cabal-desktop

Improve new user/share cabal flow

Open callil opened this issue 7 years ago • 7 comments

Might be nice to be able to generate a more user friendly short link from the share cabal button that looks like http://cabal.chat/4ae5ec168a9f6b45b9d35e3cc1d0f4e3a436000d37fae8f53b3f8dadfe8f192f that is a static page offering the latest release and a simple guide to getting up and running.

callil avatar Aug 17 '18 18:08 callil

hm maybe this issue also belongs in https://github.com/cabal-club/cabal-club.github.io

callil avatar Aug 17 '18 18:08 callil

it'd be cool if there was an option for grabbing just the cabal:// key as well as the combined onboarding url you mention

(the onboarding url might not be accessible in some cases e.g. when wifi-only, or the server serving the site might be dead etc)

cblgh avatar Aug 17 '18 20:08 cblgh

Me and @pvh had this cool idea of a rendezvous code (which apparently @karissa had been using with dat stuff ages ago).

The idea is that you say to your friend (out-of-band), "hey, type 'picklehands' into cabal". The person already on the cabal hits "create invite" and types in "picklehands" and then their friend (not yet on the cabal) also types that in. They find each other using discovery-{channel,swarm} with that code, confirm that it's the right person (maybe a personal msg?), and then the cabal key gets shared over their connection.

This is also a great way to invite people and ensure that the key never gets leaked via the out of band medium!

hackergrrl avatar Aug 17 '18 21:08 hackergrrl

I really love this idea and I think we're going to implement it on our next project at the lab too. Let me know if I can help figure this out.

If you're in a low-concern environment, the workflow might look something like:

ALICE: "hey, type /find picklehands into cabal"
ALICE joins the chat she'd like to share, and types `/offer picklehands`.
BOB: Sure thing!
    Under the hood, both cabals swarm on the key "picklehands". The onPeer callback for Alice 
    sends a cabal message and closes, ending the swarm. The onPeer callback for Bob accepts 
    the key and joins the channel.
ALICE (in chat): Welcome to the conversation, Bob!
BOB (in chat): Gee, it's nice to be here.

If you wanted a safer system, you could introduce a peer validation step but given all the other privacy-limiting properties of Cabal I probably wouldn't worry about that too much. You could also swarm on (perhaps) a time salted key to defend against attacks based on swarm name reuse. You could generate the swarm key for the user, too.

As a strategy this is reasonably safe because the swarm is very short-lived, so an attacker has to notice the swarm is happening and sneak in before the key exchange is completed. There's no persistent data, so you're not leaving something with a weak key lying around for later attack. You only connect to one other person and you could confirm that it was them before sending anything (though that's not what I propose above).

pvh avatar Aug 17 '18 21:08 pvh

One way to defend against accidentally giving the cabal key to a stranger is hypercore's trick of swarming on the hash of the key, so that the discovery key need not try to be hidden. The peer who wants to join can send the real key (picklehands) and then the offer-ing peer can send the cabal key.

hackergrrl avatar Aug 19 '18 16:08 hackergrrl

Oh, yes, that's what I meant. :-) You're still vulnerable to a rainbow table attack with that, hence the meandering thoughts on salts.

On Sun, Aug 19, 2018, 9:30 AM Stephen Whitmore wrote:

> One way to defend against accidentally giving the cabal key to a stranger is hypercore's trick of swarming on the hash of the key, so that the discovery key need not try to be hidden. The peer who wants to join can send the real key (picklehands) and then the offer-ing peer can send the cabal key.

pvh avatar Aug 20 '18 02:08 pvh
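
The rendezvous ideas in the comments above (swarm on a hash of the code, salt it with time, check the peer before releasing the cabal key), sketched as an added example that is not code from this thread, cabal, or paperslip. All function names, the 10-minute window, and the nonce challenge (a variation on the joiner sending the code itself) are assumptions. The time salt only ties a precomputed table to one window; it does not make a guessable code strong.

```javascript
const crypto = require('crypto');

const WINDOW_MS = 10 * 60 * 1000; // assumed rendezvous window (10 minutes)

// Time salt: both peers derive the same bucket number from their clocks.
function timeBucket(nowMs, windowMs = WINDOW_MS) {
  return Math.floor(nowMs / windowMs);
}

// Topic to swarm on: a keyed hash, so the code itself is never announced.
function discoveryTopic(code, bucket) {
  return crypto.createHmac('sha256', code)
    .update(`rendezvous-topic:${bucket}`)
    .digest();
}

// Joiner proves knowledge of the code against the offerer's fresh nonce.
function joinProof(code, nonce) {
  return crypto.createHmac('sha256', code)
    .update(Buffer.concat([Buffer.from('rendezvous-proof:'), nonce]))
    .digest();
}

// Offerer releases the cabal key only if the proof verifies (constant time).
function releaseKey(code, nonce, proof, cabalKey) {
  const expected = joinProof(code, nonce);
  if (proof.length !== expected.length) return null;
  return crypto.timingSafeEqual(proof, expected) ? cabalKey : null;
}

// Constructed walk-through: one offerer, one friend, one stranger on the topic.
function demo() {
  const cabalKey = 'cabal://<constructed-placeholder-key>';
  const now = Date.UTC(2018, 7, 17, 21, 0, 0); // constructed timestamp
  const bucket = timeBucket(now);
  const nonce = crypto.randomBytes(16);
  return {
    sameTopic: discoveryTopic('picklehands', bucket)
      .equals(discoveryTopic('picklehands', timeBucket(now + 60 * 1000))),
    nextWindowTopicDiffers: !discoveryTopic('picklehands', bucket)
      .equals(discoveryTopic('picklehands', bucket + 1)),
    friend: releaseKey('picklehands', nonce, joinProof('picklehands', nonce), cabalKey),
    stranger: releaseKey('picklehands', nonce, joinProof('picklefeet', nonce), cabalKey),
  };
}

console.log(demo());
```

Peers whose clocks straddle a window boundary derive different topics, so a real implementation would also try the adjacent bucket.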

random {necro} aside, but the rendezvous code mentioned above has been implemented (and i think reinvented?) as whisperlinks: https://github.com/cabal-club/cabal-client/pull/63 using https://github.com/cblgh/paperslip/

cblgh avatar Nov 17 '20 14:11 cblgh