WideWord

edit topic

Trust points and Breach points in Web Apps

Published December 6th, 2005 edit replace rm!

I have written this article Trust points and Breach points in Web Apps, which explains much of my approach to writing secure web applications. Please comment in the actual article.

Discussion of security in WideWord

Published November 22nd, 2005 edit replace rm!

Larry posted some comments to the security in WideWord under the 5 steps to privacy in WideWord :

  1. key in URL is a structural weakness
  2. why would anyone who understands the nature of your service offering trust you not to log the things you say you won’t?
  3. What benefits does your service offer that can’t be achieved more securely by potential customers for themselves?
  4. Have you checked with a lawyer about what sorts of liability you may be exposing yourself to? Could you be held accessory if someone used your service to plan criminal acts?
  5. It looks as though you have solid technical skills, but little experience in business. Also it seems as though you haven’t subjected your ideas to much critical review.

    Good luck, I don’t think widewords.com is going to be successful in it’s current format, but I’m sure you’ll learn a lot.

He points out things that I’m sure others are questioning themselves as well. I’ve tried to address them below. (This can also be found as a comment on the document above as well).

Larry, The key in the url is a generally much safer design than found in other web applications. I protect the URL from sniffing by using SSL. I never log the key anywhere on disk. WideWord is an example of what is known amongst crypto geeks as capability security.

Where the weakness is on the users own machine and that is true. But that is true for just about any other secure system out there as well.

I believe that the approach taken here is much more secure than any password protected system, assuming the user maintains a reasonably secure computer.

You are absolutely right that the service does not offer better security than a word file stored on a local hard drive, however when you start sending this document around by email as is normally the case you start losing control over the security of your documents.

With WideWord you can also share a document with a potential partner and remove access later on, if it turns out it is necessary. Granted he can save a local copy, but still you have better document sharing security with WideWord that you do with your classic Microsoft Word/Outlook combo.

What I believe I have done here is create an easy to use system to improve security vastly for document sharing. PGP if used correctly is always better and more secure than WideWord, but must end users unfortunately hate PGP.

Concerning trust in me. When there is a so called trusted third party involved, he must at some point be trusted. Yes I could change the logging of the server, but I think most people trust that I wont. With respect to trust, you have to trust that Microsoft doesn’t read their customers hotmail accounts or that 37Signals don’t read their customers project files in Basecamp. Most people chose to trust these services with data that is private and important to them.

I see it as my goal to improve trust in web applications, to get some of the more paranoid users on board. There will always be a group of people who don’t trust anybody. PGP is perfect for them as they don’t mind taking the investment in learning it, it’s terminology and in teaching their collaborators how to use it.

What I have done is remove as many trust points as possible. There are far fewer points that you have to trust me on in WideWord, than in the above examples of Hotmail and Basecamp.

With regards to the legal issues, please have a look at my Usage Agreement. I aim to not give out information to anyone. Microsoft is not an accessory to a crime if someone uses word to plan out a heist, neither will I.

I refuse to censor any documents even if I am in disagreement People can censor comments to their own documents, that is their choice. If I am forced to help out with an investigation I will comply though.

As I hope you can see that I have thought through much of this. Most of what you mention are eagerly discussed in the crypto community, where I have been active for several years.

With regards to lawyers, I prefer not to use lawyers. I know they can be needed at times, but lawyers have time and time again killed innovation.

Thanks for your comments and I look forward to hearing more from you.

Quick overview of Security in WideWord

Published November 12th, 2005 edit replace rm!

I have written a quick overview of what I have done to make WideWord secure.

5 Steps to Privacy in WideWord

About me

Pelle gravatar 160

My name is Pelle Braendgaard. Pronounce it like Pelé the footballer (no relation). CEO of Notabene where we are building FATF Crypto Travel Rule compliance software.

Most new articles by me are posted on our blog about Crypto markets, regulation and compliance

More about me:

Current projects and startups:

Other under WideWord

Popular articles

Topics: