To be honest the priority of this topic is not so much to be listed on PG but to get your insights on Redakt
As you all know, any public posts, comments, messages we publish on the Internet gets scrapped, classified, analysed, indexed by bots, AIs for legitimate or malicious reasons.
I strongly believe that there are use cases when we might need our content to be hosted on big platforms (such as Twitter, Reddit, LinkedIn, etc.) but not readable to all, specifically bots and AIs.
That is why I created Redakt, a free & open-source zero-click decryption tool, to decrypt automatically from your browser all texts encrypted with Redaktâs public key.
I immediately have some questions, but I guess the main one is: whatâs stopping these scrapers from decrypting Redakt messages, given that all messages are encrypted by the same key?
I also worry that people would read âencryptionâ and assume it is safe to use to hide private messages from other parties or their messaging provider, when that doesnât appear to be the case. It might be worse than not using Redakt at all in such a scenario, because I think the way your extension works is SaaS-based, where the message is sent to your API for encryption? With how this currently works I wonder if âobfuscationâ would be more appropriate.
No! The encryption/decryption is entirely done locally by your machine. The extension does not communicate with anything. You can verify this by checking the source code of the extension and also by checking your network inspector while using Redakt.
Technically it is encryption as I use AES encryption via the CryptoJS library. But you are right it is poor and symmetric encryption that can not be used for security purposes. That is why I called the extension âRedaktâ and not âDecryptâ or âProtektâ. What you suggest is to completely remove words related to âencryptionâ as they carry a strong security feeling? Thatâs a great point, âobfuscateâ or âredactâ works. Anything else to improve wording?
I assume that most scrappers wont as the scrapping job is often carried by bots that scraps billions of data points âin clearâ.
The v.1 aims to get rid of the most common bots, but I entend to add more encryption options (symmetrical and asymmetrical) so users can choose the level of privacy (security?) they want.
I thought about something like that:
v.2: Encryption using a custom key that can be shared (AES)
v.3: Encryption using key pairs (PGP)
All of this while make it as easy as possible for users to encrypt/decrypt their content.
Because I use these myself. Iâll create a Mastodon account as Iâd like to share Redakt as well there. Any instance to recommend? Fosstodon seems like the right choice.
Redakt is a new project, I created a specific account in order to gather all repositories on the same account.
To be honest, it is actually the first time I communicate consistently with a single account/identity (ie. Alex Touzovitch & Redakt).
Got it, I was just assuming the browser extension merely communicated with redakt-api, I didnât look at the extension code itself. That is better, but then it has the separate issue that you are distributing the private key with the browser extension, right? (Well, thereâs no âpublicâ or âprivateâ key at all presumably, thereâs just the one key used for symmetric encryption/decryption)
As you noted that wouldnât be a security issue within your targeted threat model, since the intent is just to obfuscate publicly posted information, but it does mean that scrapers can easily decrypt any content they come across without limits. I had thought the API might be used by the browser extension in order to rate-limit scrapers or something. At least the risk of you being malicious is negated in the context of private messaging
I think that security through obscurity is fine at this scale, but I wonder what your goals are, because surely once enough people use this extension then scrapers will take it seriously, so it sort of only delays the inevitable.
Absolutely, this key is actually not well hidden. You can find it with very little digging. As you said, itâs not strictly a security tool.
Exactly. Redakt aims to add a bit more privacy in the context of public messaging. Private messaging seems pretty much covered with E2E encrypted tools.
I think itâs a race. In the current state of public messaging, I think Redakt gets the job done. Then we can add more features to avoid detection and increase the complexity of Redakt encrypted content.
The idea is to reverse the âprivacy gameâ when it comes to public content.
Instead of many users changing their online behaviour to face few privacy-threatening actors ===> Few privacy-threatening actors make more effort to gather more and more users generated content that keeps to be more and more heterogeneous and complex (with the next Redakt versions).
The idea is to prevent all âbad-actorsâ to scale their comprehension of the content they own (or stole).
