
Airborn: Create and edit files online, securely - raleighm
https://www.airborn.io/
======
lucideer
This looks potentially nice.

The initial assumption with these types of services is always that an
attacker, having compromised their servers, could simply inject malicious code
into the browser.

From their docs:

> _Normally, when hackers get access to your server, they can change the code
> that gets sent to customers. For example, they could make the code say "send
> your password to us". Then, even though they can't read documents
> immediately, passwords start coming in and they can soon read them._

> _To solve this, we're using a relatively new web technology (Service
> Workers) to install some code which can't be changed without setting off a
> warning to you. That code then keeps taps on all other code, and checks that
> it matches the publicly available version on GitHub._

Interested to see how robust it is...

~~~
EGreg
That's because the Web is not secure in precisely that way.

But how would you know an app developer wasn't compromised and signed the next
version with a backdoor also?

~~~
twiss
The Service Worker doesn't simply check a signature from the developer, it
checks the source code against the version on GitHub. So, to know whether it
contains a backdoor, read the code on GitHub.

~~~
lucideer
It's similar to the keybase.io identity model (using popular services as
de facto authorities). It might be overkill but it could be nice to supplement
that with a check of the repo mirrored on e.g. Bitbucket and Gitlab.

~~~
twiss
Yes, definitely. GitLab's API is very similar to GitHub's, except that it
doesn't support CORS. If that's fixed it should be pretty simple to add
support for GitLab.

------
prophesi
I like how they don't flaunt crypto terms all over the place. Calling
encrypted content "gibberish" is fun.

And I think it's a genius use-case for Service Workers. From their security
page[0]: "we're using a relatively new web technology (Service Workers) to
install some code which can't be changed without setting off a warning to you.
That code then keeps taps[sic] on all other code, and checks that it matches
the publicly available version on GitHub."

Combine this with HSTS, and you can be certain the code running hasn't been
modified by a third-party.

[0]
[https://www.airborn.io/docs/security](https://www.airborn.io/docs/security)

~~~
forapurpose
> you can be certain

To be precise: If it works as described, it makes it (a little? substantially?
orders of magnitude?) more difficult for third parties to modify the code.

"Certain" is not a word used in security, IME.

~~~
prophesi
Very true. You probably still need to trust that the developers' Github
accounts aren't compromised. I was looking at their repo[0] for this Service
Worker verification, and their "So what's the problem this solves?" section
confuses me, as it doesn't explain the how. :/

[0] [https://github.com/airbornio/signed-web-apps](https://github.com/airbornio/signed-web-apps)

~~~
twiss
While a hacker gaining access to the developers' GitHub account would be bad,
they would still have to _actually push_ the malicious code to GitHub before
they can serve it from airborn.io. So, if people pay attention to pushes to
GitHub, this attack could still be detected (but not prevented). For
prevention, one possibility would be to require all commits to have been on
GitHub for at least 24h or so. Then, the devs would have some time to try and
get their accounts back. We don't implement that today, though.

That section attempts to explain how web apps work today, if you don't use
that library. Reading the entire thing back, I agree that the how is never
explained very well, although
[https://www.airborn.io/docs/security](https://www.airborn.io/docs/security)
does explain it.
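
Added example, not part of the thread and not Airborn's code: one way a verifier like the Service Worker described above could compare served files with GitHub, combined with the 24-hour hold floated in the comment above. It assumes comparison by git blob SHA-1 (the value GitHub's contents API returns as `sha`); the manifest shape, file names and `checkServedFile` are hypothetical, and the sample data is constructed.

```javascript
// Added illustration; not Airborn's code. The manifest shape, file names and
// the hold check are assumptions made for this sketch.
const { createHash } = require("node:crypto");

const HOLD_MS = 24 * 60 * 60 * 1000; // the "24h or so" hold from the thread

// Git names file contents by SHA-1 over "blob <byte length>\0" + bytes.
// In a real Service Worker the digest would come from crypto.subtle.digest.
function gitBlobSha(bytes) {
  const header = Buffer.from(`blob ${bytes.length}\0`);
  return createHash("sha1").update(header).update(bytes).digest("hex");
}

// published: { path: { sha, firstSeenMs } } as recorded by the verifier.
// firstSeenMs is when the verifier itself first saw the blob on GitHub, not
// the commit's own date, which whoever makes the commit controls.
function checkServedFile(path, servedBytes, published, nowMs) {
  const entry = published[path];
  if (!entry) return { ok: false, reason: "unknown-path" };
  if (gitBlobSha(servedBytes) !== entry.sha) {
    return { ok: false, reason: "hash-mismatch" };
  }
  if (nowMs - entry.firstSeenMs < HOLD_MS) {
    return { ok: false, reason: "too-recent" };
  }
  return { ok: true, reason: "match" };
}

// Constructed sample data (not real Airborn files or hashes of them).
const NOW = Date.UTC(2018, 0, 10);
const PUBLISHED = {
  "app.js": { sha: "3b18e512dba79e4c8300dd08aeb37f8e728b8dad", firstSeenMs: NOW - 3 * HOLD_MS },
  "new.js": { sha: "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391", firstSeenMs: NOW - 60 * 1000 },
};

function demo() {
  const served = [
    ["app.js", Buffer.from("hello world\n")],                       // as published
    ["app.js", Buffer.from("hello world\n// modified by server\n")], // altered in transit or on the server
    ["new.js", Buffer.alloc(0)],                                     // published a minute ago
    ["extra.js", Buffer.from("x")],                                  // never published
  ];
  return served.map(([p, b]) => checkServedFile(p, b, PUBLISHED, NOW).reason);
}

console.log(demo());
```
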

~~~
Xeoncross
This is pretty revolutionary. Servers sending bad code is one of the biggest
set-backs to JS crypto being useful.

------
raleigh_user
You need Patrick from PriceIntelligently to analyze your pricing page. Maybe
tweet at him or Hiten Shah and see if either will help.

I'd reckon they would suggest you keep 2 tiers and add a call us tier for b2b
enterprise.

I see where decently sized companies would pay a lot more than $10/month/user
to ensure their sensitive docs can't be stolen.

I certainly am no expert but if the product works as it seems this should
be more valuable than $100/year/employee.

~~~
EGreg
What are their emails? Write it in an antispam way, we'd be interested also

~~~
pccampbell
patrick[at]priceintelligently[dot]com

Always happy to help where I can when it comes to pricing.

PC

~~~
raleigh_user
The man, the myth, the legend.

He’s going to roast your pricing but I’m sure you’ll grow a ton from it.

~~~
pccampbell
Ha! I do it respectfully and only backed by data though. :)

------
oftenwrong
Better headline:

"Airborn: Create and edit files online, securely."

HN has too many submissions with single-word headlines that tell you
absolutely nothing about what you're clicking on.

~~~
raleighm
Thanks. Done.

------
iamwil
Airborn needs to charge more for their business users. If there's one common
lesson on Indie Hackers, it's that everyone (including customers) stands to
gain from charging more.

If Airborn creators are on this thread: how did you think about getting people
to pay while making the source available? It doesn't seem commonly done.

~~~
twiss
Yeah, I'll look at increasing prices. Thanks.

We're basically banking on medium-size businesses finding it more convenient
to use a hosted service, especially when it offers the same or a higher level
of security.

------
lsh123
As usual, the discussion about whether something is secure enough or not
should start from describing various attack vectors (which will be different
for different classes of users). AFAIK, the airborn product tries to eliminate
an attack on its own servers / data stored on servers and in transit. While it
is a good thing, by itself it doesn't necessarily make all the users of the
product secure. In particular, they ignore attacks on the client itself,
injection on the network, and several other "offline" attack vectors (e.g.
taking pictures of user's screen). I understand the desire to make marketing
simple for end users, but I really don't think that it helps people make
rational decisions about security.

------
esseti
few questions:

- here [0] "All documents are encrypted before they leave your computer" how
then one can collaborate as in gdocs (from the pic it seems like that)

- what key do you use for encrypting the docs? is it the user password? if so
it can't be recovered (as dashlane for example [1]) is this the approach?

PS: the login seems broken
[https://www.airborn.io/app](https://www.airborn.io/app)

[0] [https://www.airborn.io/docs/security](https://www.airborn.io/docs/security)
[1] [https://support.dashlane.com/hc/en-us/articles/115003111325](https://support.dashlane.com/hc/en-us/articles/115003111325)

~~~
twiss
- When you create a collaboration link, it contains an encryption key. (You
can additionally also set a password.) All messages sent to the server by
collaborators are then encrypted with those. The collaboration algorithm is
currently quite simple, and paragraphs are locked when editing them. In the
future we'd like to use a P2P algorithm, e.g. using Y.js. [1]

- When you sign up, the page downloads a file on your PC which contains your
username, and your password encrypted with a "password recovery key". When you
lose your password, we send you your password recovery key and you can decrypt
your password with it.

Login being broken is weird, do you see any errors?

[1]:
[https://github.com/airbornio/airborn/issues/15](https://github.com/airbornio/airborn/issues/15)

~~~
forapurpose
> When you lose your password, we send you your password recovery key and you
> can decrypt your password with it.

Having the password recovery keys, can you decrypt user passwords? Does that
matter in this scenario?

~~~
twiss
No, because the password encrypted with the password recovery key is never
sent to the server. It's encrypted and downloaded entirely on the client.

~~~
esseti
then, if i format the pc or my hd breaks I can't do anything?

------
otoburb
Great way to comply with GDPR! Also presumably reduces your data management
overhead slightly, although it seems you're still storing data on your own
systems[1]. This reminds me of SpiderOak's "No Knowledge" claim[2].

[1]
[https://www.airborn.io/docs/security](https://www.airborn.io/docs/security)

[2] [https://spideroak.com/no-knowledge/](https://spideroak.com/no-knowledge/)

~~~
twiss
Thanks! No, all data is stored either on Amazon S3 or on our servers. The way
we make sure that nobody can read your data is using encryption.

------
alehul
(Disclaimer: I don't know much at all about the current standards of
encryption)

Is this security not already standard, and not practiced by companies like
Dropbox? As a side note, I like the collaboration aspect and
one-person-per-paragraph is a pretty smart idea!

Edit: To those downvoting, sorry, I'm just curious and I think some of us were
unaware of the differences between Airborn and other services, which I've now
learned can still view your data

~~~
CGamesPlay
Most "encrypted communications" means that no unauthorized third parties can
view the data as a result of the encryption. However, even if Dropbox stores
your files encrypted, they still have the keys to those files and so could be
coerced into decrypting them (through a warrant, for example).

------
ummonk
Have you considered increasing your pricing, and adding more premium features?
As a supporter of client-side encryption in cloud apps, I really want to make
sure you have a sustainable business.
[https://training.kalzumeus.com/newsletters/archive/saas_pric...](https://training.kalzumeus.com/newsletters/archive/saas_pricing)

~~~
twiss
Yes! What kind of premium features do you have in mind?

~~~
anf
A Premium Enterprise support Platinum Plan for $500/mo can be a big seller and
allegedly the minimum expense report you can file in some large orgs [1].

[1] [https://www.kalzumeus.com/2012/08/13/doubling-saas-revenue/](https://www.kalzumeus.com/2012/08/13/doubling-saas-revenue/)

------
udia
I just tried using this app with one of my friends and I found that editing in
real time between two people wasn't working as intended. When someone else
wrote text, the text I wrote (in a separate paragraph) would disappear.

Is anyone else seeing this? It needs a bit more polish before I could use it
for encrypted collaborative editing.

~~~
twiss
Thanks for the report, I'll look into it. But yeah, the collaboration is still
a bit rough around the edges currently.

------
chatmasta
Like others, I also like the novel service workers solution (mitigation might
be more accurate) to client side code integrity.

I’m more interested in how you handle the encryption keys. Specifically, how
does a user share a document with another? You mentioned that the “share
group” has its own private key; where is this stored?

~~~
twiss
The encryption key is in the share link, and also stored encrypted in all
collaborating users' accounts (if they have one - an account is not required
to collaborate).

~~~
chatmasta
So the user is responsible for securely transmitting the share URL? i.e.
Secrets are shared out-of-band?

It’s pretty clever, I like it. Definitely not the holy grail of client side
browser-based multiparty encryption, but you’ve found some innovative
techniques. Bravo, good luck with it.

~~~
twiss
Yep. Or, you can also set a password on the document and share that
out-of-band, if you don't trust whatever it is you use to send the URL.

------
ocdtrekkie
So I remember trying this before, and it had a 'desktop' and an app store
where you could add more apps, but right now the demo seems to be limited to
documents and presentations.

Is that a change in focus or a limitation of the demo?

~~~
twiss
Yeah. I've been focusing on office apps rather than "any apps", and I removed
the window manager based on feedback here and elsewhere that it felt too
"heavy" and unnecessary. Also, the app store was actually the Firefox OS
marketplace, which was shut down. (And to be honest, the apps in it weren't
super useful for Airborn to begin with. There weren't very many apps for
"serious work".)

Under the hood, it's theoretically still super easy to add/install apps in
Airborn, though, and Firefox OS's marketplace server is open source, so maybe
in the future?

~~~
ocdtrekkie
I can agree with that, the window manager was really neat (as I've always
indicated these sorts of cloud platforms are like virtual OSes), but probably
didn't add much to usability.

Performance seems really smooth, I'm glad to see this is still coming along
quite nicely.

Even if it isn't the best UI, I think you really do still need to get
something like EtherCalc on here, even for personal use, I love spreadsheets
for storing structured information, and for business users, it's almost
definitely a need.

------
CGamesPlay
Interesting strategy to list updating the software as a premium feature. Will
you make old versions of the software permanently available to customers to
install on new devices? Will you support your v1 API forever?

~~~
twiss
Non-business accounts update to the latest version automatically. If you log in
to an old non-updated account using a new device, you get the old version. We
might eventually notify old accounts that they have to update, but we haven't
needed to do so yet. If you pay close attention to the requests by
[https://www.airborn.io/demo](https://www.airborn.io/demo), you can see "v2"
:)

------
mapgrep
On the document editor, is it just me or are you missing a blockquote control?

Also, is there a reason you're using inline styles to do italics and bold
instead of the specific tags for those things?

(Deleted question you answered downthread.)

~~~
twiss
You can create a blockquote element by pressing Tab, although it won't have
any special styling. If you want, you could add some CSS in Raw view. I'll
look into making a control for this specifically, although IIRC browser
support for blockquotes in contenteditable is a bit inconsistent.

Regarding inline styles, I don't remember why, sorry. It might again have been
to fix some inconsistency between browsers.

~~~
mapgrep
Thanks for the information. FWIW my main issue with inline styles is, my use
case would be taking the HTML into another system, and the more pervasive the
inline styles are, the more likely they are to override the desired
styling contained in stylesheets produced by that system. They may help your
product work better on purely its own terms but they are (IMO) highly
suboptimal when HTML leaves your system and travels.

------
geekamongus
This made the rounds on Reddit a few months ago, and it was called airbornOS
back then. Glad to see they dropped the "OS" part, as it really isn't an OS.

------
amelius
> Even if we get hacked, they can't read your documents.

Unless e.g. they make the system serve up malicious javascript.

~~~
twiss
Please see
[https://www.airborn.io/docs/security](https://www.airborn.io/docs/security)
for a description of how we solved that :)

------
woranl
Does Airborn have paying customers? How important is the issue that they are
trying to fix?

------
joewee
Is there an open source alternative to this? Something I could deploy on my own
server?

------
mychael
Nice idea, but the design of this leaves a lot to be desired.

~~~
twiss
Do you have some more specific criticism on the design?

------
arnarbi
How are encryption keys established between the clients?

------
Invictus0
Is Google Docs not secure enough already? I haven't heard of any hacks on that
platform. What additional features are offered here besides security?

~~~
michaelgrafl
Google can read your documents, if I understand correctly. Airborn can't.

Whether that's important to you, only you can judge.

