Posts by justin@ser.endipito.us
 (DIR) Post #ASBo2L4VwyFlxm6idk by justin@ser.endipito.us
       2023-01-31T03:20:31Z
       
       3 likes, 1 repeats
       
       @alex I'm experimenting with some end-to-end encryption ideas applied to Fediverse tech. I roughed out the concepts last month (essentially just applying Olm libraries to structures that work with ActivityPub). Now I'm building out the underlying platform (Rust and Svelte) to put things into practice.
       
 (DIR) Post #ASBoTIGgTxrp5PeX6O by justin@ser.endipito.us
       2022-11-21T05:07:54Z
       
       1 likes, 0 repeats
       
       Here's the E2E secure messaging Mastodon App I've been working on for the last few evenings: https://gitlab.com/justindthomas/secureline/ It's still just a PoC, so don't try to use it for anything important. The basic functionality works (authentication to Mastodon, key exchange, encryption of messages, sending and receiving DMs), so I didn't want to delay putting it out there. It's a #wasm app built fully in #rustlang using the #yew framework (my first experience with Yew and WASM).
       
 (DIR) Post #ASBoTPfOySnY26Gs6K by justin@ser.endipito.us
       2022-11-21T05:11:13Z
       
       0 likes, 0 repeats
       
       The app can effectively be run fully on your local machine. And in fact, that's how the oauth callbacks are currently configured. All of the encryption happens in the browser and keys are held in the LocalStorage therein (encrypted using the ChaCha20-Poly1305 AEAD algorithm in the Orion library). KEX is likewise handled with the same library using x25519.
       
 (DIR) Post #ASBoTcM1no1dNmJ5Cy by justin@ser.endipito.us
       2022-11-21T05:14:24Z
       
       0 likes, 0 repeats
       
       I had to make some adjustments to the Orion structs to allow me to hold the asymmetric keys while negotiation takes place. They're intended to be used in a more synchronous scenario where the request and response happen rapidly, rather than via asynchronous messaging. I think I'm still acting responsibly with the mechanism (i.e., only using the asymmetric keys once and then discarding them), but I'm certainly open to correction.
       
 (DIR) Post #ASBoTmftQnrDOHg5Ym by justin@ser.endipito.us
       2022-11-21T05:16:21Z
       
       0 likes, 0 repeats
       
       Once I've worked out the biggest, ugliest bugs (there are many), and improved the interactivity, I'll put up a server with it running at https://secureline.io. All of the encryption will still happen locally to the browser, but the server will make it easier to access.
       
 (DIR) Post #ASBoTzE0lmHMJZjVPE by justin@ser.endipito.us
       2022-11-21T05:24:33Z
       
       0 likes, 0 repeats
       
       Also, I made one compromise I'm not thrilled about by leveraging the local SessionStore to hold the passphrase-derived key entered at "login" (I put that in quotes because it's not really a login - it's just the input field used to decrypt the local configuration). Because the Oauth negotiation bounces out to the Mastodon server and back, using the session makes things a lot more user-friendly. But it's not strictly necessary and a paranoid user could strip that out if they wanted.
       
 (DIR) Post #ASBqGz1CQVC7okfRtg by justin@ser.endipito.us
       2023-01-31T03:29:04Z
       
       3 likes, 0 repeats
       
       @alex Nice, I will! I'll open the repos soon, too. I'm excited about the model I'm building on - all the privacy components are contained in WASM modules that can be imported and re-used in whatever ways someone might want. I'm trying to focus on building to enable other folks to make things look nice and to reduce their backend work.
       
 (DIR) Post #ASCJstOwejbe4VCev2 by justin@ser.endipito.us
       2023-01-31T03:14:10Z
       
       0 likes, 1 repeats
       
       There's something enjoyable about watching the logs of something you've built operating as it's supposed to. Here I'm just exercising the infinite scrolling I added to my timeline this weekend.
       
 (DIR) Post #ATzTHfXbMi8l3gBr6G by justin@ser.endipito.us
       2023-03-25T23:40:09Z
       
       1 likes, 0 repeats
       
       @fediforum I'm building a Fediverse server on Rust and Svelte with native end-to-end encryption built-in facilitated by wasm modules: https://gitlab.com/enigmatick Still early, but ActivityPub works (I can receive and send posts, etc.) And the E2EE is framed out for 1:1 direct messages with a very basic UI implementation built.
       
 (DIR) Post #ATzW9fDeydaRbfjlCK by justin@ser.endipito.us
       2023-03-26T00:28:03Z
       
       1 likes, 1 repeats
       
       @silverpill I have the beginning of a diagrammatic overview of the structs involved, but I need to spend more time writing up the details. It's nothing particularly novel (as encryption really should not be). Just Olm with an ActivityPub overlay.
       
 (DIR) Post #ATzcQ8wQq1Hm98v6Js by justin@ser.endipito.us
       2023-03-26T01:03:35Z
       
       0 likes, 0 repeats
       
       @silverpill I have the WASM code for that split off in the 'olm' folder at the GitLab organization. It could probably be reused for other projects. The reason it's split off as its own module is that it requires x25519-dalek which in turn requires an old version of zeroize that doesn't play well with any reasonably modern version of the rsa crate I use for signing in the 'enigmatick_wasm' module.
       
