The Alpha Version's Minimal Functionality
Here I give the high level overview of the principal functionality we are targeting for the Alpha version of Privly. We can pack more functionality into this release, but these are the minimal requirements for the Alpha version. The development philosophy for the Alpha version is "Basic Security and Usability." We already have the means for injecting content into websites, but we need to add more controls and protect content at the storage location. This means we are going to implement one encrypted sharing method, and the ability to easily select Privly operation modes from the user interface.
- Privly-type links - Links that return content for injection into the page. These are placed on the host page.
- Host page - The place you submit Privly-type links to, such as a social network.
- The extension - The software we add to your browser.
- Ciphertext - Encrypted text.
The First Encrypted Sharing Method: Link-Passwords Only
The first encrypted sharing method we are going to implement will place a password on the link. The processes for posting and viewing content will be as follows:
Posting Content with the Extension
- Before submitting content to the web server, the extension encrypts the content with a newly generated random password
- The extension sends the ciphertext to the remote server and receives back a link to the ciphertext
- The extension adds the password to the link and submits it to the host page
Posting Content without the Extension
- The user submits content to the content server's web application
- The server encrypts the content with a random password and gives the end user the link with the password appended. The server does not log the random password.
- The user pastes the link with the password to any website
Reading Content with an Extension
- The browser extension discovers a Privly-type link on a host page visited by the user
- The extension requests the ciphertext from the remote server without sending the password found on the link
- The extension decrypts the ciphertext locally with the Link-Password
Reading Content without an Extension
- The user clicks the Privly-type link
- The password on the link is sent to the content server (it does not log the password)
- The content server decrypts the content with the password (it does not log the decrypted content)
- The user views the decrypted content on the content server's web application
The Advantages of Link-Passwords Only
- Users don't need to have an extension to view content, but we can prompt them to install the extension every time they click on Privly-type content. Without this sharing model as the starting point, it will be difficult to get users to adopt the extension. This is the first step of our roll-out strategy.
- The data is protected from the host page by the storage server's terms of service and by optional sharing rules placed on the content
- Compromising the data requires compromising both the host page and the content server
- Extensions that don't support the cryptography library yet can use the decryption facilities of the remote server
The Disadvantages of Link-Passwords Only
- The remote server has access to the password if the link is read without the extension
- If someone compromises the security of the host page and the content server, they have access to the decrypted content
User Interface: Active/Passive/Disabled
The challenge of interfacing with all websites is preventing the extension from mangling the layout of host pages. We can build out a lot of functionality in this area, but the first step is to give users easy control over when the extension runs. To this end, all extensions must support at least three modes of operation:
- Active Mode - The extension replaces all properly formatted Privly links with the referenced content as soon as it detects the links.
- Passive Mode - The extension replaces properly formatted Privly links with the referenced content only when the user clicks the link.
- Disabled - Privly does not run on the host page.
Different browsers support different user interfaces, but the general guideline for designing the mode-selection interface is to provide an icon that toggles between active and passive modes.
This post was intended to give a high level overview of the immediate development effort. If you want to contribute another aspect, or have questions, feel free to develop it and submit a pull request, or ping smcgregor on the #privly room of irc.freenode.net.