Documentation for nanogram available here for awhile
Edit:
Dont be a ungrateful Be nice pls. I put a lot of time, effort, and my own money into making this. I’m choosing to freely share it :)
Yes I get help from LLM’s. Review the code if you think it’s unsafe, or just move on and don’t use it. Happy to answer any technical questions.
Edit 2: Expanded source code for termux version here.
Edit 3: Expanded source for pi version here
Tor doesn’t automatically secure your app. If your social media instance has 1000 users on it, and one user gets compromised, then the other 999 users shouldn’t have any interactions outside of that user leaked.
Are file uploads encrypted?
Maybe you have a data leak. Maybe they send the filename in plaintext somewhere. Maybe they take advantage of the fact that UUIDs might be deterministic. But if I may flip the question… Why does an inaccessible post even need to return 403 anyway? It just functions as a big footgun that may cause any other exploits to behave worse.
But you can determine its existence or not through the status code.
Gifs will lose any animation, pngs will lose quality. Also, as far as I can tell, there’s nothing stopping a malicious user uploading a non-image file.
There are two steps to making a post: Upload and store the image and add the post to the database. There’s also similar steps to deleting a post: Removing the image upload and removing the post from the database. Are both these operations atomic?
It’s not that hard for a sufficiently motivated adversary to get an account on a sufficiently large instance. You need to ensure that one user account being compromised doesn’t result in information leakage from unrelated accounts.
This discussion stems from issues I found in just one function. You’re making a product which requires a very high level of security. You need to understand how to write secure code, and your LLM won’t be able to do it for you.
I don’t want to discourage you from programming in general, but making a very secure social media site is a rather complex undertaking for someone new to programming.
First, thanks for replying I appreciate the feedback and thoughtful replys.
If I intended on using this for mission critical communications or something, maybe I would add and enforce two factor authenticated logins. That could mitigate this conern to some extent. Or use tors built in authenticated onion service mechanism and distribute the certificate to users. This thing was never intended to scale to that size though.
But this is pretty much the case for any platform yeah? If you gain access you gain access?
Users that did not allow their posts to be shared with the compromised account would remain private, and conversations outside of the compromised account would remain private. AND, let’s say you had a hint that a account was compromised and you were using web crypto. Resetting your password would break the encryption of all conversation history… OR anyone engaged in a sensitive conversation could remotely wipe their conversations.
File uploads are encrypted in transit from the client to the server but not encrypted on the server. Anyone needing anything further would already know how to encrypt a file and can handle that manually. It’s a heavy operation is the main reason. My use case is to send a pdf of a already public news article or something so I didn’t feel implementing was important.
That’s a fair question. I could see how it could be used to test to probe the server or something. The thing is, you would only get that different 403 response if you were logged in. If you were logged out, you get the same response checking for a valid uuid and a non uuid so I’m not sure what an attacker is learning?
You get the small benefit of knowing if a file exists only if you have valid credentials. If you don’t have credentials your going to get bounced to the login screen no matter what string you try with no feedback.
Again this is a design choice I don’t want gifs. There are filetype checks on line 350 of the app. PNG, webp, jpegs allowed only.
One of the main design goals was to keep this light weight. That’s why I’m only displaying 10 photos before a new page is created. I am extremely happy with the performance of the image compression. The compression amount is tunable however if you want higher quality.
The server can ingest a 8mb photo and compress it down to 100-500kb and it still looks totally fine to me. I was most amazed with this function. Plus, I like that I’m able to archive all these family moments into a really small footprint. Over 250 photos is only like 40mb.
Yes deleting is atomic. It should leave no trace in the db and it really removes it from the file directory of the sever. Also wiped are all related comments and likes associated with the post.
My current built in security features are as follows.
invites only generated by the server manager
ability for the server manager to delete and wipe accounts.
ability to rotate your onion address. This cuts of all access to the service. The server operator would need to redistribute the onion address.
users have control of any data they have sent to the server…ie real deletion rights that really delete things.
any new invitee to the server has zero access to any accounts. Each user already in the instance needs to manually allow access to all their posts.
Two factor authentication won’t help here. You have to build your app with the assumption that any attacker has a valid login and credentials and therefore restrict them to only information they have permission to see.
Usually when people talk about e2e encrypted messaging they mean that everything is encrypted. That includes images and text content. The server should not be able to read any contents of any message sent through it.
Why? Sending memes is a core part of any social media experience.
Line 350 in both files doesn’t seem to contain any filetype checks. I assume you mean
file.content_type. That may not be accurate to the actual file uploaded; it can be spoofed.# Delete the associated message if it exists if chat_file.message_id: msg = db.get(Message, chat_file.message_id) if msg: db.delete(msg) ---> Here # Delete file from disk file_path = os.path.join(CHAT_FILES_DIR, file_uuid) if os.path.exists(file_path): os.remove(file_path)If the application crashes/closes at the indicated point, then you will delete the message from the database but still have the image on the server. If this is an image served from
/img/whatever, it would have no checks beyond a login check.