This appears to be a neat DLP bypass. The encryption is client side and evades network DLP, even with SSL interception. https://twitter.com/firefox/status/999293897661603841
-
Ah OK. How does that work then? Surely the key is also therefore in the resulting link? Which the server necessarily knows?
-
Here is a link to an explanation of the design. https://twitter.com/lmorchard/status/999406294602797058?s=20 The server does not know the #fragment which is generated client-side. Same mechanism as bookmarks to a heading within a long page.
-
Thanks for the link and the Noddy explanation (which is required for me!). Still seems like the key is included in the link, so anyone who has the link can decrypt?
-
Yes, it's in the link. But the link is generated locally. And the decryption key portion of the URL is never actually sent to the server.
-
Thanks for your clear responses and your patience with my ignorance, hopefully this is also helpful to some others with similar mental capacity to myself.

-
Check https://en.m.wikipedia.org/wiki/Fragment_identifier for more info. "Clients are not supposed to send URI-fragments to servers when they retrieve a document"
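
Added example, not part of the thread: a loopback server records the request target that a standard HTTP client puts on the wire for a link carrying a fragment, which is also all of the URL that the server or a TLS-intercepting proxy gets to inspect. Python's urllib stands in for the browser here as an assumption, and the path, file id and key in `SAMPLE` are constructed placeholders.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed sample link: the file id and the key material are made up.
SAMPLE = "/download/constructed-file-id/#constructed-key-material"


def observe_request(path_and_fragment: str) -> dict:
    """Fetch a link from a loopback server and return what the server saw."""
    seen = {}

    class Recorder(BaseHTTPRequestHandler):
        def do_GET(self):
            # self.path is the request target exactly as it arrived on the wire.
            seen["request_target"] = self.path
            seen["raw_request_line"] = self.requestline
            body = b"ciphertext placeholder"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Recorder)  # port 0: any free port
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    url = f"http://127.0.0.1:{server.server_port}{path_and_fragment}"
    # Empty ProxyHandler: ignore proxy environment variables for loopback.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            resp.read()
    finally:
        worker.join(timeout=5)
        server.server_close()
    # The fragment exists only on the client side of the connection.
    seen["client_only_fragment"] = urlsplit(url).fragment
    return seen


if __name__ == "__main__":
    for name, value in observe_request(SAMPLE).items():
        print(f"{name}: {value}")
```

For monitoring, the consequence is that proxy and server logs for such a link contain the path but never the key, so visibility into the decrypted content has to come from the endpoint.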
