
@EnjuAihara Doesn't work. Idea is you can't be held responsible or legally compelled for anything if it's all encrypted and you comply when asked. If the entire drive is encrypted then you have the keys to unlock it. It's as useless as it gets. But if each request includes a private key you can then not log, you can't be held responsible.


@EnjuAihara The profit is it's much harder to shut you down but you can still get the private keys when someone reports. Plus actual profits from selling/ads

@EnjuAihara @applejack applejack is right tho, if you want zero knowledge, you have to have the clients encrypt their files before uploading them

@KayFaraday @EnjuAihara That can't be done unless you expect people to enable JS, but you can encrypt it server side and not store any knowledge of it

@applejack @EnjuAihara but if you encrypt it server side, you can decrypt it server side, right?

@KayFaraday @EnjuAihara Theoretically, yes, if you store the private key. The idea is you don't do that for your own benefit instead of the client trusting you with secrets

@EnjuAihara @applejack would you rather that they be forced to download some local client instead? i mean sure, that's more secure than the web, but way less convenient

@KayFaraday @EnjuAihara Honestly, yes. People are expected to run Python scripts to solve captchas for some sites even on the clearnet. Proof of work token shit. You could make a Python script in just a couple dozen lines that even tech-illiterates can read over and understand is safe that just hashes a key, downloads a URL, and decrypts it with a key and saves it to disk.

@miria @EnjuAihara @applejack relatively speaking, anyway, it's more convenient than downloading some software and configuring it to use the Tor socks proxy or whatever

@KayFaraday @EnjuAihara @applejack Better idea: don't use JavaScript, because every single time someone has been caught using Tor it has been due to JavaScript

@miria @EnjuAihara @applejack and by doxing the owners

subpoenaing coffee shop wifi

it's not just JS compromises

@KayFaraday @EnjuAihara @applejack None of that can deanonymize the user except the coffee shop Wi-Fi which is an OPSEC problem and not related to Tor. JavaScript, on the other hand, can, and has.

@Chizu @applejack @EnjuAihara lol what

JS on an onion does not mean that the client suddenly can't verify the code, that the site operators can't publish the source code, or that the code is automatically doing anything nefarious

if you want a simple zero-knowledge pastebin in onion-space, you have no choice but to use JS

@Chizu @applejack @EnjuAihara a compromised site is… compromised, regardless of JS being sent to the client. Think about it, if they can control what JS the server sends, they can most likely control what the server does, as well.

@Chizu @applejack @EnjuAihara I also have no idea what you mean by it being rendered useless. Tor has a lot of JS fingerprinting resistance, and JS doesn't make it *easy* to deanon someone, just easier. If you don't want JS, just turn it off, but don't spread FUD that will turn people off from using Tor altogether just because they need JS. It's still way better than the alternative.

@KayFaraday @applejack @EnjuAihara But if you are using Tor without JS enabled, you would have to download something from the server for you to get compromised yourself. But it isn't (as far as I know) possible for other languages that sites serve to compromise or profile the client like JS does.

I am pretty sure I saw somewhere that the feds have used this JS attack on a number of cp Tor sites.

@KayFaraday @Chizu @EnjuAihara That's not really the point. Without JS the only method they have of getting info is a few HTTP headers and an obfuscated IP.

@applejack @Chizu @EnjuAihara yeah and what will they get with JS that is actually useful without running a fingerprint database or some such?

@EnjuAihara @Chizu @KayFaraday Well, that defeats the point of it. People already just encrypt zip files and put them on the clearnet.

Game Liberty Mastodon

Mainly gaming/nerd instance for people who value free speech. Everyone is welcome.