Hey everyone, thank you @jonah for letting me in @developers
To be honest the priority of this topic is not so much to be listed on PG but to get your insights on Redakt
As you all know, any public posts, comments, messages we publish on the Internet gets scrapped, classified, analysed, indexed by bots, AIs for legitimate or malicious reasons.
I strongly believe that there are use cases when we might need our content to be hosted on big platforms (such as Twitter, Reddit, LinkedIn, etc.) but not readable to all, specifically bots and AIs.
That is why I created Redakt, a free & open-source zero-click decryption tool, to decrypt automatically from your browser all texts encrypted with Redakt’s public key.
If you want to play around:
- Install the Browser extension (Chrome/Brave)
- Try decrypting this Tweet or this Medium Article.
Let me know what you think
PS: Here’s the open source repo
I immediately have some questions, but I guess the main one is: what’s stopping these scrapers from decrypting Redakt messages, given that all messages are encrypted by the same key?
I also worry that people would read “encryption” and assume it is safe to use to hide private messages from other parties or their messaging provider, when that doesn’t appear to be the case. It might be worse than not using Redakt at all in such a scenario, because I think the way your extension works is SaaS-based, where the message is sent to your API for encryption? With how this currently works I wonder if “obfuscation” would be more appropriate.
Why you use Twitter/Reddit/LinkedIn instead of Mastadon/Lemmy?
Why you joined GItHub 30 days ago?
No! The encryption/decryption is entirely done locally by your machine. The extension does not communicate with anything. You can verify this by checking the source code of the extension and also by checking your network inspector while using Redakt.
Technically it is encryption as I use AES encryption via the CryptoJS library. But you are right it is poor and symmetric encryption that can not be used for security purposes. That is why I called the extension “Redakt” and not “Decrypt” or “Protekt”. What you suggest is to completely remove words related to “encryption” as they carry a strong security feeling? That’s a great point, “obfuscate” or “redact” works. Anything else to improve wording?
I assume that most scrappers wont as the scrapping job is often carried by bots that scraps billions of data points “in clear”.
The v.1 aims to get rid of the most common bots, but I entend to add more encryption options (symmetrical and asymmetrical) so users can choose the level of privacy (security?) they want.
I thought about something like that:
- v.2: Encryption using a custom key that can be shared (AES)
- v.3: Encryption using key pairs (PGP)
All of this while make it as easy as possible for users to encrypt/decrypt their content.
Thank you @jonah for your comments
Because I use these myself. I’ll create a Mastodon account as I’d like to share Redakt as well there. Any instance to recommend? Fosstodon seems like the right choice.
Redakt is a new project, I created a specific account in order to gather all repositories on the same account.
To be honest, it is actually the first time I communicate consistently with a single account/identity (ie. Alex Touzovitch & Redakt).
Got it, I was just assuming the browser extension merely communicated with redakt-api, I didn’t look at the extension code itself. That is better, but then it has the separate issue that you are distributing the private key with the browser extension, right? (Well, there’s no “public” or “private” key at all presumably, there’s just the one key used for symmetric encryption/decryption)
As you noted that wouldn’t be a security issue within your targeted threat model, since the intent is just to obfuscate publicly posted information, but it does mean that scrapers can easily decrypt any content they come across without limits. I had thought the API might be used by the browser extension in order to rate-limit scrapers or something. At least the risk of you being malicious is negated in the context of private messaging
I think that security through obscurity is fine at this scale, but I wonder what your goals are, because surely once enough people use this extension then scrapers will take it seriously, so it sort of only delays the inevitable.
Absolutely, this key is actually not well hidden. You can find it with very little digging. As you said, it’s not strictly a security tool.
Exactly. Redakt aims to add a bit more privacy in the context of public messaging. Private messaging seems pretty much covered with E2E encrypted tools.
I think it’s a race. In the current state of public messaging, I think Redakt gets the job done. Then we can add more features to avoid detection and increase the complexity of Redakt encrypted content.
The idea is to reverse the “privacy game” when it comes to public content.
Instead of many users changing their online behaviour to face few privacy-threatening actors ===> Few privacy-threatening actors make more effort to gather more and more users generated content that keeps to be more and more heterogeneous and complex (with the next Redakt versions).
The idea is to prevent all “bad-actors” to scale their comprehension of the content they own (or stole).