[liberationtech] Trsst: An Open and Secure Alternative to Twitter
Rianna Morgan
rmorgan at trystero.is
Tue Aug 20 15:57:50 PDT 2013
On 08/18/2013 01:47 AM, Edwin Chu wrote:
> I came across this project in kickstarter. Subscribers of this list
> may find it interesting. (Btw I am not associated with them)
>
> --
>
> Welcome to Trsst: An Open and Secure Alternative to Twitter
>
> Post your thoughts, share links, and follow other interesting
> people or web sites, using the web or your mobile or any software
> of your choice.
>
> All of your private posts to individuals or friends and family are
> securely encrypted so that even your hosting provider - or
> government - can't unlock them. All of your public posts are
> digitally signed so you can prove that no one - and no government -
> modified or censored your writings. You control your identity and
> your posts and can move them to another site or hosting provider at
> any time. Think of Trsst as an RSS reader (and writer) that works
> like Twitter but built for the open web. The public stuff stays
> public and search-indexable, and the private stuff is encrypted and
> secured. Only you will hold your keys, so your hosting provider
> can't sell you out.
>
>
> http://www.kickstarter.com/projects/1904431672/trsst-a-distributed-secure-blog-platform-for-the-o/description
>
>
>
>
Today on Twitter I (@arRMorgan) had an extended engagement with the
Trsst (@TrsstProject) developers. In this email, I have included my
questions and the Trsst Team's responses, as well as any follow-up
commentary I had. Hashtags and other such characters have been
eliminated.
Overall, I was very pleased with the speed, clarity, and content of
their responses to my questions.
Cheers,
Rianna Morgan
*************************************************************************
Q1: Will the TrsstProject be Free and Open Source? Are there plans to
open the source at any point?
https://twitter.com/arRMorgan/status/369883363768676352
Trsst: Yes. We're starting with the critical bit - the client - out in
the open in JS w/ off-the-shelf open-source. Needs many eyes.
Trsst: The server will follow because the first cut is kind of
quick-and-dirty code to test the client, and server is dumb anyway.
RM: JavaScript? Rather concerning for me, honestly. Most
#cryptographers I've read seem to think it lends itself to insecurity.
***********************************************************************
Q2: With TrsstProject does all #encryption take place client side? Not
totally clear from white paper.
https://twitter.com/arRMorgan/status/369884124128882688
Trsst: YES. Client-side crypto is what makes it work. Reference impl
is in JS, but we want to see many hardened native clients.
Trsst: We like to say: it's all https get and post, so you can write
your own client with openssl+curl+bash if you trust your binaries
RM: That is freaking awesome though! Client-side is a great way to
make dragnet #surveillance difficult. Very glad to hear that.
**********************************************************************
Q3: In what jurisdiction does @TrsstProject intend for its servers to
be located? https://twitter.com/arRMorgan/status/369886356840783872
Trsst: We're in the US, but doesn't matter given that the servers
don't store anything non-public that isn't encrypted.
Trsst: If your client randomizes which trsst servers you pull from and
post to, then the connection logs won't be useful either.
**********************************************************************
Q4: Will TrsstProject have a function for password retrieval?
https://twitter.com/arRMorgan/status/369892215520112640
Trsst: We never see or hear the password used to encrypt your
keystore, nor do we want to. Probably the weak link wrt consumer UX.
**********************************************************************
Q5: For the record, will @TrsstProject ever have access to users'
secret keys? https://twitter.com/arRMorgan/status/369892369845329921
Trsst: No server -- not ours not anybody -- ever decrypts your
keystore. Only happens inside the client and never leaves your PC.
Trsst: For consumer UX need to figure out how to move a keystore from
one device to another (PC+mobile), but never decrypted.
**********************************************************************
Q6: Can end users run @TrsstProject peers?
https://twitter.com/arRMorgan/status/369893971897495553
Trsst: YES. PLEASE DO. :) A trsst server is just an http server with
agreed upon conventions for accepting and relaying RSS snippets.
RM: That is so dang cool! Seems like y'all really get the what and why
behind a decentralised service.
**********************************************************************
Q7: What licence will you use for the TrsstProject's software?
https://twitter.com/arRMorgan/status/369894066340646912
Trsst: We always lean GPL but people have issues, so #Apache, #MIT,
all/none of the above? Dunno honestly.
RM: FWIW, I'm a big fan of the GPL!
**********************************************************************
Q8: Will 'following' an entity on TrsstProject basically be importing
a GPG public key? https://twitter.com/arRMorgan/status/369897142682267649
Trsst: Each blog's public key is also its unique id, so it's like
subscribing to an rss feed, but you can request from any server
**********************************************************************
Q9: What sort of tasks/needs does TrsstProject have for people who
want to help but cannot afford to donate at this time?
https://twitter.com/arRMorgan/status/369897395959517184
Trsst: We know we can get backers if we can get visibility, so talking us
up everywhere on the internets now is worth its weight in gold
**********************************************************************
Q10: Will cryptocurrency functionality of TrsstProject be pluggable to
support other currencies (e.g. litecoin) or is bitcoin embedded?
https://twitter.com/arRMorgan/status/369900812396285952
Trsst: Honestly the currency stuff seems to be putting people off the
project right now, like they're going to get jailed, etc
Trsst: But that said, the keygen routine could be anything really, as
long as it encoded to a not-too-long string
RM: Yeah, cryptocurrency is under a fair bit of heat now and is just
in its infancy.
RM: Having flexibility wrt which cryptocurrencies can be used will
extend the project's longevity.
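
The design described in Q8 and in the announcement (a feed's public key doubles as its id, posts are signed, and any server may relay them) can be sketched with the openssl command line mentioned in Q2. This is an added example, not code from the post or from the Trsst project; the P-256 keys, the id encoding (SHA-256 of the DER public key), the sample entry and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Trsst code): a feed whose id is derived from its public key.
# Assumed for illustration: P-256 keys, id = SHA-256 of the DER public key.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

new_feed() {      # $1 = directory that receives private.pem / public.pem
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$1/private.pem" 2>/dev/null
  openssl pkey -in "$1/private.pem" -pubout -out "$1/public.pem"
}

feed_id() {       # $1 = public key (PEM); prints the hex feed id
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

sign_entry() {    # $1 = private key, $2 = entry file; writes $2.sig
  openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# Reader side: $1 = feed id the reader follows, $2 = public key as served,
# $3 = entry as served (signature in $3.sig). The server is not trusted.
verify_entry() {
  if [ "$(feed_id "$2")" != "$1" ]; then echo key-mismatch; return 0; fi
  if openssl dgst -sha256 -verify "$2" -signature "$3.sig" "$3" >/dev/null 2>&1
  then echo ok; else echo bad-signature; fi
}

demo() {          # prints the three verdicts separated by spaces
  d=$(mktemp -d "$work/feed.XXXXXX"); mkdir "$d/evil"
  new_feed "$d"; new_feed "$d/evil"
  id=$(feed_id "$d/public.pem")
  printf '<entry><title>hello world</title></entry>\n' > "$d/entry.xml"  # constructed sample
  sign_entry "$d/private.pem" "$d/entry.xml"
  honest=$(verify_entry "$id" "$d/public.pem" "$d/entry.xml")
  # A relay that substitutes its own key is caught by the id check.
  swapped=$(verify_entry "$id" "$d/evil/public.pem" "$d/entry.xml")
  # A relay that edits the entry is caught by the signature check.
  printf '<entry><title>edited</title></entry>\n' > "$d/entry.xml"
  edited=$(verify_entry "$id" "$d/public.pem" "$d/entry.xml")
  echo "$honest $swapped $edited"
}

demo
```

Because the reader checks the served key against the id it already follows before checking the signature, the relaying server needs no trust for integrity; it can still withhold entries, which signing alone does not detect.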