How secure is TiddlyWiki?


Stephen Kimmel

May 2, 2016, 10:55:00 PM
to TiddlyWiki
I work for an engineering company and TiddlyWiki is something I use almost constantly. My company, however, would rather that I use another wiki program that is part of an integrated package. Without going into too much detail, the words that immediately come to mind when describing that program are "useless" and "vile." Although they've never prohibited me from using TiddlyWiki, they have raised questions that I can't easily answer such as "How secure is our corporate data?" and "How do you know it isn't transmitting data outside the company?" and finally "How do you know it won't damage the data on our network?"

My first reaction is to discount this as paranoia but I don't know the inner workings of TiddlyWiki well enough to know it isn't doing those things and I'm not sure anyone but Jeremy (and perhaps Eric) do know. I'm more worried about Google making copies of my data than I am Jeremy doing it. Still Firefox and most modern browsers have gone out of their way to prevent applications like TiddlyWiki from working. On a separate but related note, one of the math routines developed for TiddlyWiki used a separate math package to avoid using the "dangerous" javascript eval function. Could some malicious bastard create a plugin that could actually damage our computers or our data outside the Wiki?

Does anyone know?

Eric Shulman

May 2, 2016, 11:38:18 PM
to TiddlyWiki
On Monday, May 2, 2016 at 7:55:00 PM UTC-7, Stephen Kimmel wrote:
I work for an engineering company and TiddlyWiki is something I use almost constantly. My company, however, would rather that I use another wiki program that is part of an integrated package. Without going into too much detail, the words that immediately come to mind when describing that program are "useless" and "vile." Although they've never prohibited me from using TiddlyWiki, they have raised questions that I can't easily answer such as "How secure is our corporate data?" and "How do you know it isn't transmitting data outside the company?" and finally "How do you know it won't damage the data on our network?"

For many, many years, I have described TiddlyWiki thus: "USE it like a website, OWN it like a document".

Thus, "How secure is our corporate data?"... is a function of how your company handles internal document files, such as Word, Excel, etc.  If you follow the same security protocols for handling TiddlyWiki documents as you do for other types, then there is no difference in security.

Regarding "how do you know it isn't transmitting data outside the company"... When using stand-alone .html files, TiddlyWiki always attempts to save the file *locally*.  For TiddlyWiki to save to a remote location, it needs to be either running the NodeJS-based TiddlyWiki, or using a server-side script (e.g., store.php).  Both of these methods require explicit installation/configuration to be enabled.  Thus, it is unlikely that any data could be transmitted outside the company without you knowing.  As long as you have security procedures in place to prevent sending unauthorized files to outside entities, then TiddlyWiki poses no more risk than any other file types in use within your company.

As noted above, TiddlyWiki writes *local files* by default.  The only data that could be damaged by TiddlyWiki would be the TiddlyWiki files themselves.  Fortunately, because each TiddlyWiki file is stand-alone and self-contained, it's very easy to make backups simply by copying the TiddlyWiki file before beginning an editing session.  That way, if something does happen, you can always get back to the most recent previously saved data by restoring the file from the backup copy.

My first reaction is to discount this as paranoia but I don't know the inner workings of TiddlyWiki well enough to know it isn't doing those things and I'm not sure anyone but Jeremy (and perhaps Eric) do know. I'm more worried about Google making copies of my data than I am Jeremy doing it. Still Firefox and most modern browsers have gone out of their way to prevent applications like TiddlyWiki from working. On a separate but related note, one of the math routines developed for TiddlyWiki used a separate math package to avoid using the "dangerous" javascript eval function. Could some malicious bastard create a plugin that could actually damage our computers or our data outside the Wiki?

In TiddlyWiki Classic, my TiddlyTools InlineJavascriptPlugin allows arbitrary javascript to be invoked from any tiddler.  This *does* present a bit of a security gap, in that someone could send you a tiddler that could *try* to mess with your "data outside the wiki".  However, nearly all script exploits rely on functions that modern browsers "prevent from working", so TW Classic is relatively safe.

TW5 is even safer.  It does not permit use of javascript embedded in tiddlers (i.e. <script>...</script> blocks are ignored), and even prevents use of inline event handlers (onClick, onChange, onSelect, etc.) in HTML code.  To invoke javascript code in TW5, it must be contained in a tiddler with a suitable module type (macro, widget, etc.) which the TW5 core invokes during startup.  This ensures that there is a mechanism by which the TW core can control what scripts are invoked.  This makes it very unlikely that someone could sneak some malicious code into your TW.

enjoy,
-e

PMario

May 3, 2016, 5:00:59 AM
to TiddlyWiki
On Tuesday, May 3, 2016 at 4:55:00 AM UTC+2, Stephen Kimmel wrote:

I did find 7 statements in this post and I will try to respond to them, by describing the mechanisms that are used to create the TW functionality. So your security OPS can make their own picture.


Some general remarks.

Open Source:
------------

Almost everything, if not everything in the TiddlyWiki ecosystem is open source. So the source code is publicly available and reviewable by everyone.

TiddlyWiki [1], TiddlyFox [2], TiddlyIE [3] links are at the end of the post.


Single Page App (SPA)
---------------

TiddlyWiki is a SPA. Once it is loaded from eg: http://tiddlywiki.com you can disconnect your computer and TW will be fully functional.

