Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] secure text collaboration platforms

Michael Rogers michael at briarproject.org
Wed Oct 3 05:10:28 PDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Sam,

On 03/10/12 10:25, Sam de Silva wrote:
> Can someone help me out - Is http://www.piratepad.net secure? I
> thought it was, but I can't seem to access it via SSL.

As far as I know, the pad software used by PiratePad and similar
services doesn't support SSL. It might be possible to combine the
software with stunnel (http://stunnel.org) to add SSL support, but I
haven't heard of anyone trying it.

> It'll also be really useful to know of 'piratepad' type platforms
> that are secure, and there's controls over deleting the
> collaborative pads/docs.

Etherpad Lite has an HTTP API that can be used to delete pads:
https://github.com/Pita/etherpad-lite/blob/master/doc/api/http_api.md

There's been some discussion about making the same functionality
available through a dashboard, but I don't think that's happened yet:
https://github.com/Pita/etherpad-lite/issues/192

There are a couple of other security issues you might want to
consider. First, the pad server (and anyone who hacks into the server)
can read and modify any pad. No server is completely secure, so it's
worth considering whether the pad server you're using contains
valuable enough information to be worth someone's while to hack into.

Second, if you create a named pad with Etherpad Lite, anyone who can
guess the pad's name can access the pad. If you create an unnamed pad,
a name is generated using Javascript's Math.random() function, which
is not a strong source of randomness, so it might be possible for an
attacker to guess the random name and access the pad.

Cheers,
Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQbCs0AAoJEBEET9GfxSfMgKEH/1rGH6GNm0DpDO6lnFJnTBvH
kEnNSjU3b5BuYIw39wYfG3GE3sOsFuTnt0/KMWGB9M+FXqpNo08Yt3HXUfv2Lii0
eIm9JOLb1/CfmnCyCnVgkYKs2vORQmolAMSu+pqxuY1hb4GwfLRG+uY5wu6jA4fc
CpdFz8ylPmoEfptbIpAhvuh2t2QAPcOvHKSs3xA4hafeDLXG7mebmG7Rbft+gs9G
v8w4NMxrXiKoB6v7kR7ZOO7Jr1uRLUMn6prhVS+99v46QPyxGZDjiXO+VRohC2DG
LsqkgyhdGY8a1FXVeUAKVc0YTud4I1E1d135TqqpE9DsFmh/QgEP2QSk/XZl1zg=
=bWOj
-----END PGP SIGNATURE-----



More information about the liberationtech mailing list