@EnjuAihara Doesn't work. Idea is you can't be held responsible or legally compelled for anything if it's all encrypted and you comply when asked. If the entire drive is encrypted then you have the keys to unlock it. It's as useless as it gets. But if each request includes a private key you can then not log you can't be held responsible

@applejack wheres the profit if i cant look at the files

@EnjuAihara The profit is it's much harder to shut you down but you can still get the private keys when someone reports. Plus actual profits from selling/ads

@EnjuAihara @applejack applejack is right tho, if you want zero knowledge, you have to have the clients encrypt their files before uploading them

@KayFaraday @applejack but the point of it is that you have knowledge

@EnjuAihara @applejack i don't understand your idea then

@KayFaraday @EnjuAihara That can't be done unless you expect people to enable JS, but you can encrypt it server side and not store any knowledge of it

@applejack @EnjuAihara but if you encrypt it server side, you can decrypt it server side, right?

@KayFaraday @EnjuAihara Theoretically, yes, if you store the private key. The idea is you don't do that for your own benefit instead of the client trusting you with secrets

@applejack @KayFaraday just save the files to /dev/null for extra security

@applejack @KayFaraday yeah js with tor is baka

@EnjuAihara @applejack disagree; sometimes it's necessary

@EnjuAihara @applejack would you rather that they be forced to download some local client instead? i mean sure, that's more secure than the web, but way less convenient

@KayFaraday @EnjuAihara Honestly, yes. People are expected to run python scripts to solve captchas for some sites even on the clearnet. Proof of work token shit. You could make a python script in just a couple dozen lines that even tech-illiterates can read over and understand is safe that just hashes a key, downloads a url, and decrypts it with a key and saves it to disk

@KayFaraday @EnjuAihara @applejack
>convenient
>Tor

@miria @EnjuAihara @applejack relatively speaking, anyway, it's more convenient than downloading some software and configuring it to use the Tor socks proxy or whatever

@KayFaraday @EnjuAihara @applejack Better idea: don't use JavaScript, because every single time someone has been caught using Tor it has been due to JavaScript

@miria @EnjuAihara @applejack also by compromising the server over clearnet SSH

@miria @EnjuAihara @applejack and by doxing the owners

subpoenaing coffee shop wifi

it's not just JS compromises

@KayFaraday @EnjuAihara @applejack None of that can deanonymize the user except the coffee shop Wi-Fi which is an OPSEC problem and not related to Tor. JavaScript, on the other hand, can, and has.

@miria @EnjuAihara @applejack oh I see, I was referring to the owners

@KayFaraday @EnjuAihara @applejack There's almost no point in using tor at that point

@Chizu @applejack @EnjuAihara lol what

JS on an onion does not mean that the client suddenly can't verify the code, that the site operators can't publish the source code, or that the code is automatically doing anything nefarious

if you want a simple zero-knowledge pastebin in onion-space, you have no choice but to use JS

@KayFaraday @applejack @EnjuAihara For a targeted site, compromised JS renders tor quite useless

@Chizu @applejack @EnjuAihara a compromised site is… compromised, regardless of JS being sent to the client. Think about it, if they can control what JS the server sends, they can most likely control what the server does, as well.

@Chizu @applejack @EnjuAihara I also have no idea what you mean by it being rendered useless. Tor has a lot of JS fingerprinting resistance, and JS doesn't make it *easy* to deanon someone, just easier. if you don't want js just turn it off but don't spread fud that will turn people off from using Tor altogether just because they need JS. It's still way better than the alternative.

@KayFaraday @applejack @EnjuAihara But if you are using tor without JS enabled, you would have to download something from the server for you get compromised yourself. But it isn't (as far as I know) possible for other languages that sites serve to compromise or profile the client like JS does.

I am pretty sure I saw somewhere that the feds have used this JS attack on a number of cp tor sites.

@Chizu @applejack @EnjuAihara link to that please?

@Chizu @KayFaraday @applejack this? https://youtu.be/VWY6J3sHKKQ?t=356

@KayFaraday @Chizu @EnjuAihara That's not really the point. Without JS the only method they have of getting info is a few http headers and an obfuscated ip

@applejack @Chizu @EnjuAihara yeah and what will they get with JS that is actually useful without running a fingerprint database or some such?

@KayFaraday @Chizu @applejack then just use pgp or something

@EnjuAihara @Chizu @KayFaraday Well, that defeats the point of it. People already just encrypt zip files and put it on the clearnet