Upfront, I'll say that I'm not a particularly good crypto person.
For my honours project I developed a scheme for tracking users as they visited websites, with a design goal that I, with the tracking servers, can identify users -- but that publishers cannot. Or at least, they can't by intercepting anything sent as part of the tracking protocol.
I relied in part on JavaScript running in a browser. That doesn't work. It seems that so far the Crypton team are going to spend about 50% of their time explaining yes-it's-javascript-no-it's-not-all-in-the-browser.
Anyhow, any time you have code running in the browser, it's unsafe against a malicious publisher. Your first instinct is "I'll serve my js files over HTTPS", which is lovely, except that in the browser execution everything can be found, introspected and replaced by JavaScript sent by the publisher.
This particular problem totally breaks the design I came up with. I didn't realise it at the time. Luckily there's no requirement to submit a secure protocol to get good marks, so I got a degree anyhow.
Subsequently I rewrote the tracking protocol multiple times, each time sending it for review by A Well Known Crypto Expert You've Heard Of. Each time he would pick holes in it. This went on for about 3 months. After this long process I managed to arrive back at a protocol that meets my original goals: track users without revealing to publishers who they are (unless the user wants their identity to be revealed). It's currently sitting in Geneva somewhere, waiting for a patent examiner to take a look.
Edit: Wait, that sounds kinda threatening out of context. It's not meant to be. Crypton has a very different use case in mind from me.
I get the feeling this is more of an example client written in js. Look more to the server and its API rather than how client implementations are served.
I've spelunked the code a bit, but I am having trouble determining what is running where (JS is not really my bag). Even the stuff in the client/src subdirectory has server-like parts.
There are different ways of applying for international patents.
The one I chose is called "the PCT process". It costs more upfront, but it gives you more flexibility with timing. Under the PCT process you can opt to file directly with WIPO in Geneva.
I was lucky to find a lawyer with a computer science background who has an interest in startup entrepreneurship.