I suspect these were seldom used, but they were occasionally used by people to communicate sensitive information to members of our team. We will publish guidance on securely contacting us via alternative methods later this week. You can contact us securely via Signal if you need to share something sensitive with the team.
You now have the option to permanently decrypt your DMs with a new button in each message, as well as an option to bulk decrypt all of your messages in your profile.
If you decrypt your DMs, they will be stored in plaintext in our database like any other forum information (although I will note our database and all of our systems use full-disk encryption on the hardware level).
If you do not decrypt your DMs by the end of February, they will be permanently lost when we disable and remove the plugin.
I suppose one could update their PG profile with their Matrix identity, and securely chat individually, with e2ee enabled (given PG already has an established space on Matrix).
Hmm, I think I can see one reason why they’re deprecating it.
There’s no context-binding (see also: confused deputy attacks) or mechanism to prevent a nonce reuse (which, given 96-bit IVs and reused AES-GCM keys, is a realistic risk). Fortunately, each topic has a distinct key, so you would need to post 2^32 replies to actually breach the safety limit.
They avoid a lot of the footguns with crypto.subtle (e.g., not specifying authentication tag length, which allows attackers to truncate the tag to 32 bits and brute force a value for a mutated ciphertext). At a glance, their key management also puts a little too much trust in the platform to provide the correct public key.
Not the worst JavaScript cryptography I’ve ever seen, but still complex enough to require a lot of cognitive load if a change is necessary.