webstorage.asp).
Related
Last year, I developed a simple Angular-Express-SQLite based application for a local Warehouse(Logistics Hub) which was used to keep track of daily incoming and outgoing trucks with information like their weight, origin, etc. and I deployed the app on an offline desktop.
Everything went well until I came to know that the computer operator of the Warehouse resold the app to other Warehouses for a decent amount.
Now, the first Warehouse owner has contacted me again with some changes in the app with some crucial inputs as per the new guidelines from the government, I'm looking for some solution to prevent the app from getting stolen again.
I'm looking for a solution that is as light in size as possible because of the type of desktops the app runs on are way too cheap(with lowest possible configuration), hence the choice of SQLite instead of some other Database providers.
The app should be deployed in such a manner that it can't be copy-pasted from one machine to other. It could be achieved by simple, not so secure methods too as the operators aren't that tech-savvy and only know the bare minimum knowledge about Computers, like copy-paste.
So I came across a low-level workaround since I'll be the one who'd set up the application on the client machine.
While initialising the application, an encrypted entry in the database could be set up with the name of the computer by reading the environment variable using express/node.
process.env.COMPUTERNAME
Or using some other system variable unique to that particular Computer and then comparing the stored value and current value on every login.
As Joachim already said in his comment, if the App has internet access, you can check for a license-key or something similar on a server.
Perhaps something like PKG can help, which compiles your sources into a single executable file. PKG on npmjs
Is it possible to identify if the login is being made from a strange machine? Creating a list of machines recognized by login?
I have tried methods to capture data from the browser through .js, thus generating a fingerPrint but without success, because it is not possible to identify the machine if it is in a network for example.
Here's an example where Google or Microsoft do this, I logged into my account on a computer that I had never used, so I get the notification and I can administer the machines that are recognized for my login.
Is it possible to implement this without installing plug ins on the user's machine? through only my WEB application?
Examples:
you want to do something called fingerprinting. This is client side code
basically you are uniquely identifying the user, with all the possible information in which you believe is unique.
This could be a concatenation:
- using cookies
- ip address
- browser agent (which has os, and browser, and some plugins)
- java version (if installed)
- flash version (if installed)
- screen resolution
- all misc versions of information you can grab via javascript
take a look at
https://github.com/jackspirou/clientjs
https://github.com/Valve/fingerprintjs
There are couple of ways to achieve this.
If your clients are having static IPs then probably you can maintain a list of IPS (Kind of whitelist). Any other request can be treated as unintended request and you can write a logic to generate an alert. This is cumbersome method since static IP may be changed over a period of time.
If you have limited no of users, then probably you can generate a certificate and install it on clients machine. Other users who is not having the certificate can be treated as unintended users. They can't access your application since they don't have your certificate. This method is feasible only if your application is intended only for some small no of users since you need to install the certificate on your clients machine.
I'm doing a hobby project Windows 8 app in WinJS. As I'm calling an external api, which requires an api key and oauth authentication, I've got a number of keys that I need to keep "secret".
I've seen places around the web with detailed descriptions on how to get access to and also modify the source code for WinJs (and C#) apps on your computer. But I think those were in the beta/preview time frame?
My Google skills don't seem to be able to tell me if this has been fixed since, does anyone know?
If it wasn't fixed, how do people handle these situations?
Any tips and suggestions welcome :)
You have a couple options here.
Integrate Azure Mobile Services and have it do the oAuth if possible. Your keys remain secret in the cloud.
Store the main key encrypted in your WinJs application. The secret then is also encrypted and stored locally. I use https://github.com/cauld/winjs-oauth-for-twitter and have a slight revision that when I get the key back I store it in the credential manager.
Any local application compiled from any computer language can be tampered with, all you need is a debugger. If you encrypt everything I in theory can just load up a debugger, attach to the http stack library and watch the data go out (excluding even easier techniques like Fiddler to watch this data) and extract whatever I want - fairly easily. So the question is what are you trying to prevent?
If your app could be facilitated to launch a man-in-the-middle attack, you should not keep confidential data in plain form for a long time, in memory or on disk. Also, storing encrypted data locally, alongside with the algorithm and the algorithm key/hash is a recipe for security incidents.
There is no silver bullet to protect your code or data from probing by the end user (or someone who has physical access to the end user's machine), see the amount of game save editors and game trainers out there. Don't put your business logic or important data (e.g. in-app purchases) in plain text or similar, at least add some obfuscation
I'm going to build a website for file manipulations. The idea is that the user will manage to upload his files to the website, and click the "manipulate" button, then he will get the resulted file. Also the user will have to pay in accordance with the amount of files he's trying to manipulate.
The code for the file manipulation is already written in JAVA.
The thing is, some of these files will probably be truly sensitive and private, so users will not be delighted to upload to my site over the internet.
I thought about making a local version of the website, and let the user download it (the local version) to his computer (and the only access the internet will be for the payment action).
But there seem to be two problems:
When i'll decide to change anything in my website, it will not affect the local users.
The local site will be very easy to "crack" in order not to pay...
This is my first website,
do you have any suggestions of how to solve one of these 2 problems?
Thanks!
Concerning question
(1) you would have to implement some update mechanism, for example your "local web site" (which might be a .jar file containing a web server) could check over the internet if a new version is available and then download and install it (however, you should generally ask for user's permission to do so, as many users are not delighted with silently auto-updating software). Concerning question
(2) you might use some code obfuscator to make your compiled java classes more difficult to decompile, and use an encrypted SSL connection for the transactions related to payment (while checking for server certificate to avoid man-in-the-middle attacks by the end user); however any software that a user can have on its computer will be eventually cracked by somebody. Therefore, the best solution is possibly to keep all on your server, while securing as much as possible the whole: use encrypted connections with SSL for everything, or even if the files are highly sensitive, provide a public key so users can encrypt their files with GPG (or similar software) before sending them to the site, and encrypt the files to be sent back to the user by using its public key (that he/she has to provide you and that is not critical at all to be transferred over the internet). Also carefully check the security of your web server and all the software running on it, to avoid bugs that might allow somebody to hack into it. Using the encryption with GPG/public keys and only storing encrypted data on your server might be already a good protection (but you have to make sure that it is impossible to get your private key in any way!).
My company wants to make private deployment for our web application on a LAN network for a client. I want them to have access to the database since it is all their data, but I do not want them to have access to the code since it has our companies propriety and access tokens for various accounts. It would be easy to limit their access if it was on a far away server, but since they have the physical machine I am worried they could hack the hard disk.
Is there a way to encrypt my application yet still make it run normally when in operation? If yes how and what are the tools to do this? I am using Rails and Apache Passenger if it matters.
You need to find a byte code compiler. A good example is Ruby Encoder