by ufmace 3948 days ago
I like the idea of an underhanded JS contest, but I'm not sure if this is a good way to do it. It's hard to see how to build a short snippet of code that sends data off somewhere when it isn't supposed to use any network access at all. Not to mention that you apparently need to write a "good" key generation algorithm for an undefined purpose.

To really do something like this, I think you'd want to pull in a big, complex JS library where the average developer isn't as familiar with the normal usage patterns. Speaking of which, you could probably provide a modified version of some major library that does something sneaky - who ever really checks that the copy of jQuery loaded on a particular page is actually identical to the official one?

It's going to be a lot harder to hide from the dev tools network tab too. You'd have to already be sending back and forth some pile of data that you can hide stuff in somehow.

Maybe something better would be that they provide a JS function that returns a public and private key, and the intention of the site is to send the username and public key to the server and let the user write down or copy out the private key. Then you have to write JS for the page that looks like it just sends the public key, but actually somehow sends the private key in a way that isn't obvious from reading the code or watching the network traffic.
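
Added example (not part of the original thread): the "is this copy identical to the official one" check raised above is what Subresource Integrity performs in browsers, and this Node.js sketch reproduces it for auditing a served script against a pinned digest. The function names and the sample library bytes are constructed for illustration.

```javascript
// Added example: verify script bytes against pinned SRI metadata (Node.js).
const crypto = require('crypto');

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 }; // digests SRI supports

// Build an integrity value ("sha384-<base64>") from a known-good copy.
function sriDigest(bytes, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(bytes).digest('base64')}`;
}

// Parse an integrity attribute: whitespace-separated "alg-base64[?opts]" tokens.
// Tokens with unknown algorithms are skipped, as browsers do.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/=_-]+)(\?.*)?$/.exec(tok);
    return m ? { alg: m[1], b64: m[2] } : null;
  }).filter(Boolean);
}

// Only hashes of the strongest algorithm present are compared, so an extra
// weaker hash in the attribute cannot downgrade the check.
function verifySri(bytes, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return false; // audit choice: no usable pin = fail
  const best = Math.max(...entries.map((e) => STRENGTH[e.alg]));
  return entries
    .filter((e) => STRENGTH[e.alg] === best)
    .some((e) => {
      const want = Buffer.from(e.b64, 'base64');
      const got = crypto.createHash(e.alg).update(bytes).digest();
      return want.length === got.length && crypto.timingSafeEqual(want, got);
    });
}

// Constructed sample data: a stand-in "official" build and a copy that
// differs by a single byte.
const official = Buffer.from('/* lib v1 */ function genKey(){ return makeKey(); }');
const modified = Buffer.from('/* lib v1 */ function genKey(){ return makeKey() ; }');
const pinned = sriDigest(official);

console.log('official copy matches pin:', verifySri(official, pinned));
console.log('modified copy matches pin:', verifySri(modified, pinned));
```

In a page, the same pinned value goes in the `integrity` attribute of the `<script>` tag (with `crossorigin` for cross-origin loads), and the browser refuses to run a copy that does not match.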

1 comments

"You'd have to already be sending back and forth some pile of data"

I would probably attempt to do it by only loading data. Use some bits of your locally generated pseudorandom bits to select a set of random bits from an external site to supposedly increase the randomness of the data (yes, that's nonsense, but less obvious than uploading the key directly), but through the sequence of requested URLs leak the locally generated pseudorandom bits and thus the key.