Question to My E-mail [email protected]
I noticed your project thin-hook and it looks super interesting. I've been doing a lot of stuff with service workers and security for the product I'm building. But I couldn't find a nice overview of what problem thin-hook is trying to solve. Is there more information or a high-level overview of the goals?
My Answer
Thank you for finding my thin-hook project interesting. My shortest and honest answer to your question is "unlimited". The question sounds to me like this: "What do you see with your microscope?" The thin-hook project provides web applications with a framework of microscopic analysis and manipulation at runtime via service workers.
To be more concrete, granular MAC with ABAC (Attribute-Based Access Control) is one of the possible and critical applications. As software integrity, or intactness of code and data, is one of the prerequisites for reliable access control mechanisms, thin-hook also provides plug-ins for (hopefully) blocking all cracking via MITM or similar methods. The logical relations between access control and software integrity in thin-hook are theorized in "Why access policies are useful even after integrity is achieved" #321. You may come to think of Gödel's theorems of incompleteness after reading the logic.
The thin-hook logo https://raw.githubusercontent.com/wiki/t2ym/thin-hook/thin-hook-logo.svg says "THIN HOOK PREPROCESSOR for code that works as expected". This implies that without a framework like thin-hook, web applications can be threatened easily by severe cracking that distracts them from expected behaviors originally set by their developers and service owners. As you may know as an expert in IT security, it is cryptographically impossible to reliably convey even a single bit via unreliable networks like the Internet without a pre-shared root of trust (trusted CA or password), while quantum cryptography may be an exception. So web applications must overcome such inherent and architectural vulnerabilities at every point of data transfer and processing in conveying themselves over networks. You can find a summary of my observations in the 3rd item "Covering the vulnerabilities of HTML5/JavaScript/HTTPS/TLS technologies" of "Design Principles" in "Optional double encryption for integrity" #310. My solution to the observed architectural vulnerabilities is described in "IMPORTANT NOTES" at the beginning of https://github.com/t2ym/thin-hook/blob/master/plugins/integrity-js/integrity.js
To be more abstract, software easily betrays human expectations by cracking, functional issues, or vulnerabilities. One of the thin-hook goals is to achieve high quality web applications with (hopefully) invincible robustness and reliability. In other words, thin-hook aims to achieve "sincerity (or integrity including its ethical meaning)" in web applications since such betrayals of human expectations can be seen as "insincere" from the viewpoints of their users and service owners. Such "sincerity" should be achieved even when users become malicious or curious attackers.
The thin-hook project should have more advanced or minor areas of applications, which are currently neither focused on nor explored (yet) by me. Others may be exploring different applications in a stealth manner.
I welcome more questions and/or suggestions while I prefer open discussions on GitHub issues if you are OK. I understand the reason you have selected direct mailing to me, but can I paste this mail thread on a GitHub issue? As I know the project overview is missing in the project documentation on GitHub, I anticipated such questions as yours, whose answers deserve open discussions. It is a paradox that applications of security mechanisms are often kept secret but discussions on their technologies should be open in order to achieve high quality through open reviews. I have an option of transforming this mail thread to a general GitHub article without any personal information.
Feedback to My Answer
Thanks for the write-up. I didn't want to ask directly on GitHub in case you perceived it as rude. But I am grateful for your detailed response. Feel free to share this email on GitHub with my personal information removed.