End-to-End Encryption in the Browser and how we did it in Excalidraw (opens in new tab)

(blog.excalidraw.com)

15 pointslipis6y ago4 comments

4 comments

3 comments · 1 top-level

ubramlago6y ago· 2 in thread

Nice approach to sharing the key! I didn't know the the part after # in a URL doesn't get send to the server. Everything makes much more sense now. :D

_pius6y ago

I didn’t know the part after # in a URL doesn’t get sent to the server.

While that is technically true, please know that it is not true in a way that is meaningful for many threat models. The JavaScript running on the page can trivially detect, inspect, and log changes to the location hash.

More information here:

https://developer.mozilla.org/en-US/docs/Web/API/WindowEvent...

j-f16y ago

Isn’t this true of any client side site? If the client side JS has access to some information, it’s always possible for the server to inject custom JS that returns the data. Theoretically this setup provides little additional security but it does allow (for example) people to use a client pinned to a version they’ve verified to not leak information and collaborate without worrying about leakage. (Excalidraw developer here)

1 more reply

j / k navigate · click thread line to collapse