
- When you create a collaboration link, it contains an encryption key. (You can additionally also set a password.) All messages sent to the server by collaborators are then encrypted with those. The collaboration algorithm is currently quite simple, and paragraphs are locked when editing them. In the future we'd like to use a P2P algorithm, e.g. using Y.js. [1]

- When you sign up, the page downloads a file on your PC which contains your username, and your password encrypted with a "password recovery key". When you lose your password, we send you your password recovery key and you can decrypt your password with it.

Login being broken is weird, do you see any errors?

[1]: https://github.com/airbornio/airborn/issues/15



> When you lose your password, we send you your password recovery key and you can decrypt your password with it.

Having the password recovery keys, can you decrypt user passwords? Does that matter in this scenario?


No, because the password encrypted with the password recovery key is never sent to the server. It's encrypted and downloaded entirely on the client.


Then, if I format the PC or my HD breaks, I can't do anything?


It is clever that you put the encryption key after the hash sign ("#") component of the collaboration URL, so it never touches your servers.


Don't trust it as a security measure though - it's very easy to read the hash data in JS and then submit it to the server.


Certainly - although the JS can also just read the document and submit that. To make sure that it isn't doing either, you'd have to read the code on GitHub.
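The fragment behaviour discussed in the last three comments, as an added example that is not part of the thread and is not Airborn's code: it shows what a navigation sends to the server versus what page script can read, then checks a captured set of requests for the key being forwarded as-is. The link layout (a 256-bit base64url key in the fragment), the host `collab.example`, and all function names and sample requests are assumptions constructed for illustration.

```javascript
// Added illustration; link layout and all names are assumptions, not Airborn's code.
const KEY = Buffer.alloc(32, 0x41); // constructed 256-bit sample key
const LINK = `https://collab.example/doc/42?mode=edit#${KEY.toString('base64url')}`;

// What a navigation puts on the wire: the fragment is dropped before the
// request is built, so the key is absent from the request line.
function wireView(link) {
  const u = new URL(link);
  return { host: u.host, requestLine: `GET ${u.pathname}${u.search} HTTP/1.1` };
}

// What page script can read after load (location.hash): the key itself.
function keyFromFragment(link) {
  const key = Buffer.from(new URL(link).hash.slice(1), 'base64url');
  if (key.length !== 32) throw new RangeError('expected a 256-bit key');
  return key;
}

// Percent-decode a URL, falling back to the raw string if it is malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Scan captured requests ({url, body}) for the key forwarded as-is in
// base64url, base64 or hex. A re-encrypted or transformed key is not caught.
function findLeaks(link, requests) {
  const key = keyFromFragment(link);
  const b64 = [key.toString('base64url'), key.toString('base64')];
  const hex = key.toString('hex');
  return requests.filter(({ url, body = '' }) => {
    const hay = `${safeDecode(url)}\n${body}`;
    return b64.some((n) => hay.includes(n)) || hay.toLowerCase().includes(hex);
  });
}

// Constructed capture, e.g. transcribed from the browser's network panel.
const CAPTURED = [
  { url: 'https://collab.example/doc/42?mode=edit' },
  { url: 'https://collab.example/sync', body: '{"ciphertext":"3q2+7w=="}' },
  { url: `https://collab.example/log?k=${encodeURIComponent(KEY.toString('base64'))}` },
  { url: 'https://collab.example/beacon', body: KEY.toString('hex').toUpperCase() },
];

console.log(wireView(LINK).requestLine);
console.log(findLeaks(LINK, CAPTURED).map((r) => r.url));
```

A clean result from such a scan only rules out the key being sent unmodified; as the last comment says, confirming the script does nothing else with the key or the document still means reading the code.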



