
SpiderOak Encryptr – Zero-Knowledge Password Syncing - njaremko
https://github.com/SpiderOak/Encryptr
======
d_theorist

        Requirements:
            Node and npm - http://nodejs.org/
                Node package manager for the Cordova CLI and Grunt
            Cordova CLI - https://github.com/apache/cordova-cli/
                Cordova / PhoneGap command line interface
                npm install -g cordova
            Grunt - http://gruntjs.com/
                Build tool for minimising, running and tests
                npm install -g grunt-cli
            PhantomJS - http://phantomjs.org/
                Headless webkit for running tests
            Cordova-icon and Cordova-splash - https://github.com/AlexDisler/cordova-icon/ and https://github.com/AlexDisler/cordova-splash/
                npm install -g cordova-icon and npm install cordova-splash
    
    

Nope. Nope nope nope.

~~~
Karunamon
I'm not clear on what exactly your problem is here.

~~~
wyager
Not that guy, but that's a ridiculously bloated set of requirements.

~~~
Karunamon
The language it's written in, the testing framework, and the support library
that lets it target more platforms? That doesn't seem too bloated to me.

~~~
pritambaral
> That doesn't seem too bloated to me.

For security software? It may not be too bloated for a web app, but for a
piece of security software it is absolutely bloated.

Note: I'm not talking from a utility point-of-view, that "C'mon, writing a
security-related app doesn't have to use so much stuff".

I'm talking from a safety point-of-view, that "Security stuff should
absolutely not have such a large code footprint".

------
y7
I was slightly puzzled what they meant by "zero-knowledge encryption", but
after looking around a bit it looks to be more of a buzzword than really
related to zero-knowledge proofs (besides them using SRP for password
validation). As far as I know, all password managers like Lastpass, 1Password,
etc. use client-side encryption of data. Does this do anything new?

~~~
bascule
Yeah, it's puzzling why SpiderOak persists in using the term "zero knowledge"
to mean something entirely different from ZKPs. As far as I can tell they're
the only ones doing this too.

Especially with zkSNARKs and practical applications like Zcash, all I can
think this will accomplish is confusing people.

~~~
schoen
They tried to coin a new (unrelated) sense of this term about two years ago in
order to try to explain services where the service provider doesn't have
access to your data. I agree that it's confusing because of the much more
clearly established technical term with a different meaning, and I don't think
SpiderOak's sense has caught on outside of the company.

Can anyone suggest a better term? Some people like "end-to-end encrypted" even
in this context, but that doesn't really make sense for data at rest, which is
almost all of what SpiderOak's products deal with.

Edit: SpiderOak has had a _super_-hard time marketing their privacy features
to people who aren't already familiar with the fairly stark distinctions in
play in different access models. I'm sure they would appreciate if someone
came up with a straightforward way to explain "products where the service
provider doesn't have access to your data, and can't get access without your
help in any circumstances because of technical constraints".

~~~
d_theorist
Steve Gibson calls this type of design "Trust No One" (TNO), which I quite
like.

But I think "end-to-end encrypted" is fine and has caught on with the public
to some extent.

~~~
chongli
Of course, you can't really get to "Trust No One" level unless you build your
own computer by hand and write its entire software stack from scratch. It's
kind of an arbitrary distinction, otherwise.

------
SloopJon
I'm a little confused by this. The project page makes it sound like someone's
weekend project, complete with a donation link, but in fact it seems to be the
client for one of SpiderOak's products.

In any case, I'm having fun reading about some of the projects used to build
this, including Crypton. Will this work with any Crypton server, or is it
somehow tied to SpiderOak?

Edit: "I am happy to announce that SpiderOak has acquired Encryptr"
(blogs.devgeeks.org).

~~~
ekrizzle
Yes, Encryptr and Crypton (the framework and server) are both fully open, in
that you can run with your own server. SpiderOak also provides a public free
server.
[https://github.com/SpiderOak/crypton](https://github.com/SpiderOak/crypton)
- Erin @ SpiderOak

------
aorth
I prefer pass, which uses GPG and regular bash scripts to store passwords. You
can sync the directory of encrypted passwords via git too. No fancy stuff.

[https://www.passwordstore.org/](https://www.passwordstore.org/)

~~~
jjnoakes
What is the easiest way to access such a store from a phone?

Assume I have synchronized the encrypted files myself.

~~~
rhyzomatic
For Android: Password Store!
[https://github.com/zeapo/Android-Password-Store](https://github.com/zeapo/Android-Password-Store)
It's on F-Droid (not
sure about Google Play) and it works really well. You need another app to
manage your keys, but there is OpenKeyChain for that (also on F-Droid).

------
JshWright

        Latest commit 5fdc936 on Dec 18, 2015
    

Is this still an active project? 4 months is a long time to pass without a
commit published.

~~~
nitrogen
Sometimes software is just "done", you know, or only needs updates every few
years.

~~~
dsp1234
That there are 93 issues including what appear to be UI issues implies that
this project is probably not in that category though.

------
abhv
I am an academic who works on zero-knowledge proofs; as far as I can tell,
this system has _nothing_ to do with the Turing-award winning concept of
"zero-knowledge." Based on the information on the website, my opinion is that
the author is gratuitously appropriating the term "zero-knowledge" here.

------
rkeene2
WebPass ( [https://webpass.rkeene.org/](https://webpass.rkeene.org/) ) is
similar -- its syncing is done by encrypting the list of sites (note that
passwords are never stored or encrypted) and sending that from one client to
another (no server ever stores the encrypted list of sites).

It's also an iOS/Chrome webapp so it will act like a native app in some ways.

It's also a single JavaScript file which isn't too heavy. The syncing is done
by a simple process that reads what another client writes implemented as a CGI
talking over a FIFO.

------
ikeboy
Previously:
[https://news.ycombinator.com/item?id=9976158](https://news.ycombinator.com/item?id=9976158)

