search

scidsg / hushline

Hush Line connects whistleblowers with organizations and people who can help.
https://hushline.app
GNU Affero General Public License v3.0
77 stars 21 forks source link

Encrypting the PGP public key is unnecessary #582

Open brassy-endomorph opened 2 months ago

brassy-endomorph commented 2 months ago

Is your feature request related to a problem? Please describe.

PGP public keys do not need to be encrypted.

https://github.com/scidsg/hushline/blob/53c65eee7bf80365b6889fcb51cda268c68acd0e/hushline/model.py#L127-L136

Describe the solution you'd like

Store the field as plaintext

rmlibre commented 1 month ago

Let's not waste energy on this, which is the wrong direction. Conversely, there's no reason why everything shouldn't be encrypted. In fact, doing so has negligible cost & is easily a privacy feature. Whereas pushing for decrypting PII metadata is more of a YOLO feature.

Related to (#289, #411)

brassy-endomorph commented 3 weeks ago

Noting that this key is exposed to the frontend and anyone can scrape users in the directory and that any users who posts a link to their profile has similarly exposed this info. I don't think encrypting it buys us anything in terms of privacy.