Remix.run Logo
Brisk4t 7 hours ago

Thanks for the detailed feedback! Glad you liked the idea.

A lot of these are me not updating the Readme often enough :p I'll be updating it based on your feedback but I'll also address the points here.

1. It used to be the AES key but I switched to storing the pubkey and local private key, its encrypted with a hardcoded credential even in "passwordless" mode and uses the same encryption scheme as 2.

2. Yup its salted. I'll look into Argon2id, should be a trivial change.

3. Pasted strings are sent as a bulk packet (200 chars at a time + overhead), the gif demo is me typing + pasting so it isn't very obvious. I do agree that typed passwords are still susceptible to the length check, sending noise like you mentioned sounds like a good plan.

4,5. Yeah another readme thing, it is indeed AES-256-GCM. I've considered replay protection but for now I think the tradeoff for managing senders easily just based on pubkey is worth because of the next point

6. Readme moment pt.3 :p, the key is generated from the stored ECDH credentials each time along with a session-specific salt (so replay attacks are only possible within the same session).

Let me know if you have any more ideas though, I'm currently working on the FIDO support but I'll definitely work on your suggestions!