Following on from my thoughts yesterday, where I was longing for a way to do friends-only blog posts on the open web,[1] today I came across StatiCrypt, an open-source utility that lets you encrypt static HTML pages behind a password.
Basically, my thought process went like this: Currently, most Fediverse software is geared around short-form posts. There is software that lets you publish long-form blog posts, but those tend to display in followers’ timelines as a title and a link to the full post… which is not particularly compatible with access control, as it currently stands. And even if long-form posts did display in full, most client apps seriously mangle any formatting, which is also undesirable for a long post that probably does have formatting. So probably, what you really want is for readers to have to click a link to the full post, but also have to go through some kind of authentication process.
A related thought was: well, actually, this blog runs on Hugo, not anything ActivityPub. I would probably prefer to keep all my writing (certainly my long-form writing) unified on a single website – this website – and keep using the Fediverse as more of a supplementary thing. I don’t think you can use StatiCrypt on actual posts processed and managed by Hugo,[2] but you could certainly upload encrypted HTML files to your static/ subdirectory.
StatiCrypt even allows for shareable auto-decrypt links, so if you’re actually okay with a shareable link existing for your post, you could make use of that. Maybe you’d make a followers-only post on Mastodon all like, “Hey, I have a new blog post up about what’s been going on with me lately,” with an auto-decrypt link to your encrypted HTML page. (Better, I guess, if you’re using software like GoToSocial where you could restrict your posts to mutual followers, or Bonfire which lets you define “circles” for sharing content to. But you get what I mean.) Of course you can share links to such posts in any other way you share links too, but be careful how you do it. For example, Google in particular has been known to crawl emails sent to or from Gmail addresses to add them to their search engine. You do not want them to do that with an auto-decrypting link. You also need to consider how much you trust your friends or family (and their friends and family, and so on…) not to just spread links to your post like wildfire.
StatiCrypt also lets you encrypt multiple pages with the same password, so it’s not like you need to give all your friends a new password for each post (unless you want to). You could even have a nice little subdirectory, where all your encrypted posts are listed on an index.html page for easy browsing. StatiCrypt offers a “Remember me” feature so readers don’t have to re-enter the password on every new page they navigate to (and your auto-decrypt links can also be auto-“remember me”). You could just send, say, your mum a link to your most recent protected post and she could catch up on all the others without even being aware there is a password. And you could have multiple subdirectories, with different passwords, for different groups of friends who you want to see different selections of posts (e.g. posts for family, versus posts you really do not want family to see… 😂).
As I understand it, if you want to (or need to) invalidate all existing “remember me” sessions and auto-decrypt links, but keep all passwords the same for readers who actually know them, you could just change the “salt” in the config file that posts have been hashed with, and re-encrypt them. This could halt a “wildfire” situation stemming from an auto-decrypt link in its tracks, although you’d probably want to get to the bottom of how the post broke free of its intended audience in the first place.
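To make the salt trick concrete, here is an added example (a simplified Node.js model, not StatiCrypt's own code). It assumes that a "remember me" entry or auto-decrypt link carries a key derived from the password and the site salt; the iteration count, AES-256-GCM and all function names are choices made for this sketch.

```javascript
// Added example: simplified model, not StatiCrypt's source code.
const crypto = require("node:crypto");

const ITERATIONS = 100000; // assumed work factor for this sketch

// Password + site salt -> 32-byte key. In this model the key (not the
// password) is what a "remember me" entry or an auto-decrypt link carries.
function deriveKey(password, saltHex) {
  return crypto.pbkdf2Sync(password, Buffer.from(saltHex, "hex"), ITERATIONS, 32, "sha256");
}

// AES-256-GCM is used here so that a wrong key fails loudly.
function encryptPage(html, key) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(html, "utf8"), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key does not match the page.
function decryptPage(page, key) {
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", key, page.iv);
    d.setAuthTag(page.tag);
    return Buffer.concat([d.update(page.body), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}

function rotateSaltDemo() {
  const password = "correct horse battery staple"; // constructed sample
  const html = "<p>friends-only post</p>"; // constructed sample
  const oldSalt = crypto.randomBytes(16).toString("hex");
  const newSalt = crypto.randomBytes(16).toString("hex");

  const linkKey = deriveKey(password, oldSalt); // what an old link/session holds
  const before = encryptPage(html, linkKey);
  const after = encryptPage(html, deriveKey(password, newSalt)); // re-encrypted

  return {
    oldLinkBefore: decryptPage(before, linkKey), // works
    oldLinkAfter: decryptPage(after, linkKey), // null: old link is dead
    passwordAfter: decryptPage(after, deriveKey(password, newSalt)), // works
  };
}
```

Anyone who already saved the decrypted HTML keeps it, of course; rotating the salt only stops old links and sessions from opening the re-encrypted copy.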
There are some caveats to StatiCrypt:
- Each page can only be encrypted by a single password. You cannot revoke passwords for individual readers if you decide you don’t trust them any more. You can only re-encrypt the page with a different password, and tell everyone else who you still trust what the new password is. Or, if you’re paranoid, you could upload a separate copy of the page for every single person who you want to read it, each encrypted with a unique password. Then you could just delete the copy of the page for the reader you lost trust in.
- The strength of the encryption will depend on the strength of your password. If you use a simple, easy-to-remember word, it could be easily brute-forced by someone carrying out a dictionary attack. The longer the password the better, and it should really be a random mix of letters, numbers and symbols (like what a password manager would generate for you). Of course this would make reading your posts more annoying for non-tech-savvy readers if you don’t share an auto-decrypting link with them, so I guess you need to weigh up how much you want specific people to read your posts vs what risks there are in sharing an auto-decrypt link. (Auto-decrypt links are still clearly less risky than weak passwords, in my view.)
- In theory, the “remember me” feature could lead to your encrypted posts getting compromised if one of your readers’ browsers gets compromised, because it stores a decryption key in their localStorage. You can set a number of days for the “remember me” status to be forgotten after, but it looks like that only affects anything if the reader actually comes back to your site after that number of days is up (and doesn’t immediately log in again) – the key won’t just auto-delete after the set number of days. So, I guess if you think your posts are so juicy that an attacker might compromise your readers’ browsers just to get at them, disable “remember me”.
Perhaps this post sounds a bit catastrophising, so just remember, even in a closed system like LiveJournal which handled user authentication for you, it was still possible for people to copy-paste or screenshot your posts! Nothing in life is guaranteed. The website itself says:
> Disclaimer if you are an at-risk activist, or have extra sensitive banking data, you should probably use something else!
Like, exercise some judgement about what you post, even in an encrypted HTML page, OK? My goal here was to think of a way to do friends-only posts, not doxx myself for shits and giggles just because “it’s encrypted”. There is absolutely stuff sufficiently private that, if necessary, you should send it to specific friends via an encrypted messaging app, and not just post it on your website under password protection. However, for friends-only posts on the open web, this kind of encryption, with the ability to send auto-decrypt links via more secure channels to your friends (so they don’t actually have to fuck around remembering or storing passwords), seems like a good solution.
[1] I guess this sounds like a strange contradiction in terms. By “open web” I mean “using open protocols, like ActivityPub, or just ordinary individual HTML/CSS/JS websites, not locked in a silo like Facebook”. Obviously not literally “open access to all”.

[2] Well I guess maybe you could, but it’d take a post-build script, and custom metadata on your protected posts to tell Hugo not to link to them or put them in feeds or sitemaps or anything, so it seems complicated…