OpenXrypt is a Chrome extension that provides secure and encrypted communication on social media platforms, particularly for direct messages (DMs) on X (formerly known as Twitter). It uses the OpenPGP encryption standard to help protect the privacy of your communications and ensure the confidentiality of sensitive information.
Key Features
  • End-to-End Encryption: Encrypts messages using OpenPGP to ensure only the sender and recipient can access the content.
  • Automatic Encryption and Decryption: OpenXrypt seamlessly integrates with X (formerly Twitter) direct messaging, automatically encrypting and decrypting messages using OpenPGP standards, ensuring that sensitive information remains protected during transmission and storage.
  • Passphrase Management: Users can securely set, reset, and manage their passphrases, enabling them to maintain control over their encryption keys and ensure the confidentiality of their communications.
  • Key Management: OpenXrypt provides a user-friendly interface for adding, editing, and deleting GPG public and private keys, allowing users to manage their encryption keys and those of their contacts with ease.
OpenPGP is a legacy ass protocol. It lacks forward secrecy.
We need something newer and better. (Signal, for example).
The idea of an overlay encoding for social media is good, but we can do much better than OpenPGP!
reply
Thank you for the feedback!
I believe GPG is legacy, but far from obsolete. There are definitely new protocols and developments, but this extension does not intend to be a full messenger.
As you said, it is an overlay encoding for social media. The tool was designed to not make online transactions like negotiating keys. It is designed to be simple, light and do everything locally.
I am willing to implement other functionalities and evolve the tool, but as a first version, I think it is safe enough to solve the problem of exchanging private messages on Twitter (and other social media soon).
reply
The problem is that openpgp has a massive footprint and supports many legacy key formats. It is from a time of “cryptoagility”, which is an anti-goal today. You don’t want to be using RSA keys in 2024.
have a look at saltpack
reply
I recommend using ECC 25519 in README because of RSA's massive and slow keys. It is secure, fast, and widely used today.
GPG is not 'anti-goal'. It is about security and anti-surveillance.
reply
You misunderstand me — “cryptoagility” is an anti-goal today. OpenPGP was designed for “cryptoagility”, so it runs against modern cryptographic engineering principles. This is yet another reason why OpenPGP is bad.
I agree curve25519/ed25519 is what you want to use, that’s why I recommended a modern cryptography library like NaCl and Saltpack for encoding. Not OpenPGP.
It’s not enough to not recommend RSA; a good cryptosystem doesn’t support bad algorithms. Really you shouldn’t recommend anything, because users have no clue. You simply abstract sensible params for the user.
reply
Then maybe you should do it?
reply
No can do, contractual obligations, sorry
reply
It seems this relies on sender and receiver to both have the chrome plug-in installed?
reply
Yes, and both should exchange their public keys between them. This is because the plugin manages to encrypt the messages and decrypt the messages they identify.
Since there is no connection to APIs or the backend, imagine Twitter as the backend infrastructure for the messaging and the plugin as a layer over Twitter that handles the e2ee encryption.
reply
That's what I thought. The extra step of exchanging public keys can be challenging, and is inconvenient, just like with pgp. But nevertheless, it's a good thing to have for those few who really need it.
reply
Unfortunately yes. PGP has issues with usability, but it is safe.
The idea was to create something fast, reliable, simple, easy to verify, and trustworthy. This is the first version, and a lot can change.
For our community, I think it is better to release something safe and discuss what to change in usability than the opposite.
With the core working properly, the goal is to develop UX even if it means changing algos, etc. :)
reply