dustball / secretchat.site Goto Github PK
View Code? Open in Web Editor NEWHome Page: https://secretchat.site
License: Apache License 2.0
Home Page: https://secretchat.site
License: Apache License 2.0
Hi @dustball,
A PRNG is an algorithm used to produce random-looking numbers with certain desirable statistical properties. In order for a PRNG to be cryptographically secure it must be resistant to prediction.
secretchat.site currently uses Math.random()
as a pseudo-random number generator which is not a cryptographically secure PRNG.
The PRNG is implemented in room.php
when generating an IV as follows:
function make_iv() {
var text = "";
var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
for( var i=0; i < 16; i++ )
text += possible.charAt(Math.floor(Math.random() * possible.length));
return text;
}
Link to source code: https://github.com/dustball/secretchat.site/blob/master/www/room.php#L234-L240
The PRNG is again implemented in index.php
to generate salts:
function make_salt() {
var text = "";
var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
for( var i=0; i < 16; i++ )
text += possible.charAt(Math.floor(Math.random() * possible.length));
return text;
}
Link to source code: https://github.com/dustball/secretchat.site/blob/master/www/index.php#L94-L100
You could either implement a CPRNG from a library or use the Web Crypto API.
Best regards,
Ed
The following comment claims that you do not use Google analytics in the production version, but as far as I can tell you have deployed this page without removing the analytics code snippet:
// production version will not have google analytics
https://github.com/dustball/secretchat.site/blob/master/www/index.php#L111
<?php
if (!$_SERVER['HTTPS']) {
header('Location: https://secretchat.site/');
exit;
}
You should just force HTTPS on the site and use a sameorigin header and it'd be better.
Please consider removing third party tracking software. You are better off including any necessary fonts, stylesheets, scripts, etc., in the project source.
https://secretchat.site/room/ gives a status code of 200
and
https://secretchat.site/TEST/ gives a status code of 404
I'd suggest if someone directly accesses something, you execute some server-side code.
Such as, anything that would be 403 should route to 404. Then the 404 page should have something like this:
<?php
http_response_code(404);
?>
Which makes it harder to tell whether something is truly not there, or forbidden.
Right now your IP is out in the open to anyone who pings or accesses the site. Are you worried about a DDoS or other attack on your server?
Couple issues.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.