
kandavel OP wrote

Yes, the data is encrypted using AES, so decrypting is impossible. Please do check the workflow in GitHub. We have made sure it does not only rely on obscurity.
I get this concept of finding out the secret message, but it is not obvious, as we use zero-width characters (completely invisible).
Moreover, it relies on hiding in plain sight, like in WhatsApp, Twitter, Messenger etc. Not even 1 out of 10 would be ready to check your text messages for invisible characters. Even if found, it's impossible to get the secret without the password.

I believe the 'not obvious factor' makes it cool and unique (most steganography tools are based on hiding in image, audio or video files), as this hides the secret in strings which can be shared all over social media without being recognised.

2

another_i wrote

I think the alice-bob-warden disclaimer in the repo README is a fair and accurate concession.

Are you the author of the lib?

2

masque wrote (edited)

Obviously the encrypted message is safe. I only meant that it "relies on security through obscurity" as far as the goal of hiding the fact that you're passing messages is concerned.

Your disclaimer in the README suggests that this is only an issue in the rare circumstance where someone is "actively sniffing your data," but my point is that even in the cases you describe as appropriate uses, you're still relying on people not knowing that you could be hiding secret messages in text.

To give a concrete example: one of the uses that you claim is appropriate is watermarking forum posts (presumably in order to detect plagiarism). But if the person planning on plagiarizing your post is aware of this tool, they can check for extraneous invisible characters and remove them. So you're relying on the adversary just not knowing about this method of hiding information, which is security through obscurity.

EDIT: To more directly address your comment, rather than just the README: You say "Not even 1 out of 10 would be ready to check your text messages for invisible characters," but that's basically saying "security through obscurity is okay in this case because it's very obscure," or possibly "no one cares anyway" (in which case any discussion of security seems kinda pointless, and this is more of a fun game between friends than a serious security tool).

1
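The check masque describes above (looking for extraneous invisible characters in a post and removing them) is easy to automate. The following is an added example, not code from the thread or from the tool's repository; the set of code points, the adjacency heuristic and the sample text are constructed for illustration.

```python
import re
import unicodedata

# Zero-width / invisible code points commonly used by text steganography tools
# (constructed list for this example; extend as needed for your own corpus).
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\u2061\u2062\u2063\u2064\ufeff"
ZW_RUN = re.compile("[" + ZERO_WIDTH + "]+")


def scan(text):
    """Return (offset, run_length, sorted code point names) for each run of zero-width characters."""
    return [
        (m.start(), len(m.group()), sorted({unicodedata.name(c) for c in m.group()}))
        for m in ZW_RUN.finditer(text)
    ]


def is_suspicious(text, offset, length):
    """Heuristic: zero-width characters have no legitimate role between plain ASCII
    characters (or at the message edges). ZWJ/ZWNJ between emoji or inside scripts
    such as Persian or Devanagari are normal and must not be flagged or stripped."""
    before = text[offset - 1] if offset > 0 else ""
    after = text[offset + length] if offset + length < len(text) else ""
    return (before == "" or before.isascii()) and (after == "" or after.isascii())


def strip_suspicious(text):
    """Remove only the runs that is_suspicious() flags, leaving legitimate joiners intact."""
    out, last = [], 0
    for offset, length, _ in scan(text):
        if is_suspicious(text, offset, length):
            out.append(text[last:offset])
            last = offset + length
    out.append(text[last:])
    return "".join(out)


def report(text):
    """Summarise a message: total runs, runs that look like hidden payload, payload length."""
    flagged = [r for r in scan(text) if is_suspicious(text, r[0], r[1])]
    return {"runs": len(scan(text)), "suspicious_runs": len(flagged),
            "hidden_chars": sum(r[1] for r in flagged)}


# Constructed sample: four zero-width characters hidden inside a word, followed by a
# family emoji whose two ZERO WIDTH JOINERs are legitimate and should survive stripping.
SAMPLE = "Meet\u200b\u200c\u200c\u200b at noon \U0001f468\u200d\U0001f469\u200d\U0001f467"

if __name__ == "__main__":
    print(report(SAMPLE))
    print(strip_suspicious(SAMPLE))
```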

kandavel OP wrote (edited)

I get that, and we've discussed the same in the readme file under "Important" (Alice-bob-warden disclaimer). We accept there is a threat model and have documented it in the Readme. I believe it is a small contribution to the field of text steganography, and there is way more to go!

1