Tuesday, October 17th, 2006

Halfnote: Secure Document Sharing

Category: Browsers, Showcase, Storage

<p>Halfnote is a web based secure notepad created by Aaron Boodman.

Aaron created this originally to allow him to share documents between his own computers in a secure manner.

The web application uses local storage in IE 5+ and Firefox 2 to store an encryption key. This means that your notes are encrypted with a key that never leaves your machine.

In traditional web applications your data is not encrypted at all. It’s sitting there on the server in plaintext for all to see. If the provider screws up, your data will be leaked, for example what happened with AOL.

Even if it were encrypted, you’d either have to enter the key every time you wanted to view the data, or else store the key on the server, which would defeat the purpose of encrypting it in the first place.

Local storage offers a way around this issue, and I wrote halfnote as a sort of proof of concept for client side encryption in web applications.


  • Client-side encryption. Your notes are strongly encrypted with your account password before they leave your browser. Even if I totally screw up someday and pull an AOL, your data will remain pretty safe.
  • Auto-save. Save buttons are lame. Halfnote saves your notes automatically whenever you stop typing.
  • Synchronization. You can have Halfnote open on multiple computers and they will stay in sync with each other. You don’t have to worry about accidentally overwriting notes you entered on another computer.

Related Content:

Posted by Dion Almaer at 12:13 pm

3.7 rating from 15 votes


Comments feed TrackBack URI

This seems very suspectible to man-in-the-middle attacks. Wouldn’t all I have to do to get the encryption key be to insert javascript code during the request? Javascript code to fetch the key from storage and transmit using e.g. XmlHttpRequest..

Or if you cannot manipulate a communications stream, insert Javascript (if vulnerable) using XSS attacks and lure the victim to use your crafted URL, ending with exposure of the key.

With a requirement of HTTPS and no XSS vulnerabilities this could be more secure against outsiders. But you would still loose what I think is your main point: Your data is stored encrypted on the server, and the server operators will have no way in decrypting it. Unfortunatly this is not true either. As pointed out, all the operators would need to do to get the key is serve the page with Javascript crafted to fetch and transmit the encryption key.

So in reality this only provides to following security (You must assume that the site is not XSS vulnerable):
- People with read-only access to the stream cannot see your data.

You are still moving in the right direction, hopefully one day a secure solution exists or is even possible.

Comment by Hallvar Helleseth — October 17, 2006


You’re right that client-side encryption by itself doesn’t protect against man-in-the-middle, or a malicious developer. In these regards, it is no better or worse than a normal web app.

What I think is interesting is that client-side encryption eliminates the possibility of the developer accidentally leaking the data.

Comment by Aaron — October 17, 2006

Hi Aaron, very cool app! I’d love to see a WHATWG storage provider in Dojo.Storage and an IE StorageProvider; right now we only have a FlashStorageProvider, but the full architecture is there for other kinds of storage mechanisms, including determining at runtime the best one to use. Interested in writing the Firefox 2 (WHAT working group) and IE storage providers? It should be straightforward and I can step you through the process. Feel free to call me at 1-510-938-3263 as well.

Brad Neuberg

Comment by Brad Neuberg — October 17, 2006

Aaron, btw, you can support older browsers (including Safari) by using Dojo.Storage’s FlashStorageProvider, which comes on automatically. Here is an example editor I threw together to show this, called Moxie, similar to your halfnote editor:


All that code is BSD, btw, so feel free to use it or incorporate it.

Once we have the WHATWG and IE StorageProviders, using storage on any of these platforms will be as simple as the API Dojo.Storage exports, which is basicly a very simple hashtable with puts and gets (though the inside has alot of support for doing high performance work with large strings, XML, JavaScript objects, and more — you’re shielded from this stuff).

Comment by Brad Neuberg — October 17, 2006

This idea was floated by Richard Schwartz as “Host-Proof Hosting” and led to a debate with Alex Russell about the risk of script injection that you mention. I think the conclusion is that it’s vastly more secure than keeping open data on the server and vastly less secure than keeping it on a local machine! http://ajaxpatterns.org/Host-Proof_Hosting

Comment by Michael Mahemoff — October 17, 2006

Well, it’s worth a try and maybe the security leak ( protect against man-in-the-middle ) will be developed soon.

Comment by milo — October 18, 2006

So I moved halfnote over to SSL. That should handle MITM. It’s true that you’re still not protected against a malicious operator (err… me) or a hacker who has gotten access to the web server and has enough time to wait for the passwords to trickle in. But this is a whole lot better than the alternative, I think.

Comment by Aaron — October 18, 2006

[...] Halfnote is a lightweight web-based notepad that I thought was pretty neat. It’s dead simple, basically consisting of only one text area, and features client-side encryption, auto-save, and synchronization between computers. (via) [...]

Pingback by Halfnote — October 20, 2006

Nice to see that you’re trying to rectify the issues. I would love to see a final solution to this with SSO. That would rock the world (wide web)!

Comment by Hallvar Helleseth — October 21, 2006

I like it
i like it

Comment by Tribulus — October 1, 2008

Leave a comment

You must be logged in to post a comment.