I think you did a fine job designing it, but I also have to question its purpose.
The workflow needed includes 1) a web browser, 2) the service Vuash itself and 3) a messenger of choice. If one of these three elements breaks, the entire security breaks. Therefore, I'd argue that using a messenger alone makes it more secure against different kinds of attacks.
Vuash doesn't ensure integrity or authenticity. A man-in-the-middle could receive the secret link, read it, create a new message and forward that new link. By doing so the attacker has gained knowledge of that message and is also able to modify it.
If a third party isn't able to intervene but is at least able to read the communication between two parties, the receiver would be able to tell if the secret message has been opened beforehand. That's good, but there are already hundreds of technologies that do just that.
With Open Whisper Systems powering apps like Signal, WhatsApp, Allo (not enabled by default) and Facebook Messenger, I'd argue that you are definitely safe enough by simply sticking to these tools. I do not believe that by including the three elements I mentioned above in one workflow you'll make your communication any more secure. Probably quite the opposite.
@gopietz You're right, if the sender's system is compromised in a way that it leaks the link to someone else that might be interested in it, Vuash ceases to be useful.
Vuash doesn't identify who created the message or who's intended to open it either, so in that sense of the word there's indeed no authenticity and as a consequence no integrity as there's no way to compare the original intent to the end result. A way to mitigate that would be requiring a password in order to unlock the link, but that's too complicated.
I think the nice thing is if both ends are relatively safe, not suffering from sniffing and/or directed attacks, Vuash turns out to be quite useful in my experience. Even if WhatsApp and others offer end-to-end encryption (that's orders of magnitude more robust than ours), they're not designed for the same purpose; they're meant for conversations, for keeping a history of back-and-forth dialogue. I would never *feel* secure typing credentials in a messenger app, as there are social implications in this case.
Yes, the environment around the app can make it useless, but that's how it works with most other apps as well. I use Vuash very frequently myself, and I think it works great when both parties are aware of its value and how to properly make use of it.
Not sure if I was able to clear some things up, so please let me know what you think.
@cbanowsky Thank you for the suggestion. I've added a "Deploy to Heroku" button to our GitHub repo, so now you are just one click away from deploying the vua.sh app to Heroku: https://github.com/current/vuash.
Hello,
I'm the creator and designer. I'll be happy to answer questions you might have about Vuash.
The project started as a little tool for me and my colleagues to exchange wifi passwords, environment secret keys etc. during our daily job routine. There were a couple other similar services available at the time (that we knew of), but we didn't like their UI, UX and overall tech, so we decided to make our own.
The first version needed SSL to encrypt requests because the encryption was all done in the server, but since version 2.0 we don't need it anymore, as the only thing that touches the server is the already client-encrypted message. You can read more on how it works here: https://github.com/current/vuash...
Vuash is free to use, supported by donations, and open source.