No Chat Reports

Plausible deniability

SoniEx2 opened this issue · 4 comments

commented

Idea

Publish the expired signing keys.

Reasoning

https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/

but TL;DR: publishing expired/rotated keys provides what's known as "plausible deniability". in the context of minecraft players, who are generally not politicians btw but who are surprisingly often targeted with spite/revenge, this would provide a stronger level of privacy than that currently offered by mojang.

Other Information

No response

commented

it's about revengeful pieces of shit saving signed logs from ppl they hate so they can publish them at a later date to try and ruin these ppl's lives.

this is, in fact, extremely common. especially with kids on the internet. "oh that kid was slightly too annoying let's save logs and dump them in 20 years to drive them into suicide or whatever." Mojang has provided no safeguards against this, so we should provide them ourselves.

commented

Plausible deniability from or for who?
This sounds like something one would argue against in courts, not when someone got banned and is just contacting Microsoft support (who probably doesn't care or understand this concept).

Additionally, a third party publishing the keys of a first party may cause legal issues, even if players deliberately opt-in.

commented

Signed logs... so the threat model is malicious server owners/admins, rather than players in them?

Okay, but that raises several questions:

  • For harassing/spreading misinformation, do the logs even need to be signed? Aka would anyone care and verify?
  • How would one verify that either way? There should also be a tool for it then, which should be constantly maintained to match different algorithms that different Minecraft versions have.
  • Would this even protect the victim from simple message deletion in between?
  • How would this protect the victim from partially released information (aka missing surrounding context)?

I'd say if this is implemented at all, it could be opt-in and strictly client-sided, so that players who even visit suspicious servers (where the threat model is not the players in it), could achieve the goals on their own.

commented

since other players receive the signed messages (so they can verify them locally) it's not just malicious servers.

having them signed makes it easier to convince others to believe you. you can have harassment without signatures but signatures make it more convincing.

(ofc, unless you create the ability for anyone to forge their own historical logs.)
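
The effect discussed in this thread, as an added example that is not part of the thread and not code from No Chat Reports or Mojang: a saved signed entry is attributable while the private key is secret, and stops being evidence of authorship once the expired key is published. Ed25519, the `[timestamp, text]` entry format and every function name here are assumptions made for the sketch.

```javascript
// Added illustration; not code from No Chat Reports or Mojang.
// Assumptions: Ed25519 keys, a [timestamp, text] entry format, all names.
const crypto = require('node:crypto');

// Bytes covered by the signature (constructed format).
const encode = (e) => Buffer.from(JSON.stringify([e.timestamp, e.text]), 'utf8');

function signEntry(privateKey, entry) {
  return { ...entry, sig: crypto.sign(null, encode(entry), privateKey) };
}

function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// What a third party can conclude from a saved, signed log entry.
// publishedKeys holds fingerprints of keys whose private half is public.
function assess(publicKey, signed, publishedKeys) {
  if (!crypto.verify(null, encode(signed), publicKey, signed.sig)) return 'invalid';
  return publishedKeys.has(fingerprint(publicKey))
    ? 'valid-but-deniable'   // anyone could have produced this signature
    : 'attributable';        // only the key holder could have
}

function demo() {
  const player = crypto.generateKeyPairSync('ed25519');
  const published = new Set();
  const genuine = signEntry(player.privateKey, { timestamp: 1700000000, text: 'gg' });
  const before = assess(player.publicKey, genuine, published);

  // The key expires and its private half is published as PEM.
  const pem = player.privateKey.export({ type: 'pkcs8', format: 'pem' });
  published.add(fingerprint(player.publicKey));

  // Anyone holding the PEM can sign a backdated entry the player never wrote.
  const anyone = crypto.createPrivateKey(pem);
  const fabricated = signEntry(anyone, { timestamp: 1700000001, text: 'never said' });

  return {
    before,
    genuineAfter: assess(player.publicKey, genuine, published),
    fabricatedAfter: assess(player.publicKey, fabricated, published),
    edited: assess(player.publicKey, { ...genuine, text: 'edited' }, published),
  };
}

console.log(demo());
```

The timestamp is inside the signed bytes but is chosen by whoever signs, so it does not distinguish the genuine entry from the fabricated one after publication.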