0:45:49 Yeah, so this came out of
when we were with Y-Sweet.
0:45:52 We wanted to do We wanted to have
store the data locally in the
0:45:56 client, at least as an option.
0:45:58 so we looked at the options that
were available or, you know, local
0:46:01 storage, indexed db, opfs, origin,
private file system, realized that
0:46:06 indexed db was really the kind of the
right way to go for this right now.
0:46:10 have high hopes on opfs, but
they're still, I mean, they
0:46:14 all kind of have flaws, but.
0:46:16 Index DB is like the best people
know the flaws the best, I guess,
0:46:20 and how to work around them.
0:46:21 So, looked at index DB.
0:46:23 But the problem that we found with
all of them is that all of them store
0:46:27 the data in plain text, and that's
not just a theoretical problem.
0:46:32 There is at least a couple months ago.
0:46:34 Now, there was some, you know, NPM
and pie pie modules out there that
0:46:39 would read some application data
from these plain text sources.
0:46:43 it's kind of a real problem
that people have identified.
0:46:46 And has been exploited.
0:46:48 so we wanted to make sure that we
provided an option that at least as,
0:46:51 as best as possible would prevent that.
0:46:54 so we said, okay, well,
browsers have web crypto.
0:46:57 We can encrypt all this.
0:46:58 but then there's this problem
of where do you store the key?
0:47:01 because you could start on on the
server, but then kind of defeats
0:47:04 the purpose if you're offline,
of then accessing that data.
0:47:07 So realize that.
0:47:10 don't really have a good way to
store a key kind of credential.
0:47:16 we've got like WebAuthn, but WebAuthn is
a bit more secure, like, which is where
0:47:21 you have pass keys and things like that.
0:47:23 It's a bit more opinionated.
0:47:24 It uses the operating systems key chain,
but it, doesn't really expose that to
0:47:29 you as any sort of low level API that
you can store your own secrets in.
0:47:34 What has started happening is that
some browsers, particularly Chromium
0:47:37 based browsers, Google Chrome, Edge,
Rave, have built in something called
0:47:44 App-Bound encryption, and they're just
using this for cookies, but the idea
0:47:48 is that the browser will store, cookies
in, you know, on disk as they always
0:47:54 have, but they'll be encrypted on disk,
and then the symmetric key to that will
0:47:59 be stored in the, Operating systems
keychain and the operating system is set
0:48:05 up to at least in theory, and there's
been some vulnerabilities here, too.
0:48:09 But, at least in theory, only
give that private key back to
0:48:14 the browser process itself not to
another process that attempts to
0:48:18 impersonate, the browser process.
0:48:20 So what we landed on, which was pretty
surprising to me, that this was kind
0:48:24 of the best available path right now.
0:48:27 But if you enable local storage, we
encrypt it stored in index DB and
0:48:33 then store the key in a cookie and.
0:48:35 Kind of piggyback on that being
App-Bound encrypted in at least
0:48:39 in browsers to support it.
0:48:41 That is very interesting.
0:48:42 Yeah, I've been studying, cryptography,
particularly in a browser context,
0:48:46 also a bit more for various reasons.
0:48:49 I am, trying to see what would
it take to, do the entire, sync.
0:48:55 messages for Livestore, what would it
be, for them to be enter and encrypted,
0:49:01 but the hard part is not the encryption,
but the hard part is the end to end
0:49:07 where, the various ends own their keys.
0:49:11 And there's a, we should do an
entire episode just about that.
0:49:14 what's difficult about it, but,
it can all be distilled down to
0:49:18 the hard part about, anything
cryptography related as key management.
0:49:23 And you can either around the side of like
being a little bit more loose with like
0:49:27 how you manage keys, but that defies a lot
of the, purposes and the benefits here.
0:49:32 but then also the, browser makes that
really, really tricky because it has very
0:49:38 constrained APIs and historically it's
always been rather a web document viewer
0:49:43 than a fully fledged application platform
and, we're getting the building blocks.
0:49:49 I mean, you can, use the, web crypto API.
