Please include the whole ascii enarmoured key on the security page #162

Open
richo opened this Issue Feb 3, 2014 · 18 comments

richo commented Feb 3, 2014

I had a brief look at just implementing this for a PR, but it looks like your MD templates have yaml in them that gets preprocessed?

Anyway, rather than publishing your fingerprint and relying on keyservers to both be up, work and have your key, it'd be much better to either include your full ascii enarmoured key on the page, or a link to it on another https endpoint on the same domain.

Thanks for having a responsible disclosure policy in the first place.

steveklabnik Feb 3, 2014

Contributor

Yup, it's pretty basic Jekyll, but there's some design considerations involved, so don't feel bad. :)

@kyungmin , basically, fitting the text linked here somewhere would be good: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAE14B43B026A673F

As @richo said, maybe just a link to another page with the raw data would be fine, or maybe some kind of footnote/popup? Thoughts?

richo Feb 3, 2014

Welp, except that you shouldn't fetch the key material via http when you go to publish it, if you want to go full tinfoil hat (I always go full tinfoil hat).

That said, it'd be fantastic to cut out an extra point of failure in the process.

steveklabnik Feb 3, 2014

Contributor

Right, I just didn't want to copy/paste the huge block in here.

mahmoudimus Feb 4, 2014

Contributor

@richo wanna take a stab at adding it?

richo Feb 4, 2014

I can have a dig at it, but I don't really do frontend stuff, and I have exactly no idea how you want a massive monospace block of ascii enarmoured key material presented on your site.

mahmoudimus Feb 4, 2014

Contributor

@richo should we link to a gist maybe?

richo Feb 4, 2014

Oh, I've got the key no stress. The trick is working out where you want it stuck on the page :)

mahmoudimus Feb 4, 2014

Contributor

@richo that's where I default to @dmdj03 and @kyungmin for their expertise.

kyungmin Feb 4, 2014

Contributor

How about something like 'copy to clipboard'?

@dmdj03 any thoughts? @steveklabnik would there be any issue with showing only a small portion of the armored key?

richo Feb 4, 2014

Copy to flash still requires flash to interact with the system clipboard right? (Back in tinfoil hat land).

Showing the header with some JS to expand the container would be slick and practical?

steveklabnik Feb 4, 2014

Contributor

> would there be any issue with showing only a small portion of the armored key?

That's what the key ID already is: the point of having the armored key is that it's the entire one.

> Copy to flash still requires flash to interact with the system clipboard right? (Back in tinfoil hat land).

Yup. I'd favor either expansion or a lightbox/popup.
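
How a key ID such as the one in the keyserver link relates to the full armored key, and how a key fetched over an untrusted channel can be checked against a fingerprint published over HTTPS. This is an added example, not code from this thread or project; `toy_key` and `SAMPLE_KEY` are constructed stand-ins for a real key, and only version 4 keys with old-format packet headers are handled.

```python
import base64, hashlib, struct

def crc24(data: bytes) -> int:  # RFC 4880 section 6.1: catches damage, not tampering
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "", *rows,
                      "=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])

def dearmor(text: str) -> bytes:
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or "BEGIN PGP PUBLIC KEY BLOCK" not in lines[0] or "" not in lines:
        raise ValueError("not an armored public key block")
    rows = lines[lines.index("") + 1:-1]  # skip armor headers and the END line
    if len(rows) < 2 or not rows[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    data = base64.b64decode("".join(rows[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(rows[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: armor truncated or damaged")
    return data

def v4_fingerprint(armored: str) -> str:
    data = dearmor(armored)
    hdr = data[0]
    if (hdr & 0xC0) != 0x80 or (hdr & 3) == 3:
        raise ValueError("only old-format, definite-length headers handled here")
    n = 1 << (hdr & 3)  # 1, 2 or 4 length octets
    body = data[1 + n:1 + n + int.from_bytes(data[1:1 + n], "big")]
    if ((hdr >> 2) & 0x0F) != 6 or body[:1] != b"\x04":
        raise ValueError("first packet is not a version 4 public key")
    # RFC 4880 section 12.2: SHA-1 over 0x99, two-octet length, packet body
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(armored: str) -> str:
    return v4_fingerprint(armored)[-16:]  # low 64 bits of the fingerprint

def toy_key(n: int) -> str:  # constructed sample: v4 RSA packet, 16-bit modulus, e=65537
    body = b"\x04" + struct.pack(">IB", 1391385600, 1)
    body += struct.pack(">HH", 16, n) + b"\x00\x11\x01\x00\x01"
    return armor(bytes([0x98, len(body)]) + body)
SAMPLE_KEY = toy_key(0xD5A3)  # constructed, not a real key
```

Compare the full 40-hex-digit result of `v4_fingerprint` with the fingerprint published on the HTTPS page before trusting a key obtained from a keyserver; the armor's CRC-24 only detects transport damage.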

kyungmin Feb 5, 2014

Contributor

@richo I'm not sure if I fully understand what you mean. How is copy to clipboard not ideal? My understanding so far is: 1) all options require some JavaScript/interactivity, 2) popups or sliding panels require more clicks (click button, select to copy, close) than copy to clipboard (click button).

mjallday Feb 5, 2014

Contributor

@kyungmin I believe he's saying that copy to clipboard requires flash which is usually implemented by a 3rd party and has a poor history of security.

There does appear to be a library (http://zeroclipboard.org/) that does not require flash, I'm not sure how well it works.

richo Feb 5, 2014

@mjallday hit the nail on the head.

Zero clipboard still wants a flash applet running. Unless something drastic has changed since the last time I looked, there's no way to access the clipboard from JS, and no plans to start supporting it (largely because of how difficult it'd be to stop people from doing nasty things with it, think about marketers keeping track of what's on your clipboard with a tracking snippet).

I agree that the popup/slide out involves more clicks, but (all things going to plan) it should be a fairly rare occurrence that someone actually needs this key, and given the target audience, security researchers, who probably don't have flash installed anyway, I don't think the extra work is an issue.

The 3rd issue with the flash/clipboard option is that you still need to provide some way to get at the whole key, because if you actually make it impossible to get the key without flash installed that would be pretty bad.

kyungmin Feb 5, 2014

Contributor

Thanks for elaborating on this! Totally makes sense. In that case, sliding panel seems like a slightly less obtrusive option to me. @dmdj03 what do you think? If you can propose a mockup, I'll make the changes.

dmdj03 Feb 5, 2014

We discussed doing a slider/expand since it's 1 less click for the user.

  1. click to expand
  2. select key
  3. copy

vs.

  1. close modal

steveklabnik Apr 15, 2014

Contributor

Why did this get closed?

richo Apr 15, 2014

I think it got automatically closed with the merge of #156, but it still doesn't really address my issue with the full public key not being available from a trusted source.

mjallday reopened this Apr 15, 2014
