I think I’ve accidentally created a fully encrypted social media app

We’re having a nice long weekend in the UK and I was trying to figure out how I was going to spend it. I started on a small game but motivation faltered. That’s when the thought popped into my head, “Boy, I really would like a comment section on my blog”. I then proceeded to stare at my screen for the next few hours. You see, the problem is that my blog is stupid simple. It literally just pulls Google Docs and exports them as HTML pages. Adding a server just for my comments felt kind of painful.

That’s when the thought popped into my head. Wouldn’t it be cool if I had some sort of browser extension that added a comment section to the web pages I visited? So that’s what I decided I would do. Add comments to my blog in the most overly complicated way possible. Because “simplicity”.

But here’s the thing, I don’t really think anyone wants to install a browser extension that records all your browsing history. And that’s when the thought hit me. Would it be possible to store some kind of encryption key so that the server I inevitably connect this to doesn’t actually know what you’re doing?

To cut to the chase, yes, I think I’ve done it, and you can find it here. The code quality is a bit messy and I’ll definitely need to do a refactor next weekend. If you want to install it, just install the Chrome extension as a developer.

The really interesting bit is that as I delved deeper into security land, I seem to have accidentally created a social media app. So how do I use it? The flow is simple. When I install the extension, I get this little button that opens a sidebar on any website I visit.

If I go to my followers tab, I can download an identity file that is unique to me. If I want someone to follow me, I send them my identity file. Anyone can become my follower by using this file. When I then go to websites and comment, the comment is sent to all of my subscribers. It sort of turns the usual social media relationship on its head. I’m not going to Facebook to find links from friends. I’m going to the links to find my friends.

So how does it actually work? Quite simply, actually. When you install the extension, you create an asymmetric key pair and a hash (a secret value generated locally, which never leaves your machine). You then send a subscription to the server with your public key and it sends back a unique id. Now let’s say someone wants to subscribe to you. You generate an identity file (that’s what I’ve created to prove the concept, but you could also imagine something more fun like a QR code). You send your identity file to the person who wants to follow you (outside of this app). That identity file stores your id and your hash.

They can now subscribe to you by sending a subscription event to the server. You have to agree that you want them to follow you before they become a follower.

When you comment, you create a fresh encryption key to encrypt your comment, and send that key to each of your followers encrypted under their public keys. You also compute a keyed hash of the final result using your hash, to prove it was from you - remember that hash was only generated locally, so the server never had it. The reason I took this approach is because it means you can publicly make your identity file available and anyone who wants to follow you can.

The nifty bit is that you could install the Chrome extension locally and not have to trust the server with your comments! Okay, that’s not the whole story of course. If the server finds out your hash, they can cheat the system, and since the identity file carries that hash, everyone you hand it to holds it as well. Still, it’s a fun little project.

As a show of good faith, you can find my Bubble Identity here. So why don’t you follow me?