0:49:52 I'm also using the Libsodium projects,
compiled to WASM, which is very
0:49:57 powerful and gives you a couple.
0:50:00 of advanced, algorithms, et cetera,
that you can use for, symmetric or
0:50:05 asymmetric encryption, signing, et cetera.
0:50:08 and pass keys, I think are also
like, a super important foundation.
0:50:13 But, they also get you just so far.
0:50:16 And I think they don't really help
you for the encryption as such,
0:50:20 but rather for signing messages.
0:50:23 So I think we're still
lacking a few building blocks.
0:50:25 So very excited to hear about this
what, what it was again, App-Bound.
0:50:31 App-Bound encryption, so ideally at some
point, this goes even beyond cookies that,
0:50:37 this can be applied for other storage
mechanisms, but I like the approach
0:50:41 to, basically encrypt it and then you
reduce it to the key management problem
0:50:46 and that you put into a cookie, which
also, there's another question, which is
0:50:52 what happens if that cookie goes away?
0:50:55 did you figure out a, an answer for that?
0:50:58 we don't.
0:50:58 We just set it to a long expiration,
but it's the thinking there was like,
0:51:02 if the user is clearing their cookies
on that tab or on that hosting, they
0:51:08 probably want to destroy the data.
0:51:10 And so are they, you know,
they want to be logged out.
0:51:13 so we actually saw it as the
right thing to do to, bind it.
0:51:17 The other nice thing about that is
like, unlike indexed DB cookies can
0:51:21 actually have an expiration date.
0:51:22 So we could set an expiration of a week.
0:51:25 we're still relying on the browser to
enforce that, but if the browser enforces
0:51:28 that, and then, you know, two weeks later,
that person is fully hacked, including
0:51:33 their operating system key chain, the
browser, at least in theory, will have
0:51:36 deleted that private key and then the
data that's in IndexedDB will be gone.
0:51:40 So that's actually, funny
enough, additional functionality.
0:51:43 It was just incidental to the,
to using cookies for that.
0:51:46 Right.
0:51:46 I like this trick a lot
and I got to look into it.
0:51:49 One thing to point out still is, you've
mentioned that this mechanism is only
0:51:54 available in Chromium browsers anyway,
but, cookies and IndexedDB, OPFS, et
0:52:00 cetera, all of that is available in
other browsers and namely Safari as well.
0:52:05 One thing that, people find out the hard
way about Safari is that it automatically
0:52:11 deletes a user's data after seven days
if they haven't visited that website.
0:52:16 So if you're building a fully
local-first web experience where
0:52:21 someone, creates some precious data,
in Safari and maybe doesn't sync it
0:52:26 yet to somewhere else, go on vacation,
come back and poof, the data is gone.
0:52:32 So I think as app builders, we
need to be aware of that and
0:52:36 detect, Hey, is this Safari?
0:52:38 And in Safari, make this part of the
product experience show sort of like
0:52:42 a message, like, Hey, be careful.
0:52:44 Your data might go away.
0:52:46 There are ways to remedy that.
0:52:48 And, to, for example, if you make
the Safari app, a, progressive web
0:52:53 app by adding it to the home screen.
0:52:56 That limitation goes away.
0:52:58 but app builders need to be aware that
they can make the app users aware.
0:53:04 it's just something that, I
think is important to, note.
0:53:08 Yeah, I think that's an example
of a number of cases where the
0:53:11 browsers are just not optimized for
local-first apps, unfortunately.
0:53:15 you know, the, I think the ability to just
store low level access to the operating
0:53:21 systems key chain is another, where.
0:53:23 Browsers have improved a ton in terms
of what they expose of the APIs, but I
0:53:28 think they're still lagging when it comes
to that storage and encrypted storage.
0:53:32 Yeah, totally.
0:53:34 So, maybe slightly, moving to
another browser related topic.
0:53:39 you've been both through your
work, Through your prior role, and
0:53:43 also as part of Jamsocket, you've
been dealing with quite a bit