Sign a PDF document client-side with no data leaving the computer (observablehq.com)
125 points by tlarkworthy on May 31, 2021 | hide | past | favorite | 81 comments



If I'm reading this right it's in-browser JS signing software. The author makes the claim that native software is hard to audit, but neglects the much bigger problem of having to verify the JS downloaded on-demand for every session. What you are served is not guaranteed to be the same as what's hosted on GitHub.

Tony Arcieri explains the issues more broadly here https://tonyarcieri.com/whats-wrong-with-webcrypto

Also, Nadim Kobeissi formalized it wrt Protonmail a while ago: https://eprint.iacr.org/2018/1121.pdf


These days with service workers and what not you might need more than a quick glance at the network log if you suspect the web page is malicious.

Even for non-malicious sites this can be a problem.

I think a notable case of the second category is jwt.io which last I checked definitely seemed to fire a few network requests after I pasted a token.

(Happy to be corrected if this is obviously false or has been corrected later.)

That said I couldn't see my token in one of them but it is scary enough to make me avoid using that site.

BTW, I think their statement/claim

> "Warning: JWTs are credentials, which can grant access to resources. Be careful where you paste them! We do not record tokens, all validation and debugging is done on the client side."

is correct, it's just too scary for me to put client credentials there at all when it isn't trivially easy to prove that they aren't uploaded.


> I think a notable case of the second category is jwt.io which last I checked definitely seemed to fire a few network requests after I pasted a token.

They do make requests to https://b.6sc.co/ all the time, regardless of you pasting stuff or just having it as an idle tab. Seems to be some kind of analytics that just tracks your time on the page and if you are active or not. With that said, I just fired up a proxy now when you mentioned it, have not actually properly investigated it.


My guess is it is just analytics, but as recent events have shown they are then one misconfiguration away from sending highly sensitive data to Facebook or someone else.


I wonder how many analytics domains exist out there unregistered and what you could troll for by registering them.


This is for signing a document with a "hand" signature, not cryptographically signing it with a cryptographic signature. Besides, if you don't trust in-browser JS then you shouldn't trust any site on the web, e.g. online banking.

That this is running completely locally without any software to install is pretty useful and cool. Your criticism isn't great (IMO borders on concern-trolling) because the alternative is something where the docs go to some centralized SaaS that store everything including your signature for an unknown period of time.


> the alternative is something where the docs go to some centralized SaaS that store everything including your signature for an unknown period of time.

No. The alternative is using a desktop application, which offers a superior UX in every way.

I don't get what's so bad about installing applications. It's painless. Browsing the web on the other hand is painful.


"This is for signing a document with a "hand" signature, not cryptographically signing it with a cryptographic signature. "

Ah very well, then it's not as important.

"Besides, if you don't trust in-browser JS then you shouldn't trust any site on the web, e.g. online banking."

Online banking is different from the PoV of expectation of privacy. With online banking I'm managing the account the bank has plaintext access to by definition. Had this been about digitally signing a document, the vendor would be an untrustworthy third party (the signer and the verifier being 1st and 2nd parties).

"That this is running completely locally without any software to install is pretty useful and cool."

No it's running in-browser, not natively. It's not enough it runs locally, it needs to run locally the same way, every day, without requiring 365.25 code-audits per year, per user.

"Your criticism isn't great (IMO borders on concern-trolling) because the alternative is something where the docs go to some centralized SaaS that store everything including your signature for an unknown period of time."

No the alternative is a native client that does this offline, where you can inspect the source, download and compile it (hopefully reproducibly), and where you know you can trust the program acts the same way during runtime, every time. That's not true for JS applications. Since this isn't about digital signatures, I admit I was wrong in that respect. However, wrt security related programs, in-browser crypto isn't safe as the sources showed.


If there is software entirely in a web page and does not send data to internet, then you could just save the HTML file (and other needed files, if any) to your computer and then use that.

You do not have to connect to the internet to access a local HTML file. If you disconnect the internet, then anything in the file that tries to access the internet will not work, so you can also know that it isn't sending stuff to the internet.


Yeah there are hacks around the problem, even a JS application could be downloaded to a VM that is airgapped and the state of which is saved, and after auditing the minified code (painful as hell) you know you can trust it on consecutive runs. This is all mostly fine but having to rely on such sandboxes isn't what we really want from security software, especially when minification makes auditing e.g. implementation of cryptographic algorithms really difficult.


One way to improve it might be to add a new JavaScript function into HTML which causes all further network access made by the current document to be blocked; the user who downloads the file can insert that command at the beginning of the file if they want to disable network access. (Since it is called before the rest of the document can change its definition, it will be effective.) (It is one of the many things which will need to be fixed in a newer web browser program, I think.)


In the case of sensitive pdfs, it's enough to check your network is not inexplicably in use, and I explain how to do a network audit in the notebook (yay literate programming). BTW this is "sign" as in overlay an image of your physical signature, not certify with a digital signature.


That’s what most want when they think of signing a document. There’s all sorts of technical stuff relative to PDF Signing (cryptographic) and why it matters but most people that want signed documents want to be able to say the user was presented with this document and signed it. Most also fail to understand the technical mechanisms that are important to be able to defend that a user saw what you wanted them to see and then signed it. It’d be easy to argue that the other party showed you another document, got your signature and then overlaid it onto a new document. That’s the issue with many open source signing schemes, they aren’t provable because few if any implement both cryptographic signing and signature overlay.


have there been any legal cases where the overlay was not sufficient?


What if there is an iframe in the page, then I don't think you will see anything in network logs in devtools...


Why would you have to verify the JavaScript every session?

If you are transporting over HTTPS and have a Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) it seems like that job is largely taken care of.


I'm not talking about XSS vulnerabilities, but having to trust the vendor to do the right thing every time I use it. Some companies can be coerced, internally compromised, and TLS and X.509 aren't exactly designed to be safe against nation-state attackers so MITM can inject malicious JS clients.

Native clients suffer from code distribution problems too, but to a much lesser extent, especially with reproducible builds and actually readable code as opposed to minified JS.


signing on adobe software actually hashes the document with a cryptographic key.

this looks more like drawing an image onto a pdf.


FYI for anyone on a Mac: The Preview App has a feature to sign any PDF or image using your trackpad.


And if you don't have a trackpad, it instructs you to sign a blank piece of paper and hold it up to the webcam!


Which usually turns out a lot better - I tried signing on a trackpad but it looked like a preschooler signing their name :P


This is going to sound really weird, but I was able to create a decent trackpad signature once I got into the right mental state.

I held my pointer finger between my thumb and middle finger, and made myself really think of it as a pencil. I looked down at the trackpad as I wrote (rather than at the screen), and tried to visualize the trail it would leave on the surface.


That does sound super weird but I can see how it would work! I’d probably still prefer a stylus though :P


https://seedlegals.com/ asked me to use my mouse for an online signature. In their FAQ they say I can't upload an existing one, quote "This is for security reasons, so that we know it is really you signing. [...], you might find it easier to perfect that sign on your phone / tablet with a touchscreen." I borrowed an iPad+Pencil from a friend and signed it with the pen, that kind of worked.


Yeah, tablet and stylus is one of the best solutions for this. Even finger-on-iPhone is pretty janky-looking.


I've seen people complain that Preview can be inaccurate and shouldn't be trusted for important legal documents (like the ones you might want to sign). https://mobile.twitter.com/sunshowers6/status/13930051073739... Anyone else have experience with this?


I used to have issues, but the simple fix is this:

Instead of simply saving the signed PDF in preview and sending it out, export the PDF as another PDF (there’s an option to do that in the File dropdown).

I’ve found that doing that fixes all compatibility issues (based on signing 5-10 docs a week).

Edit: Before someone tells me I should be using Acrobat, I know, but for some reason it runs painfully slow on the new Apple M1s.


Yes, re-exporting to another PDF works reliably and also ensures you don’t leave anything editable if you’ve used text fields.


Preview shouldn't be trusted for legal documents ?

I would call that Apple bashing nonsense.

Mac, Windows, Linux, BSD ... if you're going to go signing legal documents (a) with a self-signed certificate (b) without an independently traceable timestamp .... then frankly don't expect it to hold up for long in a law court.


That depends on how the file is delivered. Drawing your signature is not even needed.

That said, most of the times I need a signature is some bureaucratic useless form and the signature is just a pro-forma - and you can be sure if I don't have a signature (and maybe if I didn't pass my form through a filter to make it look like it was scanned) some government employee in some office will reject my form and I'll have to do another one and fork out even more money.


How is "the wrong checkbox being selected" related to certificates and timestamps?

And the signatures we're talking about are an image of a signature, not a cryptographic one.


How do we know "the wrong checkbox being selected" was a Preview problem and not something to do with non-standard PDF construction ?

Also, I don't know about you, but AFAIK pretty much all software these days (whether closed-source or open) comes with a great big disclaimer attached effectively saying "you're on your own" if the software functions in an unexpected manner.


I worked in this space and personally digitally signed hundreds of documents, using Entrust and FoxIT (Adobe Pro could be used too).

I've found sometimes that Preview mangles some PDFs created in Adobe. In addition, there are many cases where FoxIT (PhantomPDF) also mangles or can't even open PDFs that are *complex in nature that were created in Adobe Pro.

To be fair, I just signed some bank documents, and it was all inside their system and it just consisted of me checking a checkbox. It was their system, so it was considered a signature, since I logged into their system first.

Once you get into power usage, such as redaction in the legal world, Adobe is the only product that doesn't have bugs. I've tried. It's a sad state of affairs, but yeah that's the world.

*And by complex, I mean 1GB pdfs with 1000s of pages that have Adobe's embedded audio/video as well as scanned handwritten notes and photos, not 1 or 2 simple pages.


Yes I've had a large number of issues around annotations in Preview. I use PDFExpert for annotations now


I think e-signatures with strong auth will make it valid. Not sure signing a doc on preview will make it legal. I mean, could anyone sign my sign using preview and get the contract done? Who ensures the signature belongs to me?


During my time I spent in the USA (I’m from Australia), I was very surprised at the way money and transactions worked. This was 2014/2015 - in Aus pretty much every consumer bank already had paywave (or whatever compatible technology) cards, which either paywave or also ask you for a PIN if the transaction is large, and here I was in the USA being asked to swipe my card and sign for things.

In small transactions (say, less than $100), no-one really cared - I would scribble my signature on a docket, no-one would double-check it with my card, everyone went on their way. Signatures were required but not respected or checked. In large transactions (I bought a MacBook, for example), the staff could not care less about my card or the signature scrawled on the back, but they would only take my money after I could produce some photo ID (a passport in my case) showing that the name on the card correlated to my face. In this case signatures were technically required but totally ignored because they’re easily forgeable. (A fact I’ve always been bemused by is that the signature is on the card - if you drop your card or something the signature is right there).

End of long story - how valid are “just signatures” legally? As someone with zero legal experience (clearly qualified to comment) I feel like other evidence showing that someone received and signed the document would be much more valid than just “the signature” by itself.


The signature pretty much only gets checked if it is contested. As much as anything, the act of signing is a demonstration of intent (and in cases of fraud, it's a demonstration of fraudulent intent...). It's not really authentication.


Any document that's just text or a scan won't have an issue. Preview (and many others!) can have some problems with complex fancy fillable forms (such as tax forms).

I've never seen an instance where it wasn't immediately obvious whether there was a problem though.


The Preview app is one of the gems of macOS and a major reason I’ve stuck with Apple computers.


I say the same about KDE's counterpart, Okular (and tons of others, Kate, klipper, kolourpaint) truly great software.


Preview can't apply proper PDF signature though - while Adobe Acrobat Reader (the free one) can. Many countries can issue a digital certificate that can be used with these documents to make them legally and properly signed.


That's interesting, haven't heard of countries using pdf digital certificates. I've heard a few countries implemented certified email: anything in a certified email is considered a legal document (including a plain pdf)


It's not "country using signed PDFs" but "country issuing a digital certificate you can use for identity in email and document signing".

Such certificate is useful for PDF signing besides other uses.


Many countries? Really? I have literally never seen anyone ever use any cryptographic signature features of PDF.


It's pretty common in DoD space to sign PDFs using CAC (Common Access Card) PKI certs.


I wish I had known that!


Another useful trick is opening Preview’s thumbnails sidebar to edit PDFs. You can command-delete to remove PDF pages, and drag-and-drop to reorder or copy pages between different PDFs.


you can also sign a piece of paper and hold it up to the webcam!


I’m almost sure you can select to sign on your iPad or iPhone too and it brings up a little drawing box on them.


FYI, you can also use this family of features to scan entire documents: https://support.apple.com/en-us/HT209037

They call it "Continuity Camera", and it is probably my single favorite little feature in the Apple ecosystem. Nothing revolutionary, but just something simple done really well - and when you need it, you really need it.


You can. I did this the other day and it’s great


I thought this was about adding a digital signature with an x509 certificate, which has been a PITA for ages because of the PDF standard, plus browsers isolation from certificate stores, let alone hardware devices.


A couple ways I have done this locally:

(Linux) Load the PDF in xournal, click on > Tools > Image. Select a jpeg holding my signature. Change the dimensions and drag the signature around as needed. Note that you then have to export to PDF rather than saving it.

(Android) Using the OneDrive app. There's a signature option in the annotate menu.


I am very happy with Xournal++ (which can also be used to add text to the pdf in order to fill a form for example).


Just wanted to add: Xournal (not ++) can also add text and add pictures (like a pic of a signature) too.

Xournal can be installed from the official Debian repository, but not Xournal++ (not yet - it's apparently being worked on).

So Xournal is very convenient for filling in basic forms on Debian and is easier to install.

Xournal++ could be installed on Debian by downloading a .deb, or using snap or flatpak. But not as convenient as installing Xournal via apt-get.

When Xournal++ makes its way into the official Debian repository, I might switch to it.

For now, I'm very happy with Xournal (the original)!


For me the title was misleading: Reading the title I thought that the article was about digitally signing documents (with your keys not your signature) :D


Yeah, I clicked expecting the same


You can also do it locally outside the browser with well-established tools like pdftk: https://stackoverflow.com/questions/20531079/adding-an-image...


The linked answer only adds an image, not a proper digital signature. But you can use https://sourceforge.net/projects/jsignpdf/


So does the article we're discussing, no?


It looks like a useful service but in case you didn't know: you can do this locally on macOS using Preview. Click on Tools->Annotate->Signature and add your own signature. You can even write it down on paper, put in front of webcam and it will recognise it and turn it to black & white. Very useful for filling out different forms.


A free account on Adobe Acrobat online can sign PDFs, you don't need to have any kind of subscription. I'm not sure why the author felt they needed to subscribe if they were just signing PDFs. https://documentcloud.adobe.com


I know there's a tendency to trust Adobe because they're a large company, but how do you know what they're doing with your data? How do you know what they'll do with it at any time in the future? Is the other party okay with giving them your data? What if they decide to sell your data in the future?

Sure, you could presumably try to get to the bottom of this, but it's easier to just use a local option.


That's a network service (I don't want Adobe reading my financial docs) and also was not around when they ripped me off in 2018.


I first read it as that too. But upon more careful reading, I understood what he meant is that since Adobe has bad subscription practices, he doesn't want to use any Adobe products, even free ones. This type of signing (image signature as opposed to cryptographic signature) is supported in free Adobe Reader software too, on all platforms, including Android.


can anyone recommend a linux desktop app that does this? I've run into the same issue as the author. I got a lifetime for the great app https://markuphero.com but they haven't added saved signatures yet - I just write with my pen. Also although I trust them reasonably it would be nice to have something local.


As said in another comment, I am very happy with Xournal++. It lets you add pictures (I drew my signature once in Photopea and saved the file) and text (useful to fill forms).


Sorry, meant to reply to you here, but did it there ( https://news.ycombinator.com/item?id=27350720 ).

In short, Xournal (original, not ++) can add pictures and text too! And it's available via official Debian repository. So it's easier to install in Debian.

Xournal++ is a rewrite of Xournal, and has more features, but I don't want to deal with downloading a .deb or using snap or flatpak. They're working on getting Xournal++ into official Debian repository though, but it's not there yet.

Xournal (original, not ++) is quite good for filling in basic forms on Debian!


It's neither free nor open source, and I really wish it were, but I can very, very strongly recommend Master PDF Editor. https://code-industry.net/masterpdfeditor/

It's a very simple but full-featured PDF editor. Makes working with PDF pleasant. I didn't think it would even be possible. Inserting an image is Ctrl+I.


The free version of Foxit PDF Reader allows you to upload a signature image and add the signature to PDF documents. There is a Linux version. https://www.foxit.com/downloads/


For especially sensitive data, the assurance in this post -- that if you don't see a network request occur on save, your data remains local -- is not sufficient.

Some malicious programs use techniques like delayed network requests to send data when you're not expecting it, and you basically have to audit the entire application to make sure it isn't making these covert requests.
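Two points in this thread fit together: the suggestion above that a locally saved copy of the page could start with a command that blocks all later network access, and the comment just above that a single glance at the network tab on save misses delayed or background requests. The shim below is an added example, not code from the notebook or from anyone in the thread. It is written from the auditor's side: pasted as the very first script of a locally saved HTML copy (or run in the devtools console before the page is touched), it records every fetch / XMLHttpRequest / sendBeacon / WebSocket call with a timestamp and a stack trace, optionally refuses them, and pins the wrappers so page code that runs later cannot restore the originals. `installEgressAudit`, `makeFakeWindow`, `runDemo` and the example.com-style URLs are assumptions made for this example; the fake window is a constructed stand-in so the code runs outside a browser.

```javascript
// Added example (not the notebook's code). Egress audit shim for a web page:
// records and optionally refuses script-level network calls, and makes the
// wrapped entry points non-writable so later page code cannot swap them back.
// It only covers these APIs; <img>, <form>, <iframe> and service-worker
// traffic are not intercepted, which is why a CSP or an offline VM (both
// mentioned in the thread) remains the stronger control.
function installEgressAudit(target, { block = true, log = [] } = {}) {
  // Replace obj[name] with a recording wrapper that cannot be reassigned.
  function wrap(obj, name, urlOf, opts = {}) {
    const original = obj[name];
    if (typeof original !== 'function') return;
    const wrapped = function (...args) {
      const entry = { api: name, url: String(urlOf(args)),
                      at: new Date().toISOString(), stack: new Error().stack };
      log.push(entry); // logged even if the call later gets through
      if (block) {
        const err = new Error(`egress blocked: ${name} -> ${entry.url}`);
        if (opts.async) return Promise.reject(err); // fetch callers expect a promise
        throw err;
      }
      return opts.construct ? new original(...args) : original.apply(this, args);
    };
    if (opts.construct) wrapped.prototype = original.prototype; // keep instanceof working
    Object.defineProperty(obj, name, { value: wrapped, writable: false, configurable: false });
  }

  wrap(target, 'fetch',
       ([input]) => (input && typeof input === 'object' && 'url' in input) ? input.url : input,
       { async: true });
  if (target.navigator) wrap(target.navigator, 'sendBeacon', ([url]) => url);
  if (target.XMLHttpRequest) wrap(target.XMLHttpRequest.prototype, 'open', ([, url]) => url);
  wrap(target, 'WebSocket', ([url]) => url, { construct: true });
  return log;
}

// Constructed stand-in for a browser window so the shim can be exercised
// outside a browser; each fake API records the calls that "reach the network".
function makeFakeWindow() {
  const reached = [];
  function FakeXHR() {}
  FakeXHR.prototype.open = function (method, url) { reached.push(url); };
  return {
    reached,
    fetch: (input) => { reached.push(String(input)); return Promise.resolve({ ok: true }); },
    navigator: { sendBeacon: (url) => { reached.push(url); return true; } },
    XMLHttpRequest: FakeXHR,
  };
}

// Drives the shim in one mode and reports what was logged and what got through.
// The URLs are constructed sample values.
function runDemo(block) {
  const win = makeFakeWindow();
  const log = installEgressAudit(win, { block });
  const attempts = [
    () => win.navigator.sendBeacon('https://analytics.example/ping'),
    () => new win.XMLHttpRequest().open('POST', 'https://collector.example/upload'),
  ];
  const outcomes = attempts.map((f) => { try { f(); return 'allowed'; } catch (e) { return e.message; } });
  // fetch fails asynchronously when blocked; a delayed or background request
  // looks exactly the same in the log as one made on save.
  win.fetch('https://collector.example/doc').catch(() => {});
  // Later page code cannot quietly put the original fetch back.
  const pinned = Object.getOwnPropertyDescriptor(win, 'fetch').writable === false;
  return { log, outcomes, reached: win.reached.length, pinned };
}

// Stand-alone run: show the audit log in blocking and audit-only mode.
for (const block of [true, false]) {
  const r = runDemo(block);
  console.log(block ? 'blocking:' : 'audit only:', r.outcomes, 'reached network:', r.reached);
  for (const e of r.log) console.log(' ', e.at, e.api, e.url);
}
```

In audit-only mode (`block: false`) the calls still go out but every one is timestamped with the stack of the code that made it, so a request fired minutes after saving the document shows up with its origin instead of being missed. Pinning the wrappers with a non-writable, non-configurable property is what makes "called before the rest of the document" stick; it does not reach traffic that never goes through these APIs.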


This title does not make sense.


I know no one takes this seriously but you never know what will happen. Maybe someday we can replace PDFs with something open and more straightforward and practical.


The claim of only using software that has source code available to audit never made sense to me.

Does he go through every single line of code on every single application he uses to ensure privacy? Does this mean he is an expert in the Linux kernel? And chromium, and sendmail...

Like I get it's great that these are open source, but it's really not realistic for someone to audit every single line of code in every software to be guaranteed that nothing nefarious happens. If a bad actor wanted to hide an RPC request, they wouldn't label it as _sendUserDataToServer(), so it would require quite a good understanding of the call stack on the functions you are looking at.

Just look at the Linux kernel, it's auditable but recently it came to light that a university had submitted nefarious code to it. Presumably that code passed code reviews, static analysis, and some sort of testing? Yet it still made it in. It's just not feasible to have 100% confidence that third party software is ensuring your privacy.


My understanding is that it doesn’t answer all the risks you call out, it’s just that it is lower than the same risks and more for proprietary, non-OSS software.

If components are OSS then I have an easier time auditing. And perhaps I audit one section, and trusted people audit other sections and we can all run a trivial verification program.

Again, it’s not perfect, it’s just better. And it at least has the conditions for perfect review, while other methods do not.


To mirror fsflover's comment:

> Does he go through every single line of code on every single application he uses to ensure privacy? Does this mean he is an expert in the Linux kernel? And chromium, and sendmail...

You're misunderstanding it. You don't need to go over every line to benefit from the source being available. It's very rare for bad actors to publish outright malicious source code and just hope no one spots it. People who want to release malware just about always insist that you cannot inspect the source code.

Of course, it's possible to release good source code and also introduce malware into the official binaries, lying about it corresponding to the published source, but that's another matter.

> It's just not feasible to have 100% confidence that third party software is ensuring your privacy.

It's rare to aim for absolute perfection and absolute guaranteed trustworthiness. Insisting on Free and Open Source software is a pretty effective means of avoiding many forms of malware.


> Of course, it's possible to release good source-code and also introduce malware into the official binaries

Which is solved by reproducible builds.


Right, or source-based distribution of packages.


> but it's really not realistic for someone to audit every single line of code in every software to be guaranteed that nothing nefarious happens.

This is missing the point. Having the source code decreases the chance of having malicious software by allowing random people to read the code. Anyone can raise alarm if they see anything suspicious and it's easy to check such claims.


>Just look at the Linux kernel, it's auditable but recently it came to light that a university had submitted nefarious code to it.

...and it came to light because it is auditable. Short of rejecting digitalisation and returning to monke, is there anything better in terms of trust and security than using open source software?


By exposing your source publicly it only requires one person to check to provide herd immunity. It's game-theoretically superior to providing source code for one-off audits on request.



