Aizistral-Studios / No-Chat-Reports

Disable Player Chat Reporting and make user messages untrackable.
https://modrinth.com/mod/no-chat-reports
Do What The F*ck You Want To Public License
946 stars 79 forks

Plausible deniability #462

Open SoniEx2 opened 6 months ago

SoniEx2 commented 6 months ago

Idea

Publish the expired signing keys.

Reasoning

https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/

but TL;DR: publishing expired/rotated keys provides what's known as "plausible deniability". in the context of Minecraft players, who are generally not politicians btw but who are surprisingly often targeted with spite/revenge, this would provide a stronger level of privacy than that currently offered by Mojang.

Other Information

No response

Madis0 commented 5 months ago

Plausible deniability from or for who? This sounds like something one would argue against in courts, not when someone got banned and is just contacting Microsoft support (who probably doesn't care or understand this concept).

Additionally, a third party publishing the keys of a first party may cause legal issues, even if players deliberately opt-in.

SoniEx2 commented 5 months ago

it's about revengeful pieces of shit saving signed logs from ppl they hate so they can publish them at a later date to try and ruin these ppl's lives.

this is, in fact, extremely common. especially with kids on the internet. "oh that kid was slightly too annoying let's save logs and dump them in 20 years to drive them into suicide or whatever." Mojang has provided no safeguards against this, so we should provide them ourselves.

Madis0 commented 5 months ago

Signed logs... so the threat model is malicious server owners/admins, rather than players in them?

Okay, but that raises several questions:

I'd say if this is implemented at all, it could be opt-in and strictly client-sided, so that players who even visit suspicious servers (where the threat model is not the players in it) could achieve the goals on their own.

SoniEx2 commented 5 months ago

since other players receive the signed messages (so they can verify them locally) it's not just malicious servers.

having them signed makes it easier to convince others to believe you. you can have harassment without signatures but signatures make it more convincing.

(ofc, unless you create the ability for anyone to forge their own historical logs.)
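
The deniability argument made in this thread, as an added example (not code from the mod, from Mojang, or from any commenter): a saved signed line proves authorship only while the private key is secret, and stops proving it once the expired key is published. Ed25519 stands in for the game's actual signature scheme, and the `SignedLine` type, the hex publication format and all function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedLine is a hypothetical archived chat line: the text plus its signature.
type SignedLine struct {
	Text string
	Sig  []byte
}

// Verify is the check anyone holding a saved log runs against the public key.
func Verify(pub ed25519.PublicKey, l SignedLine) bool {
	return ed25519.Verify(pub, []byte(l.Text), l.Sig)
}

// PublishExpired models the proposal: the expired private key is released.
func PublishExpired(priv ed25519.PrivateKey) string {
	return hex.EncodeToString(priv)
}

// SignWithPublished is what every reader of the published key can now do.
func SignWithPublished(published, text string) (SignedLine, error) {
	raw, err := hex.DecodeString(published)
	if err != nil || len(raw) != ed25519.PrivateKeySize {
		return SignedLine{}, errors.New("not a valid published key")
	}
	sig := ed25519.Sign(ed25519.PrivateKey(raw), []byte(text))
	return SignedLine{Text: text, Sig: sig}, nil
}

// Demo uses constructed chat lines and returns three verification results.
func Demo() (genuine, tampered, thirdParty bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	saved := SignedLine{Text: "gg", Sig: ed25519.Sign(priv, []byte("gg"))}
	edited := SignedLine{Text: "not gg", Sig: saved.Sig} // text changed, old signature
	other, _ := SignWithPublished(PublishExpired(priv), "never said this")
	return Verify(pub, saved), Verify(pub, edited), Verify(pub, other)
}

func main() {
	g, t, o := Demo()
	fmt.Printf("genuine=%v tampered=%v third-party-after-publication=%v\n", g, t, o)
}
```

After publication, the third result is indistinguishable from the first to any verifier, so a valid signature on an old log no longer shows who wrote the line.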