2

For an open source project I'm currently working on, I need people to trust a website. Basically, the user would write "foo" on his phone. It would go on the website which would take the message "foo" and send it to a server running on this user's PC. I want people to be sure that the server did not change "foo" into "bar". I know I'm not malicious but potential users don't know it so I need them to trust me.

There are 2 possibilities. The first one is to use cryptography. The user would encrypt on his phone "abc" and the server running on the user's PC would decrypt it. But it's cumbersome for the user (he would need to encrypt it in another app). The second possibility would be to convince the user I'm not malicious by showing him the code running on the server. I can show the code on GitHub easily. The question is how can we ensure that the code running on GitHub is the same as the code running on Heroku?

Pholochtairze
  • Whatever you show to the user, she would have to take your word for it that it is really what is running your server. Maybe she trusts at least Heroku, then Heroku could vouch for what has been deployed to the server and that the given URL points to that server. But I don't think they do that currently. – Thilo Oct 20 '16 at 09:40
  • For the special segment of very security-conscious users that demand this kind of "trustless server", using a separate crypto tool that signs and verifies messages client-side is probably not too cumbersome (but their preferred mode of operation). – Thilo Oct 20 '16 at 09:45
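
The client-side signing approach from the question's first option and the comment above, as an added example that is not part of the original post or the asker's project: the phone signs each message with an Ed25519 key and the PC verifies it, so the website in between can relay the message but not alter it unnoticed. The function names, the counter field and the one-time pairing step are assumptions made for illustration.

```javascript
// Added example (Node.js). All names here are constructed for illustration.
const crypto = require("node:crypto");

// One-time pairing, done without the website: the phone generates a key pair
// and the PC stores the public key.
function pairDevices() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { phoneKey: privateKey, pcTrustedKey: publicKey };
}

// Phone side: sign the text together with a counter so old messages cannot be replayed.
function phoneSend(phoneKey, counter, text) {
  const payload = JSON.stringify({ counter, text });
  const sig = crypto.sign(null, Buffer.from(payload, "utf8"), phoneKey);
  return { payload, sig: sig.toString("base64") };
}

// PC side: accept a message only if the signature verifies and the counter is fresh.
function pcReceive(pcTrustedKey, lastCounter, envelope) {
  if (typeof envelope.payload !== "string" || typeof envelope.sig !== "string") {
    return { ok: false, reason: "malformed" };
  }
  const sig = Buffer.from(envelope.sig, "base64");
  const data = Buffer.from(envelope.payload, "utf8");
  if (!crypto.verify(null, data, pcTrustedKey, sig)) {
    return { ok: false, reason: "bad signature" };
  }
  const { counter, text } = JSON.parse(envelope.payload); // parsed only after verification
  if (!Number.isInteger(counter) || counter <= lastCounter) {
    return { ok: false, reason: "replayed" };
  }
  return { ok: true, counter, text };
}

// Stand-in for the relay website changing "foo" into "bar" (constructed case).
function tamperingRelay(envelope) {
  return { ...envelope, payload: envelope.payload.replace("foo", "bar") };
}

function demo() {
  const { phoneKey, pcTrustedKey } = pairDevices();
  const sent = phoneSend(phoneKey, 1, "foo");
  return {
    honest: pcReceive(pcTrustedKey, 0, sent),
    tampered: pcReceive(pcTrustedKey, 0, tamperingRelay(sent)),
    replayed: pcReceive(pcTrustedKey, 1, sent),
  };
}
console.log(demo());
```

With this in place the user no longer has to trust the code deployed on Heroku for integrity, only the signing code on the phone and the verifying code on the PC.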

1 Answer

0

It depends on your deployment. To achieve this, make a deployment process that will fetch the whole repository and do the production or environment build. This is pretty much the same as with an NPM setup, where you will have an entry file and a build script.

Allan Jikamu