
Show HN: Airborn – Private Google Docs Alternative - twiss
https://www.airbornos.com/
======
twiss
Hi HN! I made this. It has bulk import from Google Docs ;) thanks to a feature
request from HN:
[https://news.ycombinator.com/item?id=15478479](https://news.ycombinator.com/item?id=15478479)

~~~
arkadiyt
Minor bug report: registering with a 64 character password fails. 32
characters seems to work fine.

Also a feature request: please add the ability for me to delete my
account/data from your servers.

~~~
twiss
It works fine for me with a 64 character password. Maybe the server errored
out randomly that time. What browser are you using?

If you shoot me an email with your username, I'll delete your account and
files manually.

~~~
snewman
How will you know the person emailing you is actually the owner of that
username?

~~~
twiss
I'd send an email to the email address they signed up with to confirm.

------
amenghra
Good timing with Google incorrectly flagging some Docs as abusive?
([https://motherboard.vice.com/en_us/article/zmz3yw/why-is-my-...](https://motherboard.vice.com/en_us/article/zmz3yw/why-is-my-google-doc-locked-terms-of-service-bug))

~~~
ttul
When you are running an operation at Google scale, the challenge of fighting
fraud is something that people who have not worked at that scale can only
imagine. These guys will also encounter fraud at some point. And when they do
so, I guarantee they will be no better at it than Google is.

~~~
amenghra
If they can't access the data, then they shouldn't be able to moderate it.

There are plenty of things on the web where you can upload data and they don't
use machine learning algorithms to decide if your content is "valid" or
"invalid". It all depends on various tradeoffs.

~~~
scientistem
Right, google drive has a big problem with public file hosting and piracy. If
the content is encrypted the safe harbor becomes trivial to preserve.

~~~
camus2
> Right, google drive has a big problem with public file hosting and piracy.

I'm pretty sure this isn't a DMCA takedown case here. Google scanned the
content of the file, didn't like it and removed access via an algorithm.
Nobody but Google knows how it works.

If the content is encrypted then it's impossible to use google docs document
viewers, editors, or collaborate online on a document directly via google doc.
It becomes just a dumb file host with no added value.

------
bengotow
This looks great! Minor nits: In what way is this an OS? Also in the US,
Airborn (e.g. to be in the air) is spelled "Airborne" and it's difficult to
type it without the trailing 'e' without spellcheck fixing it automagically.

~~~
twiss
The most significant ways in which it's a bit like an OS are

1\. It has a Window Manager (try it out in the demo, you can drag around
windows and such)

2\. It has a File System, which does encryption and compression. This makes it
so that the "apps" (documents and presentations, and in the future hopefully
spreadsheets) don't have to know anything about encryption. This made it very
easy to port the presentations app, for example.

3\. It has a Marketplace with apps (not that they are very useful).

But yeah, since many people don't seem to like the name nor the OS-like UI,
I'm considering dropping both. I'm just a bit concerned because there are many
other companies named simply Airborne or Airborn. Also, integrating documents
and presentations into a more unified UI would be a lot of work, since they're
pretty much standalone apps today.

~~~
TimTheTinker
May I suggest Air Docs?

------
carlisle_
I feel like "Even if we get hacked" as a marketing message might send the
wrong signals.

~~~
spatley
I like "even if we get hacked". With all the data breaches in the news I feel
like this is a selling point many would understand. I would even go further
and say "and even if we get subpoenaed". My 2 cents.

~~~
mleonhard
If you get hacked, the attacker will replace the application code. When the
user logs in again (or opens a new browser window) the modified application
code will decrypt all of their data and send it to the attacker. The
encryption provides no protection from hackers.

Protection from hackers comes only from reviewed and verified software and
hardware. The only consumer platform that comes close is iOS.

~~~
twiss
Please see
[https://www.airbornos.com/docs/security](https://www.airbornos.com/docs/security)
or [http://blog.airbornos.com/post/2017/08/03/Transparent-Web-Ap...](http://blog.airbornos.com/post/2017/08/03/Transparent-Web-Apps-using-Service-Worker)
for a description of how we solved that.

------
krz8
To solve this, [...use Service Workers] to install some code which can't be
changed without setting off a warning to you.

How does that work? Isn't a service worker started by plain JS code?

~~~
twiss
Yes, it is, but after that, it stays installed and runs before you open the
web app the next time. In effect, this makes it trust-on-first use, just like
if you'd install a desktop app which then had some secure update mechanism.

~~~
woranl
Can service worker’s code ever be updated by the hacker? How does this
actually work?

~~~
twiss
Yes, it can, but whenever the Service Worker's code changes, the user is
warned. There's an "updatefound" event [1] which both the web page and the old
Service Worker get. I wrote a blog post with more background info at [2].

Of course, it would be better to only warn the user if the Service Worker
changes if it doesn't match the version on GitHub, but that's blocked on [3].

Furthermore, there are some very edge-case situations where the Service Worker
can update when Airborn OS is not open or not visible (e.g., in a hidden
iframe [4]). That is why, when you register and check "Notify me before
updating Airborn OS", it asks you for permission to send you notifications.
Those notifications are currently only used to warn you when the Service
Worker updates.

[1]: [https://developer.mozilla.org/docs/Web/API/ServiceWorkerRegi...](https://developer.mozilla.org/docs/Web/API/ServiceWorkerRegistration/onupdatefound)

[2]: [http://blog.airbornos.com/post/2017/08/03/Transparent-Web-Ap...](http://blog.airbornos.com/post/2017/08/03/Transparent-Web-Apps-using-Service-Worker)

[3]: [https://github.com/w3c/ServiceWorker/issues/1208](https://github.com/w3c/ServiceWorker/issues/1208)

[4]: [https://bugs.chromium.org/p/chromium/issues/detail?id=773307](https://bugs.chromium.org/p/chromium/issues/detail?id=773307),
but it's not a browser bug. I should file a spec bug, but I'm still waiting
for a reply on [3], too.
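
The warning flow described in the comment above, as an added example that is not part of the original post and not Airborn OS code. The `warn` callback, the stage names and the `/sw.js` path are hypothetical; the first install is treated as the trust-on-first-use step and only later changes raise a warning.

```javascript
// Added example, not Airborn OS code. `warn` is a hypothetical callback and
// '/sw.js' a hypothetical script path.

// Attach to a ServiceWorkerRegistration, from the page or from the old worker.
function watchForWorkerUpdates(registration, warn) {
  registration.addEventListener('updatefound', () => {
    const incoming = registration.installing;
    // First install: no previously trusted worker exists, so this is the
    // trust-on-first-use step and there is nothing to compare against.
    if (!registration.active) return;
    const scriptURL = incoming ? incoming.scriptURL : null;
    warn({ stage: 'update-found', scriptURL });
    if (!incoming) return;
    // Follow the replacement through its lifecycle so the user can tell
    // whether the new code is only waiting or already in control.
    incoming.addEventListener('statechange', () => {
      if (incoming.state === 'installed') warn({ stage: 'update-waiting', scriptURL });
      if (incoming.state === 'activated') warn({ stage: 'update-active', scriptURL });
      if (incoming.state === 'redundant') warn({ stage: 'update-discarded', scriptURL });
    });
  });
}

// Page context: make the change visible in the open tab.
if (typeof document !== 'undefined' && 'serviceWorker' in navigator) {
  navigator.serviceWorker.register('/sw.js').then((registration) => {
    watchForWorkerUpdates(registration, (e) => {
      document.title = '[code changed] ' + document.title;
      console.warn('Service Worker ' + e.stage + ': ' + e.scriptURL);
    });
  });
}

// Old worker context: for updates that arrive while no tab is visible.
// showNotification() only works if the user granted notification permission.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  watchForWorkerUpdates(self.registration, (e) => {
    if (e.stage !== 'update-found') return;
    self.registration.showNotification('Application code changed', {
      body: 'A new Service Worker was downloaded: ' + e.scriptURL,
    });
  });
}
```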

~~~
woranl
The concept of Transparent Web Apps (TWA) is an interesting one - more so than
AirbornOS itself. Any chance of packaging it (i.e. in the form of library, or
make it as a SaaS) to promote adoption? This can enable more TWA and perhaps
pivot yourself to become the TWA hub/directory.

~~~
twiss
Yes, I'm planning to make a library for it. It won't be quite install-and-
forget, because the developer has to 1) push to GitHub or another public log
before every deploy and 2) somehow let the Service Worker know where to find
the latest version on GitHub. But it's definitely possible.

A TWA hub sounds interesting. I think that if you have a list of web apps that

1\. are a Transparent Web App

2\. have had a security audit

you could then add some UI in the browser that says "this web app keeps your
data private". That would be useful not just for apps that use client-side
encryption, but also very simple web apps, like say word counters. It's very
useful for users to know whether the word counter sends their data to the
server or not.

Of course, step 2 would be quite expensive, although for simple web apps it
would be manageable. It would have to be financed by either the web apps
themselves, or some big entity like Mozilla (which for years has had
volunteers manually check browser extensions for things like this, too).

~~~
woranl
The JavaScript trust issue will always be a concern when webcrypto is used,
and webcrypto is a web API expected to be made broadly available across
browsers (desktop and mobile). If somehow the concept of TWA can be made easy
for developers to adopt and you pivot to handle/streamline the heavy lifting,
I think you may have a much more lucrative niche. Think of this as VeriSign
for TWA. Wouldn’t that be cool? Someone (i.e. you or Mozilla) should do this.
This really promotes the open web.

------
morganvachon
It breaks the back button (stuck in a reloading loop). That alone is enough to
make me move on, regardless of the potential privacy benefits.

~~~
twiss
Yeah, it does that in Firefox, sorry about that. It works in Chrome.

~~~
morganvachon
Hopefully you can get it fixed in other browsers. My apologies for this, but I
find it amusing that a Google services alternative works better in a Google
provided browser. :-)

------
EGreg
"We (the makers of Airborn OS) won't be able to read them even if we wanted
to."

I take such claims with a huge grain of salt on the web. YOU serve the
Javascript. YOU can change it at any time to phone home what I wrote. No point
in trying to change it with the Web alone - that's how it's designed. The
server must be trusted at all times.

~~~
twiss
Here's a description of what we've done to solve that problem:
[https://www.airbornos.com/docs/security](https://www.airbornos.com/docs/security)

~~~
EGreg
That's interesting, but you're plugging holes in a waterfall I think.

For example, that first visit which installs the service worker can already
deliver bad code.

Not saying you will do it, but it all relies on people trusting you not to do
it. So statements like "we CAN'T read your stuff" are not true on the web.
Luckily, most web users don't care about being hacked by the server - they
care about owning their own data! :)

~~~
twiss
> For example, that first visit which installs the service worker can already
> deliver bad code.

Yes, but that is also the case when you install a desktop app. That's why
Airborn OS is open source, so that you can inspect the code.

~~~
EGreg
Agreed but with a desktop app, the author can sign it and the OS verifies that
signature. Sadly the Web does no such thing with the top level document.

~~~
twiss
Yes, that's true, but the author (or intermediary-who-delivers-the-binary) can
also.. not sign it (deliver an unsigned version). Often, you don't have many
other options than to trust the binary the website is serving you.

~~~
jimktrains2
It also happens far less frequently and I can do it at my leisure, or even
just compile it on my own.

------
wybiral
As for the crypto, am I correct in seeing that it uses PBKDF2 to derive an AES
key from their password. And then it uses SJCL's encrypt/decrypt methods?

~~~
twiss
Yes, that's correct. Unless Web Crypto is available, in which case it uses
that.

~~~
mr_toad
How does password / key recovery work?

~~~
twiss
When you create an account, it downloads a file which contains

\- Your username

\- Your password, encrypted with a random key.

That random key (but not your encrypted password) is sent to the server. When
you request a password recovery, we send you a file by email which contains
that key and with which you can decrypt your password.

That way,

\- We don't have your encrypted password

\- A random person / application can't grab your password from your computer

\- We verify that it's you who wants a password recovery (by sending you an
email).
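
The recovery split described in the comment above, as an added example that is not part of the original post and not Airborn OS code. AES-GCM through Web Crypto is an assumption (the comment does not say which cipher protects the recovery file), and the function and field names are hypothetical.

```javascript
// Added example, not Airborn OS code. Cipher choice (AES-GCM) and all names
// below are assumptions made for illustration.
const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Client, at signup: produce the file the user keeps and the record the
// server keeps. Neither half is enough to read the password.
async function splitForRecovery(username, password) {
  const key = await crypto.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = crypto.getRandomValues(new Uint8Array(12));
  const ciphertext = await crypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(password));
  const rawKey = await crypto.subtle.exportKey('raw', key);
  return {
    // Downloaded to the user's computer, never uploaded.
    recoveryFile: { username, iv: toB64(iv), encryptedPassword: toB64(ciphertext) },
    // Uploaded to the server, which never sees the ciphertext.
    serverRecord: { username, recoveryKey: toB64(rawKey) },
  };
}

// Client, during recovery: the server has emailed `recoveryKey` to the
// address on file; combine it with the locally stored recovery file.
async function recoverPassword(recoveryFile, emailedKeyB64) {
  const key = await crypto.subtle.importKey(
    'raw', fromB64(emailedKeyB64), { name: 'AES-GCM' }, false, ['decrypt']);
  // decrypt() rejects if the key is wrong or the file was modified.
  const plaintext = await crypto.subtle.decrypt(
    { name: 'AES-GCM', iv: fromB64(recoveryFile.iv) },
    key, fromB64(recoveryFile.encryptedPassword));
  return new TextDecoder().decode(plaintext);
}
```

Whoever holds both the recovery file and access to the mailbox can recover the password, so the scheme is only as strong as the weaker of those two.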

------
staticelf
Cool project, one minor thing is that the background doesn't go very well to a
wide-screen. I can see the image repeat.

------
didip
This app is making me ride the nostalgia train (circa 2005?) when AJAX was hot
shit and everyone was making cloud OS.

It has all the same elements:

* window manager

* apps

* document editor

* dock widget

I wish you all the best OP!

------
rambojazz
Can this be self-hosted?

------
gatmne
Looks really slick!

You should consider adding Word support. Support for Office XML formats[1] is
simple enough to hand-roll.

[1]:[https://en.wikipedia.org/wiki/Microsoft_Office_XML_formats](https://en.wikipedia.org/wiki/Microsoft_Office_XML_formats)

~~~
twiss
What extent of docx support is important, do you feel? Is just importing docx
to html (the native format) sufficient, or should they stay as docx while
editing? Should it be possible to export from html to docx?

~~~
gatmne
As an end user, I don't care what format Airborn uses internally. What matters
is that I can interact with documents and files sent to me by other people,
which are likely authored using Microsoft Office, Libreoffice, and Google
docs.

As a developer, I would ideally recommend to look into using a custom internal
representation for a document and developing converters that convert between
your representation and various formats. This way you won't be hindered by
limitations of a specific format.

However, if you lack the resources to develop and maintain these converters
yourself, look into the feasibility of leveraging LibreOffice by using a
preexisting format like WordProcessingML as an internal format. You can then
use LibreOffice to handle the conversion between the various formats you want
to support. The downside to this is that you'll eventually outgrow
WordProcessingML if you want to support features not supported by that specific
format.

------
jimktrains2
The very premise that a hacker can't read my data is laughable. Unless I'm
using a native app to do the decryption a hacker could gain access to my data
as it leaves your server or if they can store the encryption credentials from
my session and use them later.

~~~
twiss
When it leaves our server, the data is encrypted and not readable. To get your
encryption key, they would need to execute code in your browser, and we
describe how we protect against that at
[https://www.airbornos.com/docs/security](https://www.airbornos.com/docs/security).

Of course, we're only talking about when _our server_ gets hacked. If _your_
computer gets hacked, you have a problem regardless of whether you're using a
web app or a native app.

~~~
jimktrains2
> To get your encryption key, they would need to execute code in your browser,

You mean like all the javascript you're sending me?

> To solve this, we're using a relatively new web technology (Service Workers)
> to install some code which can't be changed without setting off a warning to
> you. That code then keeps taps on all other code, and checks that it matches
> the publicly available version on GitHub.

I really think you need to rethink your security here, because this just makes
me even more sure that I don't trust you. It's actually a good bit laughable.
If an attacker has access to your server, why should I believe that they
wouldn't be able to update your github repository? (Why do I know you use
different keys, don't put your private key on the server, &c?)

I have to trust you _regardless_ of any of your technology, and that's the
problem. If someone has your server, there is very little I won't put past
them to also have access to.

In sum, I think you're in for a world of hurt if you expect anyone who
actually cares about security to trust you to never, ever make any mistakes.

> Of course, we're only talking about when our server gets hacked. If your
> computer gets hacked, you have a problem regardless of whether you're using
> a web app or a native app.

You're obviously just being needlessly argumentative about this. My meaning is
obvious because of the context and the situation I described.

~~~
twiss
> If an attacker has access to your server, why should I believe that they
> wouldn't be able to update your github repository?

I don't have my GitHub password/keys on the server. Why would I have them
there?

> I have to trust you _regardless_ of any of your technology, and that's the
> problem.

Yes, but it's trust-on-first-use. There's a big difference between

1\. Trusting me today when I say that the GitHub keys are not on my server,

2\. Trusting me today when I say that I'm not sending your password to the
server, and being able to verify that by checking the code on GitHub

and

1\. Trusting me every time you open the web app

2\. Trusting me and my hosting company that I won't ever get hacked

~~~
jimktrains2
> I don't have my GitHub password/keys on the server. Why would I have them
> there?

Because you only need an SSH key to push to github and it's not uncommon for
people to leave those laying around (or to forward them with a connection!) on
a server.

The better question is not "Why would you have them there?" but "How do I know
you don't have them there?"

> Yes, but it's trust-on-first-use. There's a big difference between

You're showing a very fundamental misunderstanding of trust and security. I
trust your code every single time I load the application. I don't care what
measures you _think_ you've put into place, I will _guarantee_ you they are
not fool-proof if you have a compromised system. Your insistence that it is
is very disheartening and continues to degrade any trust I would have placed
in you.

> 1\. Trusting me today when I say that the GitHub keys are not on my server,

No, it's trust that you will never ever ever ever place them on any device you
ever own where it is accessible or that said device will never ever ever be
hacked.

> 2\. Trusting me today when I say that I'm not sending your password to the
> server, and being able to verify that by checking the code on GitHub

And when this changes? Must I audit the code every single time I load the
code? Because yes, I need to do that to ensure you haven't changed anything.

> 1\. Trusting me every time you open the web app

I still need to do this.

> 2\. Trusting me and my hosting company that I won't ever get hacked

I still need to do this too.

~~~
twiss
> And when this changes? Must I audit the code every single time I load the
> code? Because yes, I need to do that to ensure you haven't changed anything.

No. The whole point of what I've done and made is to make sure you don't have
to do this. The Service Worker checks all code that is coming from the server.
If you've opened Airborn OS before on a computer, and don't see a notification
saying that Airborn OS has been updated, it is _guaranteed_ that it's still
the same code. If it _did_ change, you get a notification with a nice link to
GitHub, where you can inspect the commits since last time. That code is
_guaranteed_ to be identical to the new code that you will be running if you
refresh Airborn OS.

~~~
jimktrains2
I'm glad you think that. I still don't trust you, nor do I trust that you will
never be breached in such a way that a malicious update will be pushed.
Everything you're saying still depends on me trusting you.

What if this is my first time loading? How do I know you're not serving up new
files that don't contain checks to be visitors?

Moreover, are you insinuating that you will never update any code and that
you expect that pop up saying you've updated the code to never appear? Do you
expect people to check commits multiple times a week or a day?

So, ok, let's assume you're 100% trustworthy and a malicious actor changes the
code and I get an error. Am I now forever unable to access my documents? How
can I be sure that the code I'm running is really the code on GitHub after a
breach? How does the code prevent changes to the initial code loaded on a
request? Which could in theory manipulate the DOM before the service worker
could attempt to verify the page, if I'm understanding you correctly.

But again, this all assumes that you're 100% trustworthy, and you're not. You're
just some person asking me to believe you'll never ever make a mistake or be
coerced into a malicious action.

Also I haven't seen a mention of the AES mode you're using. Your security
page is laughably short given that it's literally your main selling point.

~~~
twiss
> What if this is my first time loading?

Like I said, it's trust-on-first-use. This is no different from installing a
desktop app.

> How do I know you're not serving up new files that don't contain checks to
> be visitors?

The Service Worker is installed on your own computer, and is still there the
next time you open the web app.

> How does the code prevent changes to the initial code loaded on a request?
> Which could in theory manipulate the DOM before the service worker could
> attempt to verify the page, if I'm understanding you correctly.

[https://developer.mozilla.org/docs/Web/API/Service_Worker_AP...](https://developer.mozilla.org/docs/Web/API/Service_Worker_API)

~~~
jimktrains2
You're assuming the old version of the service worker will be there and
running. That isn't a good assumption. It will normally be there, but it
doesn't have to be. There will always be circumstances where I'm downloading
it for the first time, even in the same browser and computer.

Also, step 7 on [https://w3c.github.io/ServiceWorker/#update-algorithm](https://w3c.github.io/ServiceWorker/#update-algorithm) says that
updating the service worker bypasses the service worker. How do you then
validate that new service workers haven't been meddled with?

~~~
twiss
That's blocked on
[https://github.com/w3c/ServiceWorker/issues/1208](https://github.com/w3c/ServiceWorker/issues/1208).
However, there's also an alternative option to make updating the Service
Worker unnecessary, by making a "stub" Service Worker which downloads,
validates and executes the rest of the SW code. Then, whenever the "stub"
Service Worker updates, it's likely a breach and we can warn the user
accordingly.
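
One way to do the check discussed in this sub-thread (code from the server compared against the published version, whether by the full Service Worker or by the "stub" variant), as an added example that is not part of the original posts and not Airborn OS code. It assumes a manifest of SHA-256 hashes built from the public repository and pinned inside the worker script; `buildManifest`, `verifyResource`, `installVerifier` and the sample input are constructed for illustration.

```javascript
// Added example, not Airborn OS code. All names are hypothetical.
async function sha256Hex(bytes) {
  const digest = await crypto.subtle.digest('SHA-256', bytes);
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0')).join('');
}

// Publisher side: hash every file of the published release.
// `files` maps a URL path to the file's text as it appears in the public repo.
async function buildManifest(files) {
  const manifest = new Map();
  for (const [path, text] of Object.entries(files)) {
    manifest.set(path, await sha256Hex(new TextEncoder().encode(text)));
  }
  return manifest;
}

// Worker side: compare what the server actually sent with the manifest.
// Fails closed: a path that is not pinned is rejected, not waved through.
async function verifyResource(path, bodyBytes, manifest) {
  if (!manifest.has(path)) return { ok: false, reason: 'not-in-manifest' };
  const actual = await sha256Hex(bodyBytes);
  if (actual !== manifest.get(path)) return { ok: false, reason: 'hash-mismatch', actual };
  return { ok: true };
}

// Wire the check into a Service Worker's fetch handler.
// In a worker script this would be called as installVerifier(self, PINNED).
function installVerifier(scope, manifest) {
  scope.addEventListener('fetch', (event) => {
    const url = new URL(event.request.url);
    // Only same-origin application code is pinned; leave other requests alone.
    if (url.origin !== scope.location.origin) return;
    event.respondWith((async () => {
      const response = await fetch(event.request);
      const body = await response.clone().arrayBuffer();
      const verdict = await verifyResource(url.pathname, body, manifest);
      if (verdict.ok) return response;
      // Never hand unverified code to the page.
      return new Response('Integrity check failed: ' + verdict.reason, {
        status: 502,
        headers: { 'Content-Type': 'text/plain' },
      });
    })());
  });
}
```

Because the manifest lives in the worker script, changing a pinned hash changes the worker itself, which is the event the update warning is meant to catch. The check does not cover the first visit or the worker's own update request, the two gaps raised in the replies.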

~~~
jimktrains2
Code you can't update is normally an expensive liability in the case that it's
not perfect. Also, then the stub service worker is subject to the same problem
it's attempting to solve.

I'm still left in a situation where I need to trust you don't mess up.

You even say it yourself:

> (Of course, we can't prevent the update, but we can at least try to convince
> the user to close the web app before it steals their private keys.)

At that point, the game is up.

------
0x6c6f6c
Is this page not designed to handle 4K displays? The tiling background is
really not great to look at

~~~
twiss
The website is not, but when you open the app, the background should cover
your whole screen. I'll try to fix the website.

------
waytogo
One killer feature I am looking for is numbered headers/styles. Something
Google Docs still lacks and I need Word for.

------
roemerb
Pretty cool system. Considering making a VPS for this or something. Frontend
can definitely use some work though.

------
canadianwriter
Could people stop using that headline being typed out letter by letter thing?
It's annoying as hell.

------
spacetexas
You can't save as .doc or .docx so it's a no go for any business. Something you
will need to fix.

------
seizeheures
Their interface is available in Esperanto. That's already a huge point for me.

------
starkruzr
I see there's source, but don't see instructions for deploying.

~~~
twiss
Yeah. While possible, Airborn OS isn't really meant to deploy yourself. If you
want that, you might be better off with nextCloud or similar. Airborn OS was
built to have a service that you don't have to self-host, while still being
just as secure as self-hosting:
[https://www.airbornos.com/docs/security](https://www.airbornos.com/docs/security)

~~~
asynchronous13
> Airborn OS was built to have a service that you don't have to self-host,
> while still being just as secure as self-hosting

This is a better tag line than what I got when I loaded the website.

~~~
twiss
Yeah, although I worry that the average user might not know what self-hosting
is, or why it is secure.

------
jeremyt
I can't register. Getting "there was an error" message.

~~~
twiss
Could you try again? It might be just the server erroring out under load.
Also, only Chrome, Firefox and Safari are supported.

------
carlhjerpe
Nicely done! :)

------
ArchReaper
Why does it have OS in the name? Is it an operating system? (This is a
question I cannot find a direct answer to on their site)

Their site makes it incredibly difficult to actually find out what this really
is.

The only text visible on my screen when the page loads are the lines "Airborn
OS", "Even if we get hacked, they can't read your documents" and "Collaborate
in real time" which tells me essentially nothing about why I'm here, what this
website is, or what you're trying to sell/advertise.

The only indication as to what this software actually does is in this Hacker
News title.

For contrast, Google Doc's homepage[1], the first two things I see are "Create
[persuasive/adjective] documents" followed by "With Google Docs, you can
write, edit, and collaborate wherever you are. For free." This tells me
basically everything I need to know, as a casual user, to understand what
Google Docs is and why I might want to use it.

I hope this doesn't come across as overly critical, just some (hopefully
helpful) feedback.

[1] [https://www.google.com/docs/about/](https://www.google.com/docs/about/)

~~~
twiss
The line that's supposed to tell you what it is is: "Create and edit files
online, securely." Is that missing for you? (I admit it's smaller and less
noticeable than the lines you quoted. I'll try making it more prominent.)

A bit of explanation about the name here:
[https://news.ycombinator.com/item?id=15596668](https://news.ycombinator.com/item?id=15596668)

~~~
kinlan
I was confused too... Then I realised it takes about 10 seconds to appear as
you animate the text in.

~~~
tobyhinloopen
Now I see it! I scrolled already waaay down before that text appears.

Reminder to myself that animations in your essential content are dangerous

~~~
twiss
Fair enough. There's a fast-forward button for the impatient among us
(including myself), but I agree that it's non-obvious that you would need that
to read the main copy.

~~~
manigandham
If you make the user wait then the only button they'll be using is the back
button.

------
mcemilg
How they simulate the OS? It is amazing!

------
rpaulr
I just tried your demo, I think you need some improvements in your UI

------
dmitrygr
doesn't work

Create presentation

click insert image

give it a normal 12 mpix image from my phone camera

watch image not appear on slide

try again, still no

repeat until browser tab is out of ram and crashes

image never appears on the slide

------
StanislavPetrov
The whole idea of "cloud computing" is innately terrible on virtually every
level. Those willing to entrust their data and the integrity of their data to
any third party are either not very informed or not very smart (especially
given the virtually daily reports of hacks, data breaches, and corporate
malfeasance). This is especially true for word processing, which even the
lowest capacity machines have the capability to perform without issue. If you
value your data, your intellectual property, and your ability to perform
technical tasks without disruption, you will be well-served to write all your
own papers and documents on your own computer. Store them on your own hard
drive and back them up to a flash drive that you physically control.
Entrusting your data and your capacity to work to a third party should be
avoided unless you have absolutely no other choice.

~~~
mark242
The odds of you losing your hard drive and flash drive in a house fire are
significantly higher than the odds of you losing data on S3.

~~~
StanislavPetrov
The odds of a house fire and my inability to access critical data is
significantly lower than that of a cloud malfunction like the one that
occurred today.

[https://www.washingtonpost.com/news/the-switch/wp/2017/10/31...](https://www.washingtonpost.com/news/the-switch/wp/2017/10/31/a-mysterious-message-is-locking-google-docs-users-out-of-their-files/)

~~~
mark242
How many users wound up losing data because of that bug? In comparison, how
many houses were lost to fire today?

~~~
StanislavPetrov
How many people had deadlines or papers due and couldn't access their data?
Many more than couldn't hand in their papers or make their deadlines because
of a house fire.

