📌 Private Messages?

⚓ Dev    📅 2023-11-01    👤 mimo    👁️ 411

mimo

Warning

This post was published 120 days ago. The information described in this article may have changed.

I just found Freedit by lurking on another social site with a similar name (you could guess which one I’m referring to). I’d love to build a community based on the software, but I don’t think it’s really complete without the ability to send and receive private messages between users. Is there a roadmap or planned feature for this within Freedit?

๐Ÿท๏ธ features

freedit    2023-11-01 ๐Ÿ‘ 2 ๐Ÿ‘Ž

I had thought about doing this before. If private messages are provided, asymmetric encryption (such as RSA) should be used. However, if it is decrypted on the client side, JavaScript must be enabled; if it is decrypted on the server side, there is no guarantee that the private key will not be saved on the server side. I haven’t found a suitable method yet.

1

mimo    2023-11-01 👍 👎 [op]

I agree that encryption is desirable, but since it’s impossible to implement without JS, I think it would still be preferable to have plaintext private messages as long as the user is made aware that the content could still potentially be read by the server admin. This could be combined with a recommendation that users who want strong privacy should encrypt their messages with a local PGP application like Alice and Bob (aliceandbob.io) prior to sending them.

2

mimo    2023-11-01 👍 👎 [op]

Actually, apparently SecureDrop (which specifically advises users to disable JavaScript in the Tor browser) is working on a new (apparently Rust-based) end-to-end encryption protocol called “Redwood” for their next major release. Their current web server doesn’t use JavaScript, but I don’t know if that will continue to be true for this system (or if it will continue to use a web interface). But it would be interesting to see how they implement it. If it’s a non-JS web end-to-end encryption protocol (especially if it’s written in Rust, as it seems to be) then it could be a good basis for encrypted messaging and file sharing here, since that’s what it’s designed for in SecureDrop.

Link 1: https://securedrop.org/news/future-directions-for-securedrop/

Link 2: https://github.com/orgs/freedomofpress/projects/17/views/5?filterQuery=encrypt

3

freedit    2023-11-04 👍 👎

Thanks for your info. I think we should decrypt msg on the server side and keep freedit js-free.

4

freedit    2023-11-13 👍 1 👎

I’m developing end-to-end private messaging for freedit. It encrypts messages in the user’s browser, so JavaScript needs to be enabled.

In order to use e2e messaging (receive private messages) the user must upload a public key or generate one (also in the client with a browser).

The public key is stored in the user’s profile and is used to encrypt messages sent to the user. The only supported key-agreement algorithm is ECDH, and the only supported encryption algorithm is AES-256-GCM.

I’m not familiar with cryptography and JavaScript, and I’m struggling to implement it and I’m not sure if I’m doing it right. If you are familiar with cryptography and JavaScript, maybe you can help me.

Web Crypto API

Example

rsa-webcrypto-tool

5

freedit    2023-11-26 👍 👎

Now you can test sending e2ee (end-to-end encryption) messages.

In order to use e2ee msg, your receiver must generate a key pair and upload the public key. So if you want to receive e2ee msg, you must do the same.

There are some bugs, so you may not be able to decrypt your msg (I don’t know why). So you’d better send one msg to yourself to make sure you can decrypt your msg.

6
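The scheme described in replies 5 and 6 (ECDH key agreement, AES-256-GCM, public key stored in the profile, a self-addressed test message) can be sketched with the Web Crypto API as below. This is an added example, not part of the thread and not Freedit's code. Assumptions: curve P-256, static ECDH between the sender's and recipient's key pairs, JWK as the upload format, a random 12-byte IV carried with each message, and every function name.

```javascript
// Added example; names, curve and message layout are assumptions, not Freedit's.
// Browsers and recent Node expose globalThis.crypto; older Node needs the module.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const ECDH = { name: 'ECDH', namedCurve: 'P-256' };

// Generated in the client. The private key is non-extractable; only the
// public half (exported below) would ever be uploaded to the profile.
async function generateUserKeys() {
  return wc.subtle.generateKey(ECDH, false, ['deriveKey']);
}

async function exportPublic(keys) {
  return wc.subtle.exportKey('jwk', keys.publicKey);
}

// Both sides derive the same AES-256-GCM key: own private + peer's public.
async function sharedKey(myPrivate, theirPublicJwk) {
  const theirPublic = await wc.subtle.importKey('jwk', theirPublicJwk, ECDH, false, []);
  return wc.subtle.deriveKey({ name: 'ECDH', public: theirPublic }, myPrivate,
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function encryptMessage(senderPrivate, recipientPublicJwk, text) {
  const key = await sharedKey(senderPrivate, recipientPublicJwk);
  // A fresh IV per message: reusing one under the same key breaks GCM.
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key,
    new TextEncoder().encode(text));
  return { iv, ciphertext: new Uint8Array(ct) };
}

// Returns the plaintext, or null when the GCM tag does not verify
// (wrong key pair, wrong IV, or modified ciphertext).
async function decryptMessage(recipientPrivate, senderPublicJwk, msg) {
  const key = await sharedKey(recipientPrivate, senderPublicJwk);
  try {
    const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: msg.iv }, key, msg.ciphertext);
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```

With this layout a self-addressed message works because ECDH over one's own private and public key still yields a usable shared secret; decryption returns null whenever the IV, the ciphertext, or either key differs from what was used to encrypt.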