html-vault – create self-contained HTML for password protected content

栏目: IT技术 · 发布时间: 4年前

内容简介:Create self-contained HTML pages protecting secret information. Usage:Here's anWhen called, the program requires you to enter a password. It will then generate the HTML output file. This may take a moment. Once completed, the generated

html-vault

Create self-contained HTML pages protecting secret information. Usage:

html-vault ~/Document/secret.txt protected.html

Here's an example HTML file (password is "thisisanexample")

When called, the program requires you to enter a password. It will then generate the HTML output file. This may take a moment. Once completed, the generated protected.html file is is a self-contained HTML file with the content of secret.txt embedded in a way that it can only be accessed if the password is known. You might then place this file on a hidden url for later access.

This works by using browser based crypto. A derived password is generated using 20 million rounds of PBKDF2. The secret file content is AES-CBC encrypted using this derived password.

What it can and can't do

  • The generated HTML can of course not detect if it was copied. So you cannot known if your file is in the hands of an attacker. Placing the file on a secret https URL might make this a bit more unlikely but of course cannot prevent it.

  • If the browser or OS used to view the HTML file cannot be trusted, the encryption is useless as the plain password could be logged by a keylogger for later decryption and the password might still be in memory somewhere. This also includes rogue browser extensions with full DOM access.

  • If the password it too weak, bruteforcing the content might still be viable. PBKDF2 somewhat helps and the large number of rounds was chosen to make bruteforcing more difficult.

  • A server-side attacker might modify the HTML and inject code that exfiltrates the entered password. This might be mitigated by inspecting the HTML source code prior to entering the password. The generated HTML is reasonably small to make this easy.

  • It does not authenticate the decrypted content. This would be rather useless anyway as that implies that someone was able to modify the HTML file in which case you might have bigger problems.

  • There have been no reviews yet, but the source code should be (and stay!) easy to understand.

Status

Unreviewed - use with caution. Feedback is welcome.

Requirements

  • Tested with a recent Chrome/Firefox version. Requires SubtleCrypto API.

  • Python2 or Python3 with pyCrypto

License

BSD 2-clause


以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

C++标准程序库

C++标准程序库

[德] Nicolai M. Josuttis / 侯捷、孟岩 / 华中科技大学出版社 / 2002-9 / 108.00元

这本包含最新资料的完整书籍,反映出被ANSI/ISO C++语言标准规格书纳入的C++标准程序库的最新组成。更明确地说,这本书将焦点放在标准模板库身上,检验其中的容器、迭代器、仿函数和算法。读者还可以找到特殊容、字串、数值类别、国际化议题、IOStream。每一个元素都有深刻的呈现,包括其介绍、设计、运用实例、细部解说、陷阱、意想不到的危险,以及相关类别和函数的精确樯记式和定义式。一起来看看 《C++标准程序库》 这本书的介绍吧!

html转js在线工具
html转js在线工具

html转js在线工具

UNIX 时间戳转换
UNIX 时间戳转换

UNIX 时间戳转换

正则表达式在线测试
正则表达式在线测试

正则表达式在线测试