Frequently Asked Questions

mmpowers edited this page Mar 14, 2014 · 7 revisions

What is trsst?

It depends on who you are.

  • For most users, trsst looks like a microblogging social network -- a twitter clone -- where you can follow other people and news feeds.

  • For other users, trsst looks like a stream-style RSS reader with built-in microblog publishing capabilities.

  • And for a few, trsst looks like an extension to the Atom Publishing Protocol where anyone can anonymously create self-signed and/or self-encrypted feeds and entries and publish them to any participating server.

All of these are correct.

How do I get started?

We're working on a purely-in-browser web app/plugin. Until then, you need to download a client app for Mac, Windows, or Linux. A fully-standalone app is the only purely secure solution anyway, as you'll see below.

To create an account: From the "Sign In" menu choose "New Account". Enter a passphrase. Account name, description, and profile pic are completely optional. Now you have an account id that looks like this: 8crfxaHcBWTHuhA8cXfwPc3vfJ3SbsRpJ

Then type in your first message and hit "Send". You've posted your first message!

How do I get noticed?

Your client keeps a copy of all your feeds on your own computer, and also sends a copy to our hub at home.trsst.com/feed.

This means anyone in the world that knows your id can view your posts at https://home.trsst.com/[accountid], or subscribe to your feed at https://home.trsst.com/feed/[accountid].

Examples: https://home.trsst.com/8crfxaHcBWTHuhA8cXfwPc3vfJ3SbsRpJ and https://home.trsst.com/feed/8crfxaHcBWTHuhA8cXfwPc3vfJ3SbsRpJ.

(More technically: If your feed has an xml:base attribute, your client will publish your feed to that server using the atompub protocol. We run such a service at home.trsst.com/feed and by default your feed will get published there unless you tell it otherwise.)

All of your messages get published: the public messages are viewable by anyone, but your private messages are encrypted so only the intended recipient can decrypt them.

Note: for your intended recipient to see your encrypted message, they need to be already subscribing to your feed or they need to know to visit your page directly. (Obviously.)

Why bother?

Everyone is currently living in one or more social silos: facebook, twitter, instagram; even gmail. Your friends in one silo might not be using one of your other silos, so your stuff gets either duplicated or ignored. Moreover, those companies get rights to your updates and photos, they can sell your identity, they can ban your account, your data could go missing, and your private and personal info could be compromised with or without you knowing it.

What used to be the open internet is increasingly a small set of closed corporate-owned silos. This is bad for everybody. If you want to disrupt this status quo -- if this re-opened internet future is going to happen -- this is what it looks like, and this is what it has to look like because we honestly can't imagine any other feasible path to get there.

But for most people, they're just going to want to have their choice of cool apps that let them keep their friends no matter which ones they use. Fortunately -- and perhaps most important of all -- we can do that too.

Can I trust trsst?

First and foremost, the code for the entire stack of components used in the client app is free and open source. Anyone can audit the code, and anyone can build their own app with a single command ("mvn clean install") from https://github.com/TrsstProject/trsst. Each maven dependency is compared against known-good snapshots as part of the build process to protect against dependency attack.

(In terms of license, all components are available under the Apache license except the Java runtime which is available under the GPL with linking exception).

The entire stack runs standalone with no external dependencies aside from your operating system. By default: we don't use your local Java runtime because we embed our own, and we don't use your local web browser because we embed our own. As a result, you can stick the client app on a usb drive and run it on almost any Mac, Windows, or Linux computer.

So: if your client app binaries are signed by someone you trust, or if you build them yourself, you can feel reasonably safe against anyone tampering with your client software, and you can run it just about anywhere.

How is cryptography used?

"Creating an account" is simply the generation of an secp256k1 elliptic curve keypair, and passphrase-protecting it in a standard PKCS12 keystore stored on your local machine.

Your account id is the base-58 encoding of the SHA-256 hash of the SHA-256 hash of your public key. (Yes, this is exactly what bitcoin does, so you can just prefix any account id with a "1" and send BTC to it.)
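Because prefixing an id with "1" is said to give a Bitcoin address, a client can catch a mistyped id before subscribing or encrypting to it. The following is an added example, not trsst's own code; it assumes the standard Bitcoin address layout (Base58Check: version byte 0x00, 20-byte key hash, 4-byte double-SHA-256 checksum), and `makeAccountId` only builds constructed sample ids.

```javascript
const { createHash } = require('node:crypto');

const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const sha256 = (buf) => createHash('sha256').update(buf).digest();

// Base-58 text -> bytes; every leading '1' stands for one leading zero byte.
function base58Decode(text) {
  let n = 0n;
  for (const ch of text) {
    const digit = ALPHABET.indexOf(ch);
    if (digit < 0) throw new Error(`not a base-58 character: ${ch}`);
    n = n * 58n + BigInt(digit);
  }
  let hex = n === 0n ? '' : n.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const zeros = text.length - text.replace(/^1+/, '').length;
  return Buffer.concat([Buffer.alloc(zeros), Buffer.from(hex, 'hex')]);
}

function base58Encode(bytes) {
  let n = BigInt('0x' + (bytes.toString('hex') || '0'));
  let out = '';
  for (; n > 0n; n /= 58n) out = ALPHABET[Number(n % 58n)] + out;
  for (const b of bytes) { if (b !== 0) break; out = '1' + out; }
  return out;
}

// Constructed ids for the demo: version byte 0x00 + 20-byte hash + checksum,
// with the leading '1' dropped as the page describes.
function makeAccountId(hash160) {
  const payload = Buffer.concat([Buffer.from([0]), hash160]);
  const checksum = sha256(sha256(payload)).subarray(0, 4);
  return base58Encode(Buffer.concat([payload, checksum])).slice(1);
}

// Re-attach the '1', decode, and verify the 4-byte double-SHA-256 checksum.
function checkAccountId(id) {
  let raw;
  try { raw = base58Decode('1' + id); } catch (err) { return { ok: false, reason: err.message }; }
  if (raw.length !== 25) return { ok: false, reason: 'decoded length is not 25 bytes' };
  const payload = raw.subarray(0, 21);
  const expected = sha256(sha256(payload)).subarray(0, 4);
  if (!expected.equals(raw.subarray(21))) return { ok: false, reason: 'checksum mismatch' };
  return { ok: true, hash160: payload.subarray(1).toString('hex') };
}
```

A passing check only shows the id is well formed; it says nothing about who holds the matching private key.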

When you create an entry, you create an ECDSA signature using your account private key, and embed it in your entry following the XML-SIG standard. Your "profile info" is stored in your feed header and signed with ECDSA whenever you make a change.

When you post an encrypted entry, you generate a new AES256 key and use it to encrypt the entry, and then encrypt the key using ECDH and the intended recipient's public key. Both the encrypted key and encrypted content are embedded following the XML-ENC standard as the content element of a new entry which is posted to your feed. Any attached binary enclosure is also encrypted with the same AES key and stored separately, named with the RIPEMD160 hash of the encrypted binary.
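The encrypted-entry flow described above, sketched with Node's built-in crypto as an added example (not trsst's code). The page does not say how the ECDH result wraps the AES key or which AES mode is used; the ephemeral sender key, SHA-256 key derivation and AES-256-GCM here are assumptions, and the XML-ENC packaging is left out.

```javascript
const crypto = require('node:crypto');

const CURVE = 'secp256k1'; // the curve the page names for account keys

// Authenticated encryption of one buffer under a 32-byte key (assumed mode: GCM).
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, data, tag: cipher.getAuthTag() };
}

function unseal(key, { iv, data, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the key is wrong or the ciphertext was modified.
  return Buffer.concat([decipher.update(data), decipher.final()]);
}

// Assumed derivation: SHA-256 over the raw ECDH shared secret.
function wrappingKey(ecdh, peerPublicKey) {
  return crypto.createHash('sha256').update(ecdh.computeSecret(peerPublicKey)).digest();
}

function encryptEntry(text, recipientPublicKey) {
  const contentKey = crypto.randomBytes(32); // new AES-256 key for this entry
  const ephemeral = crypto.createECDH(CURVE);
  const ephemeralPublic = ephemeral.generateKeys();
  return {
    ephemeralPublic,
    wrappedKey: seal(wrappingKey(ephemeral, recipientPublicKey), contentKey),
    content: seal(contentKey, Buffer.from(text, 'utf8')),
  };
}

// recipientEcdh: a crypto.ECDH object holding the recipient's private key.
function decryptEntry(entry, recipientEcdh) {
  const kek = wrappingKey(recipientEcdh, entry.ephemeralPublic);
  const contentKey = unseal(kek, entry.wrappedKey);
  return unseal(contentKey, entry.content).toString('utf8');
}
```

Anyone fetching the feed sees only `ephemeralPublic`, the wrapped key and the ciphertext; a subscriber other than the recipient derives a different wrapping key and `unseal` rejects it.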

What if Trsst goes under? Can I host my feeds at any web host?

Yes, your feed belongs to you and you can serve it from anywhere using our software or any similarly modified atompub server.

Moreover, there's really no risk of Trsst-the-protocol "going under" because it's just that: a protocol that anyone can use with a working code base that is already published. If Trsst-the-service we host at trsst.com ever disappears, you will still have your feed, and anyone could easily step in with the software already published and fill that gap.