Assuring people that data does not get sent to server or stored anywhere #5
Comments
Hey. Yes, it is true that everything is done in the browser and nothing is sent over the network. One reason why I haven't tried to make a statement about it on the website is that a statement might have the opposite effect if you are not technical enough to verify the claim yourself. I have tried to make it easy to verify yourself with the following design choices:
So I would encourage you to inspect the source code and make a determination yourself. Perhaps we can use this issue as a thread where anyone can report their own conclusion on the safety of 2fa-qr? Anyone should feel free to do this themselves and post a comment here that says something like the following:
Of course if you don't think it is safe or want to add other information, please do so. It is just an idea. But be sure to include the commit hash since I will be pushing more changes to the repo. Finally, even if this project was sending data to another server, it would only have your second factor and not your primary credentials (username and password). The project also aims to be a bit educational by demystifying the QR code data. So for those that want to be extra safe, you can generate your QR codes without a web browser, e.g. using the qrencode cli program.
And then you open Another idea is to load the page and then go offline and generate your QR codes. But this is not guaranteed to work since the script could be storing data in localStorage and then send it later when you reconnect to the internet. I would recommend that people start using a password manager that has TOTP support. My personal recommendation is KeePassXC. Because of this, I haven't actually used 2fa-qr in years, but I think it is a very neat little helper still so I have kept maintaining it and recently I even cleaned up the code a lot. I am planning on adding one more feature to it soon too. Anyway.. best thing is to try to verify the safety yourself. And if you do then feel free to sign off on it like I suggested above. Maybe get some other people to also check it out and have them sign off too. Thanks for kicking that off, I guess. :)
Another point that I forgot to mention is that the page has a Line 10 in 4156199
So if this page was sending your credentials somewhere, it would have to be to one of the domains listed in this tag. I will soon remove jquery so that will reduce the list a little bit. I think the only other way to reduce the list would be to remove the Roboto font which is only used for the "In the Google Authenticator app, it will look something like this:" preview. You can try this by downloading the file yourself and then trying to add an
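As an added check (example code, not part of 2fa-qr): a small Python script that pulls the Content-Security-Policy meta tag out of a saved copy of a page and lists, per fetch directive, which remote hosts the policy lets the page's own scripts load from or send data to. The HTML and policy below are constructed samples; the project's actual tag is not reproduced here, and 'self' (the origin serving the page) is not counted as a remote host.

```python
from html.parser import HTMLParser

# Constructed sample page; the real 2fa-qr policy is not reproduced here.
SAMPLE_HTML = """<!doctype html><html><head>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'none'; script-src 'self' https://cdn.example.net; img-src 'self' data:">
</head><body></body></html>"""

# Directives that decide where the page's own code may load from or send data to.
FETCH_DIRECTIVES = ("connect-src", "script-src", "style-src", "font-src", "img-src", "form-action")

class _CspMetaFinder(HTMLParser):
    # Collects the content attribute of every CSP <meta http-equiv> tag.
    def __init__(self):
        super().__init__()
        self.policies = []
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))

def parse_csp(policy):
    # "default-src 'none'; script-src 'self' x" -> {"default-src": ["'none'"], ...}
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def effective_sources(directives):
    # Apply the default-src fallback; form-action does not fall back (CSP3).
    out = {}
    for d in FETCH_DIRECTIVES:
        if d in directives:
            out[d] = directives[d]
        elif d != "form-action" and "default-src" in directives:
            out[d] = directives["default-src"]
        else:
            out[d] = ["*"]  # no directive and no default: unrestricted
    return out

def remote_hosts(sources):
    # Hosts a directive allows; "<any host>" if a wildcard or bare network scheme is listed.
    if any(s == "*" or s in ("http:", "https:", "ws:", "wss:") for s in sources):
        return ["<any host>"]
    return sorted(s for s in sources if not s.startswith("'") and not s.endswith(":"))

def audit(html):
    # Remote hosts each fetch directive permits, or None when the page has no CSP meta tag.
    finder = _CspMetaFinder()
    finder.feed(html)
    if not finder.policies:
        return None
    effective = effective_sources(parse_csp(finder.policies[0]))  # every meta must pass; first shown
    return {d: remote_hosts(srcs) for d, srcs in effective.items()}
```

A directive that resolves to an empty list means the policy names no remote host for it; an entry of "<any host>" (here form-action, which has no default-src fallback) is the one worth a closer look.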
Thanks for the write-up, this is all quite interesting. I think you should put this (or with a slight rewrite) on the project's README, so it appears on the front page. I like the way you approach the discussion... make no claim, let people check things and decide. So I could see a README like this: Things you need to check to ensure this script doesn't save any data, doesn't store anything, and isn't being intercepted anywhere:
1. check the 150 lines of the single file js
2. check the 2 dependencies
3. Check the CDNs serving those dependencies
You can use your text from above to provide those 3 explanations. Then on the site, add the notice in the same tone: This way, without making any claim, you're telling people what they need to know, and how to check if they're paranoid. What do you think?
I adapted this work to run offline: https://www.npmjs.com/package/oathqr
Hi @vhscom. Thanks for sharing your fork. I feel like I must point out a few things though. You state:
You have added a copyright statement in your README. GPLv3 derivatives require attribution so you are required to have a line there with my name. And in the page you replaced "Made by Stefan Sundin" with "Made by VHS", and I would again insist that you keep my name there. It would have been nice if you had continued your git commits on top of mine. When I push future updates to this repository then people are not able to see where you forked off from. Finally, you claim that the fork is somehow more secure? No one can really audit the minified JavaScript that your version compiles everything to. And if someone decides to run the development version, it is very difficult to audit all of the dependencies (the lock file is over 2000 lines long). Pulling in hundreds of dependencies introduces a huge amount of possible supply chain attacks. I would argue that this is an impossible environment to guarantee anything in. Even you would have a hard time accounting for every line of code that runs in the user's web browser in the end. At the very least I would recommend that you disable all minification and obfuscation in the build.
Hi Stefan. Thanks for reviewing the README. I've updated it based on your feedback. I believe you will find the adjustments to your liking. I don't want to nitpick too much over specific verbiage so I just did a slash and burn on the stuff you may have found offensive. Note I built my work using yours as a source of design inspiration to create a transformative work that runs offline. If you look closely at the source you will see there are no substantial parts of your code in my work. In other words, it's not a fork. So suggesting I "replaced" your name is a misleading statement at its best. That would be like suggesting a complete rewrite of TodoMVC written in Vue was somehow the copyright of an earlier version written in React. However, because I want you to continue writing GPL work, have a nice day, here's my offer... Because I may have incorrectly described my app as my derivative (or "modified" work using GPL vernacular) work, if you wish to challenge my statements above I can make a mirror of my work on GitHub and you can take it up with GH legal team. I'm actually genuinely curious where they might draw the line. If they decide after my rebuttal my work infringes on yours, I will add your name a second time, this time with a copyright line, to my README.
I do not make claims about security on the Internet.
While I get this sentiment, it is not entirely true. The user interface is exactly the same, most of the strings are copied word by word. The presentation and the way it functions is a substantial part of the work. But fair enough.
I just wanted to help correct some things that I thought were incorrect. There is no need to blow this out of proportion. Please take a deep breath.
GitHub has nothing to do with this. They would just tell you to go to the courts. I don't want to do that and have no intention of doing that. There is no need to do that. We're adults and we can have a discussion about this without the need to escalate things.
By writing that there was a vulnerability in the original work, you kinda did. You may have read my post in a more negative tone than I wrote it in. I am very happy that you decided to share your work, and I think everyone who reads this would agree with me that it makes the world a better place to have more implementations of this idea. All I wanted to do was to improve your work by pointing out some things. You should be happy about that. There is no need to get upset. Anyway, please have a good rest of your day.
You brought up some good points and I value that. I made you an offer to put you in control as I disagree with your statement regarding your copyright over a layout and a couple snippets of text. What you choose to do with that is up to you. Cheers and thanks again for the inspiration.
Ok, you need to stop deleting and resubmitting your post. It's making my email notifications sad. Use the edit feature. I don't really care about your project any more. Let's just stop this discussion here. I'm more concerned now that this discussion issue has been completely derailed and I better just close it. If anyone wants to continue the discussion on the original topic, please open a new issue instead so we can start from a blank slate. And if someone wants to advertise their transformative work here, then please don't hijack existing topics.
Hey there, thanks for your project! 🎉
Can you please confirm that this is just client-side javascript, and that no data gets sent to any server anywhere, and no data is stored after use?
If true, my suggestion is to write that up on the screen for users to see plainly. Many people use this to avoid the Google server. And people who use 2FA are often a bit paranoid 😅. Having that assurance in plain sight, and that link to the source code that you already have, so that the claim can be checked, would be perfect 👌
Thanks!