
Show HN: Exploiting Slack's video embeds to achieve E2EE communication

Why This Matters

This article highlights a novel approach to achieving end-to-end encryption (E2EE) within Slack by exploiting its video embed feature. This innovation is significant for the tech industry and consumers as it demonstrates a potential method to enhance privacy and security in widely used communication platforms without requiring fundamental changes to their infrastructure.


Spanish version here; gh:v1ctorio/e2ee-slack

Introduction

Some time ago, while exploring Slack’s Block Kit reference, I noticed something peculiar: the video block. When I saw that it accepted a video_url, the first thing I thought was: how does it distinguish between any content and an actual video? Would there be any particular requirement or limitation in the embed? Foreign sources?

Yeah, no. There is no runtime check, other than checking the provided video_url is accessible and responds with a 2xx or 3xx code. After those checks, it’s nothing more than a simple iframe.

So, a few days ago I got an idea. What if there was an app that allowed you to encrypt messages with a key pair and send them through Slack?

The idea is simple. Inside your client, using the browser crypto APIs, you create a key pair, encrypt the private key and send it to the server. Then, any time you want to do an operation (sign, encrypt, decrypt), the server will send you back your key and, inside a video block, you will decrypt your key and do the operation.

This way, the server never gets the decrypted key, but via the key pairs you can encrypt messages for anyone.

Showcase of the registration process for e2ee Slack

Implementation

For this app’s development I chose TypeScript. For no other reason than that I’m used to it and I’m able to iterate fast with it.
