    Original author here. Let me know if you have any questions.

      I guess the purpose of this is to stop employers who use TLS MITM systems or who have access to data-at-rest on employee devices from de-anonymizing users. To understand whether this is effective, I’d like to know:

      1. Does Blind use a different encryption key for each user? If not, this system is futile as an employer can just get the global key by signing up themselves.
      2. Does Blind send keys every page-load, or just once to be stored locally? If the key is stored, then it’s accessible to employers with data-at-rest access. An employer with TLS decryption can save the key from when it is first distributed or last sent.
      3. If Blind uses localStorage, does it use the key to encrypt this?