Encrypted blog entries
Tue Oct 3 21:48:44 EST 2006
Most social networking sites have a mechanism whereby only the friends of a person can see their blog entries. The standard way to do this is to have a back end database that keeps track of the users logged in to the system and allows them access to the entries only if they are in the list of friends of a given user. This is a server side approach that has a couple of disadvantages:
- increased server load to keep track of the state of the system
- lack of security against eavesdroppers as it can be seen when access to a restricted page is attempted
The second point deserves further discussion. Consider a high traffic website that contains some entries that are restricted to those people meeting a certain criteria eg a news site that restricts access to full articles to subscribers, a blog with personal entries restricted to close friends, www.al-queda.ter restricting details of plans to the true believers, etc. In the server side approach the restricted entries are reached through links that check if the user is allowed access to the entry. Traffic analysis can tell who these users are (although onion routing aleviates this to some extent).
Here is the idea: encrypt the entry and ascii armour it (base64
encode or escape non-printable characters for example).
Include an implementation of the decryption
algorithm in the javascript of the page, and a field next to each
entry to allow of password entry (or detect cookie? Setting cookie
initially could reveal identity). Entry of the password decrypts the
entry on the client side, no suspicious traffic to the server.
Passwords are distributed offline or through trusted discreet
channels.
To do: Implement in javascript
- binary encoding/decoding function eg base64 (but something that encodes alphanumerics to alphanumerics is better - maybe just escape non-printable characters). The idea here is that an encoded entry can still be displayed on the webpage.
- rc4, DES, whatever
- function to read in password and decrypt the entry based on that password. Print the result with the binary encoding function so that an unsuccessful decryption is still printable.
[permlink]