6 digit pin and in BFU state question.

GrapheneOS

xuid0 No, we certainly can't recommend using a website. The whole point of diceware is that you can use dice. Until we integrate into the OS, use dice.

xuid0

GrapheneOS so not even using the diceware site I linked then adding a word or two onto the result? That would in theory reduce or eliminate any data being caught "on the wire" so to speak.

I'm obviously confused now. I'm also using a password manager to store the secrets too (Not a Google related product). So I can bring the result up on a separate device if I need to have a peak at it again?

GrapheneOS

xuid0 What if the site turns out to be malicious, such as if the person hosting it didn't do a good job securing the server and it got compromised?

xuid0

Just so you can understand me I was provided the Diceware URL I shared by an individual on the GrapheneOS Public Matrix Channel. I appreciate that it is not recommended by GOS at all and using a physical dice is the way.

I was only asking as someone provided me the URL in the chat and I wasn't aware you even needed physical dice until today earlier. I'm sorry if I caused any upset this was not intended.

xuid0

GrapheneOS i was under the impression it was all running in the users browser when using that site but I definitely see your point. Passive listening via HTTP access logs on the site is 100% a possibility that I notice the web site owner has not mentioned. The website owner could be logging everything and a threat actor would only need to access those logs once to have a gold mine of other users generated secrets.

xuid0

I took the initiative to ask dmuth via email to reply to myself via email or to this forum post to address my concerns and just a quick reply so I can understand a few things regarding their Dicewire Generator. I as a person who uses his site would like clarified.

xuid0

I have attached an email I just received from Douglas Muth who is the website owner and developer of the code we are discussing here:

Hi,

It's probably not worth the effort for me to register on a forum to make one post, feel free to quote my entire email below. I'll answer your questions inline:

Is the website secure? Has it been breached?

It is impossible to answer those two questions 100% for pretty much any website, product, or technology--for some background on why that is, this paper is a really good read: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

But I can tell you a little about my setup--the assets are hosted in an AWS S3 Bucket and served through CloudFront which does HTTPS and handles automatic certificate rotation. My AWS account is secured with 2-factor auth as a security measure.

https://aws.amazon.com/s3/ and https://aws.amazon.com/cloudfront/ if you're not familiar with those technologies and would like to learn more about them.

Are the access logs enabled for the HTTP server your running?

No, and this by design. Passwords are serious business, and I specifically do NOT want to know who is using my Diceware app. Could it be activists in my own country? Dissidents in a third-world country? If I have logs, those logs can then be subpoenaed by my government and could potentially be used to identify users of Diceware and place their safety at risk. But if I don't keep logs, well... the government cannot take what doesn't exist. :-)

Is it recording the secrets or are they only being shown in the browser ?

The secrets are generated in the browser and are never sent across the network. You can read through my code at https://github.com/dmuth/diceware if you'd like. Random number generation is performed by the cryptographically secure random number generator that can be found at https://www.npmjs.com/package/random-number-csprng

Also, I built the app in such a way that if you clone the repo to your machine, you could run it entirely local--no Internet connection required!

Let me know if you have any more questions.

Best,

-- Doug

--
Douglas T. Muth * Philadelphia, PA, USA * he/him/his
Web: dmuth.org - GitHub: @dmuth

xuid0

The site being discussed here is: https://diceware.dmuth.org

« Previous Page