I’m looking into the possibility of creating an E2E encrypted ‘channel’ between an Uplink server and a browser ‘client’ with the Anvil server in between. As I have never done this before, and getting encryption right is kind of tricky, I would like to have some feedback on what is possible! See below my understanding of how this could work.
So my client would log in and then, if he wants to send a message to the Uplink server, he would encrypt his payload with the public key of the Uplink server, including a digital certificate encrypted with his private key. This then gets routed through the Anvil server, which only sees an encrypted payload and which Uplink server it needs to call. It calls the Uplink with the encrypted payload. The Uplink server then decrypts the message with its private key, checks the digital certificate to see if it is a user it knows and sends its response, encrypted with the public key of the client, back to the Anvil server, which routes it back to the client, who decrypts it with his private key.
So in this scenario the Anvil server only sees which client is connected to which Uplink server but can’t decrypt the messages between them. The client needs to know the public key of the Uplink server, and the Uplink server needs to know the public key of the client as well as his/her digital certificate. Am I correct in this, and has anybody already done something like this?
I think you might run into quite a few issues. You want the data to be encrypted using something in the browser, without the use of the Anvil server, meaning that if you want to write it in just Python, you are only going to be able to use the parts of Python that are implemented in Skulpt. That does not give you many encryption methods to start with.
You essentially want to exchange keys with a third party (an Uplink computer, even if it is controlled by you, will be third-party as far as the end user is concerned, since the service they are running is Anvil).
This means you want to use Anvil as a man-in-the-middle to exchange private information, to make sure the same man-in-the-middle can’t read the messages. This is not an impossible problem, but it makes things pretty complicated, especially with problem No. 1 above, since you can’t use any cryptographic Python libraries running on the Anvil server if you don’t want that server to see any unencrypted information.
Probably lots of other things I haven’t even thought of and don’t know that much about. For example, if you had some kind of Anvil-abstracted JavaScript code loaded into the browser that handled the cryptography, the end results might not be transparent to the security settings of the browsers, and they may thwart your attempts to send what they consider ‘private information’ out into the great unknown of the wider internet. Even if that isn’t true, you are skirting a line so close that new security features in the future may render your work obsolete.
The browser is fully open to hacking. Anyone can open the browser’s debug windows, and see everything about the page, including code and data.
If you want anything to occur securely, I believe it will have to be at the Server, or at an Uplink program under your control. Or at least, not inside the browser!
I didn’t say what @meelvoorfer wanted was a good idea, but yes, I probably wouldn’t do it that way either.
I think the underlying problem is that the question is about doing something because you trust unsecured browser code more than you trust the Anvil servers, which is… well, I don’t know what the reason is supposed to be to need this.
There are often regulatory reasons that data cannot be exposed unencrypted to servers, depending on the industry. US regulations often specify servers outside the US, etc.
Public key encryption is stable, and is secure to do in the client. I seriously doubt that you could do it in Python code in Skulpt, but there are JavaScript libraries that could be used via the Anvil/JavaScript bridge.
Hackers hacking client side code is an issue with or without public key encryption. The original poster would need to work through their use cases and see where hackers could compromise the data flow, and how to mitigate those cases. With more information about what the app actually is, folks here could suggest ideas in context, too.
Hi, thanks all for your replies. Let me try to explain the use case I envisage. First, encrypting/decrypting in the browser is very doable; there are several JavaScript libraries, and the way to go is probably this: Web Crypto API - Web APIs | MDN
My use case is that my app on the Anvil server would be the ‘man in the middle’ :-), and that (my) Python Uplink code is running on the servers of my customers, and their employees would be connecting to their servers through my Anvil app. The reason for this is that I want to be able to offer a kind of hybrid SaaS.
I also want to offer a full SaaS solution where their data is on my servers, but I know there are a lot of companies where this won’t fly, and the only option then would be running everything on their servers, which I’m not that interested in at the moment.
Yes, it is technically feasible to end-to-end encrypt your data between the client and Uplink code.
If you’re going to do this, then using the Web Crypto API over Anvil’s JS interop is probably the way to go.
You will want to think carefully about your threat model:
If you’re trying to protect against the owner of the web browser you’re using, this won’t help you (as has been pointed out above - trying to stop a user doing what they want with a web browser is a losing proposition).
If you’re trying to protect against active adversarial action by us (the Anvil hosted service), then this isn’t much protection - a malicious server could inject malicious client-side code that dumps the secret data in cleartext.
However, if you’re trying to check a regulatory or customer-comfort box (“no unencrypted data touches this third-party cloud provider’s servers”), this is a pretty good choice.