DynaCrypt: Client-side Encryption via Chrome Plugin

Hi all,
I have been hacking this weekend and got a prototype for client side encryption via a chrome plugin ready.
Disclaimer:
I do not take any responsibility for the security of this extension or any data loss due to bugs or mishandling of passwords.
The extension is NOT production ready and has still to be through-roughly tested.

How it works:
It hijacks the XHR communication between the dynalist client and the dynalist server. All outgoing items are encrypted, all incoming items are decrypted.

What is still missing

  • Quick Dynalist support
  • Support for bookmarks / document names
  • Support for shared documents
  • Support for dates in google calendar
  • … something else?

The code is open-source and I would appreciate if a security expert could have a look :slight_smile:

You can get the extension here (download the crx file): https://github.com/timediv/DynaCrypt/releases/tag/1.0

Any feedback welcome :slight_smile: I would appreciate if some of you could test this out with some test accounts and try to find failure cases.

Just set your encryption password
image
Then everything should look like normal Dynalist, but all new items are being encrypted.

If you deactivate the plugin you will see just this

With the plugin activated you will see the true content and everybody else (including the server and any hackers) will still see the above.
image

Also see




4 Likes

I’d love to try it out. But doesn’t seem to work with the Brave browser

As far as I know the brave browser is chromium based and has a similar feature set. Where does the installation / use fail? Any console output?

I just tried it out, you can:

  1. Download the zip from github
  2. Unpack it somewhere
  3. Go to brave extensions
  4. Enable developer mode
  5. Select unpacked extension directory

You are good to go with brave :slight_smile:

Very impressive!

1 Like

Thank you, the installation worked.
But it seems like I cant set my password?
What should happen after I click “set password”?

Are you clicking the extension while being on dynalist.io ? Then after typing the password and selecting “set password” the page should refresh. Are you on the latest brave browser?

If it doesn’t refresh please open View > Developer > Javascript Console and send me the errors.

It does not refresh and it is the latest browser.

Do these help?

DevTools failed to load SourceMap: Could not load content for chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/sourcemaps/contentscript.js.map: HTTP error: status code 404, net::ERR_UNKNOWN_URL_SCHEME
DevTools failed to load SourceMap: Could not load content for chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/sourcemaps/inpage.js.map: HTTP error: status code 404, net::ERR_UNKNOWN_URL_SCHEME
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/js/ext/jquery.min.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/libs/raven.min.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/js/ext/ext.min.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/css/theme_scifi.css.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/css/app.css.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/css/print.css.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/js/main.min.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE

Can you try deactivating your other extensions temporarily? I don’t think the first two errors are from mine.

EDIT: I think there is a bug the first time you load the extension, this should fix it (step 2):

  1. Go to your dynalist with the plugin activated
  2. Refresh the dynalist page manually
  3. Click the extension icon, enter password
  4. Site refreshes and encryption is activated

That worked! Thank you!

1 Like

Great!
I was thinking about alternative icons to denote encrypted items, which one do you prefer and think people are less likely to use in their dynalist already:
:key::closed_lock_with_key::lock::lock_with_ink_pen:

I like the first.

Another thing is the whole set password feature. It works but is a bit confusing. Like when it is encrypted, when not, did my password get saved, etc.

Yes that’s fair, I will add UI elements to notify the user about the password being saved.
Also I will add a status element to the Dynalist UI saying ‘Client-side Encryption Enabled’ or similar.

Cool, sounds great!

Also to be clear: The password is never saved in plain text.
I derive a symmetric key form it which is stored securely using a key storage which only allows for encryption & decryption within the page. An attacker could not extract the key even if it could insert malicious javascript code into the dynalist webpage (which is extremely difficult over https in the first place, but say if you had installed a malicious extension).
Though it could decrypt the documents on the page using the key of course.

@Louis_Kirsch
Tested with success. Here are my input though I think you might have already captured them in your todo list.

  • password input with confirmation
  • allow password reset/change
  • change bullet shape to indicate Encryption status (eg from circle to diamond)
  • any change (intentional/accidental deletion or insertion) made to existing encryption code string (while extension is inactive) leads to permanent “:key: Could not decrypt”

Thanks Chiang!

I guess with password change you refer to re-encryption of all data with the new password? This will be tricky to do with the current system – I have to think about how to do this.
What do you mean by password reset?

Same here, sounds great but will need a lot more meddling with the Dynalist code which could turn out to be tricky. Maybe @Shida has ideas how to do this easily.

Yes that’s right and I don’t think I can do anything about this because as you said – the plugin is off. What you can do though if you encounter ‘could not decrypt’ is go into your version history and undo the accidental change.

Yes. Say I decided to change password to a stronger one, I was hoping the extension performs updating all existing encrypted text prior to password change, to match the latest password.

A good point!

It’s tricky because in order to make it secure I would have to copy all your documents in order to discard the version history. In principle I could do that using the API - but it will be a bit of work.

@CHIANG_E @Steffen I have updated the interface


The little lock icons are a bit hacky right now though (basically using css rules) and I think it might slow down the client too much.
Maybe I can try to dig into the core Dynalist code to make it more efficient, otherwise I might have to remove them again.
EDIT: I think I found a more performant way of doing it.

image

As usual the update is on github https://github.com/timediv/DynaCrypt/releases/tag/1.1
https://github.com/timediv/DynaCrypt/releases/tag/1.2

I updated, but now i cant decrypt my lists anymore. the new ones