TiddlyWiki doesn't need any server backend to be functional and it doesn't send any info to any server, unless the user wants this behaviour (plugins).

tiddlywiki.com contains the tw google analytics (ga) plugin, to get minimal statistics.

but

If you download tiddlywiki, this code is deactivated or not included at all. So empty.html doesn't include any plugins.

Only if you download "full wiki", you get everything as requested, but ga is inactive. It only works with tiddlywiki.com, otherwise everyone would be able to spam the statistics.

----------------


1) "How secure is our corporate data?"

TiddlyWiki is a pure HTML file. So you can open it with any text editor, if you need to.

If you talk about "access rights", the same rules apply, that are valid for every other file type. As mentioned above HTML is pure text and the file format is standardized.

In a "discoverability" sense of the question, it is as secure or even more secure than proprietary file formats used in many companies. Just try to open a 10 year old word file. Opening a 10 year old TW file is no problem. It should work with every standard browser and it definitely works with every standard text editor.
The TiddlyWiki core contains an open source encryption library [4], that lets you encrypt the internal tiddler store. The mechanism used is AES256, which is considered secure at the time of writing. There is an ongoing discussion about whether browsers are a good environment for encryption. But that's a different topic.


2) "How do you know it isn't transmitting data outside the company?"

As written in the intro: TiddlyWiki is open source.  

As you mentioned in 5), browser vendors block transmissions that they consider potentially insecure. Actions that are blocked differ a little bit between different browsers.

One of these measures prevents a TiddlyWiki that was started from a file:// URI from uploading itself to an http:// URI, eg: tiddlyspot.

So for the "save from file:// URI to http:// URI" we can say. ... latest browsers prevent this mechanism. If you need this behaviour now, you need to install a proxy server.


3) "How do you know it won't damage the data on our network?"

That's very similar to 2).

There are 2 mechanisms that are used to save a TW.

a) We call the first mechanism the "fallback mechanism", because it works on every browser.
TW uses the built in browser download mechanism, which creates a new file with every download.
This mechanism is the same, that you use to download any other file from the net. So the restrictions are defined with your browser settings. (eg: Most browsers use the user "Downloads" folder as a default save position)

b) To activate the ability, that TW can overwrite itself [5] on the file system, we need browser plugins. TiddlyFox [2] for FireFox and TiddlyIE [3] for InternetExplorer. Chrome, Safari and some other browsers only support possibility a)

Both TiddlyFox and TiddlyIE are open source!

With the latest FireFox browser, extensions are only allowed to be executed, if they are signed by Mozilla. TiddlyFox is a signed extension [6].


4) My first reaction is to discount this as paranoia but I don't know the inner workings of TiddlyWiki well enough to know it isn't doing those things and I'm not sure anyone but Jeremy (and perhaps Eric) do know.

Hopefully some others know too ;)


5) Still Firefox and most modern browsers have gone out of their way to prevent applications like TiddlyWiki from working.

Yes. See 2) and 3)

There are several other browser security measures, that should prevent any website from having unwanted effects. All these mechanisms are also active with TW.


6) On a separate but related note, one of the math routines developed for TiddlyWiki used a separate math package to avoid using the "dangerous" javascript eval function.

As Eric pointed out, the TiddlyWiki wikitext parser contains some "sanitation" functions, that filter potentially dangerous html code from "copy / pasted" tiddler content. eg: script tags. ...

So the most important factor here is the user. We have to say: "Only use content, that you trust!".

So if you dynamically want to include external libraries you can do so. Every website can do so! ... But with TW you are the owner. So you explicitly have to activate the behaviour.


7) Could some malicious bastard create a plugin that could actually damage our computers or our data outside the Wiki?

If s/he manages to break out of the browser sandbox. ... But this is true for every other website you visit!

The advantage here is. ... The browser vendors do their best to prevent harm from any user. So that's why, if you use the latest stable browsers you should be relatively safe!

Speaking for TW plugins. You (the owner) need to install them and tiddlywiki.html is "just a webpage". So it inherits all the restrictions, valid for every web page.


hope that helps
have fun!
mario


[1] https://github.com/Jermolene/TiddlyWiki5
[2] https://github.com/TiddlyWiki/TiddlyFox
[3] https://github.com/davidjade/TiddlyIE
[4] http://tiddlywiki.com/#Encryption
[5] http://tiddlywiki.com/#GettingStarted
[6] https://addons.mozilla.org/en-US/firefox/addon/tiddlyfox/

Mark S.

May 3, 2016, 11:22:43 AM
to TiddlyWiki
If your company is asking you to use some other Wiki, does that mean that they expect it to be used in collaboration with others?

If so, then they may have a point. Collaboration is a bit weak in TW, to put it mildly.

If you carry your TW home on a flash drive or laptop, then there is a danger of the data being exposed -- just as with any other document. Even brand-new laptops come with all sorts of 3rd party stuff these days, and it doesn't seem that manufacturers vet the software thoroughly. USB drives can be lost, or left behind at business meetings.

TW does have an encryption capability, which might add some peace of mind. You might find out if your company's default wiki product is using encryption.

Mark


prog...@assays.tv

May 3, 2016, 12:21:27 PM
to TiddlyWiki
PMario

WOW

That is an AMAZING detailed, pertinent, reply.

I am gobsmacked at the effort people like you here give freely.

It is a nice thing to witness.

Josiah