4/15 All users need to do is log in with a username and password, just as you would on any other website. The connection is end-to-end encrypted (TLS terminates at the #HoloPort, not the #Holo gateway).
5/15 Other static assets, including UIs, can be served from anywhere. Crucially, there is NO requirement for hardware wallets, key store files, or other things typically associated with accessing #decentralized networks such as #Bitcoin.
6/15 While this makes the process of accessing a hApp really user friendly, the setup does have 3 potential weaknesses:
7/15 The login process unfortunately bears a resemblance (albeit a superficial one) to #centralized #cryptocurrency wallets that purport to hold private keys. These often turn out to be scams.
The UI for the browser could include malicious front end code.
8/15 Traffic for hosted hApps has to be routed through Holo’s distributed gateway infrastructure. While this infrastructure may contain security gaps that could be exploited by bad actors, we have made it as secure as possible (e.g., SNI, E2E encryption, etc.).
9/15 Our approach to handling these issues has been to develop a secure iFrame we’re calling Chaperone. The application generates keys from the username and password and securely manages them within the browser—essentially, the same process as key generation in #Holochain.
10/15 Chaperone also handles all zome calls and signing, which means the hApp UI does not have direct access to a user’s login information. Developers using the Holo Hosting web SDK would only interact with Chaperone through the Cross-Origin Message Bus (COMB) library.
11/15 COMB is our library that wraps the built-in window messenger (window.postMessage), making the API more user friendly by adding request/reply, async/await, and other features.
12/15 Thus, #Holo isn’t responsible for authenticating web users and cannot access keys, minimizing integration requirements and limiting the number of access points that need to be audited for potential leaks.
13/15 Note: If you were to lose your login information, Holo would not have any way to recover it, so make sure you take steps to prevent that from happening.
14/15 If you’re interested in seeing what Chaperone can do, you can use our front end SDK to run a local development instance to test conductors directly without having to connect to a network & #HoloPort. We encourage you to check this out when it’s available for public release.
15/15 This should clear things up a bit! If you would like to read this article all in one, please visit our blog: https://blog.holochain.org/key-management-and-source-chain-entry-signing-in-holo/ …
#Holochain #Holo #HoloPort #NextNet
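The credential-derived key idea from tweets 9/15 through 13/15, as an added example that is not part of the original thread and is not Chaperone's code: it derives an Ed25519 key pair deterministically from a username and password and signs a call with it. The KDF (scrypt), its parameters, the salt layout, `APP_CONTEXT` and the call fields are assumptions, and Node's `crypto` module stands in for the browser so the sketch runs offline.

```javascript
const crypto = require('node:crypto');

// Fixed PKCS#8 DER header for an Ed25519 private key; the 32-byte seed follows it.
const ED25519_PKCS8_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');

// Assumed values for this sketch; none of them come from the thread or from Holo.
const APP_CONTEXT = 'example-happ-id'; // hypothetical per-application label
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive a key pair that is a pure function of (app, username, password).
function deriveKeyPair(username, password) {
  // The salt binds the seed to the account and the app, so the same password
  // on another account or another app yields an unrelated key.
  const salt = crypto.createHash('sha256')
    .update(`${APP_CONTEXT}\0${username.trim().toLowerCase()}`)
    .digest();
  const seed = crypto.scryptSync(password.normalize('NFKC'), salt, 32, SCRYPT);
  const privateKey = crypto.createPrivateKey({
    key: Buffer.concat([ED25519_PKCS8_PREFIX, seed]),
    format: 'der',
    type: 'pkcs8',
  });
  return { privateKey, publicKey: crypto.createPublicKey(privateKey) };
}

// Raw 32-byte Ed25519 public key as hex (the tail of the SPKI encoding).
function publicKeyHex(keyPair) {
  const spki = keyPair.publicKey.export({ format: 'der', type: 'spki' });
  return spki.subarray(spki.length - 32).toString('hex');
}

// Sign a call inside the key holder; the calling UI only ever sees the signature.
function signCall(keyPair, call) {
  return crypto.sign(null, Buffer.from(JSON.stringify(call)), keyPair.privateKey);
}

function verifyCall(publicKey, call, signature) {
  return crypto.verify(null, Buffer.from(JSON.stringify(call)), publicKey, signature);
}

// Constructed sample input: the field names are hypothetical, not a Holo wire format.
const sampleCall = { zome: 'notes', fn: 'create_note', args: { text: 'hello' } };
const session = deriveKeyPair('alice@example.org', 'correct horse battery staple');
const signature = signCall(session, sampleCall);
console.log('agent public key:', publicKeyHex(session));
console.log('signature verifies:', verifyCall(session.publicKey, sampleCall, signature));
```

Because the key pair is a pure function of the credentials, nothing has to be stored by the host, and a forgotten password leaves no path back to the same key.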