 (DIR) Post #AZPZG4lNCn2FcgzGKm by justin@ser.endipito.us
       2023-09-04T03:43:18Z
       
       1 likes, 1 repeats
       
       Successfully sent a message from my local #SofaPub server to myself at infosec.exchange. The command I used was: `cat ./hello_world.json | sofapub post https://infosec.exchange/inbox` The JSON file is just an ActivityPub Create message I created by hand in Emacs. Also uploaded sofapub to crates.io. You can install it with `cargo install sofapub` and run the executable right away. I'll update the documentation shortly to align with that usage. #Rust #ActivityPub
       
 (DIR) Post #AZRoYTCJQCiV9YIBhw by justin@ser.endipito.us
       2023-09-05T05:22:26Z
       
       0 likes, 0 repeats
       
       @silverpill Thanks for the suggestion. I see a ton of Delete messages from Mastodon that seem to rely on the RsaSignature2017 signatures. Or maybe those are superfluous and they'll work with just the HTTP signature - I'll test that.
       
 (DIR) Post #AZY8CQ1O1Tz0IFcXpY by justin@ser.endipito.us
       2023-09-07T19:44:56Z
       
       0 likes, 1 repeats
       
       Switching from Apache to Varnish has definitely made a big difference in performance for my Serendipitous server. Mastodon is pretty noisy and a simple thing like changing my profile summary (which generates 700+ external connections pretty much instantly) was enough to overwhelm the Apache reverse proxy server. Varnish (using Hitch for TLS) handles it with aplomb. #varnish #mastoadmins
       
 (DIR) Post #AZYsKBQyZliZW316CO by justin@ser.endipito.us
       2023-09-08T15:35:05Z
       
       0 likes, 0 repeats
       
       @selea In the end, the VCL is really simple:
       ```
       backend mastodon {
           .host = "10.10.10.10";
           .port = "80";
       }

       sub vcl_recv {
           if (req.http.upgrade ~ "(?i)websocket") {
               return (pipe);
           }
           if (req.http.host == "ser.endipito.us") {
               set req.backend_hint = mastodon;
           }
       }

       sub vcl_pipe {
           if (req.http.upgrade) {
               set bereq.http.upgrade = req.http.upgrade;
               set bereq.http.connection = req.http.connection;
           }
       }
       ```
       
 (DIR) Post #AZg53mntCV3AHwdGhE by justin@ser.endipito.us
       2023-09-11T18:11:07Z
       
       1 likes, 1 repeats
       
       In about 16 commands, I demonstrate installing #SofaPub, creating a new identity, responding to an external Follow request, sending a new Note ("Status" in Mastodon parlance), and then deleting everything from the remote server. Everything in SofaPub is done from the command-line. I describe a couple of steps taken from the Serendipitous web interface to facilitate the interaction. Network/DNS configuration (with TLS) is in place prior to this sequence. https://gitlab.com/-/snippets/3596125 #activitypub
       
 (DIR) Post #AaTwCeZG42jsBPrYSe by justin@ser.endipito.us
       2023-10-06T04:13:59Z
       
       2 likes, 3 repeats
       
       One of the challenges that I'm working on is empowering people with consumer-class internet access (i.e., dynamic addresses) to run their own Fediverse servers. The Publish/Publisher and websocket components I've added to #SofaPub move in that direction. This allows someone with broad connectivity to re-publish connections from users who are more limited. This is a big addition and I haven't published it to crates.io yet. But the code is at https://gitlab.com/justindthomas/sofapub. #ActivityPub #Rust
       
 (DIR) Post #AaTzHjIuBLwEBOKHFQ by justin@ser.endipito.us
       2023-10-06T04:51:40Z
       
       0 likes, 0 repeats
       
       @freemo there's a lot that can be done statically: webfinger, collections (followers, following), user profiles, outbox. I can see how that would be useful for folks. Have you written up your methods?
       
 (DIR) Post #AaiIIlBguu8rN5tGeO by justin@ser.endipito.us
       2023-09-28T13:01:20Z
       
       1 likes, 1 repeats
       
       An article discussing the progress of measure 110 - that decriminalized most drugs - in my home state of Oregon. https://ktvz.com/news/crime-courts/2023/09/27/is-measure-110-one-of-oregons-most-controversial-measures-ever-working-after-nearly-3-years/ "Dying" seems like a sufficient consequence to me. Periodic physical abuse by government agents was always an unnecessary and morally dubious "consequence."
       
 (DIR) Post #AayDOxTlslP660vwq8 by justin@ser.endipito.us
       2023-10-20T18:40:18Z
       
       0 likes, 1 repeats
       
       And I thought the ActivityPub specification was looser than I prefer. Have you seen the 'whois' RFC? "Get some text over port 43 and send some text back." https://www.rfc-editor.org/rfc/rfc3912