Skip to content
Proof-of-concept of a cryptographic Twitter clone. Each user is a keypair, and all data is signed.
JavaScript CSS HTML
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
client
lib
.gitignore
.snyk
README.md
api.js
app.yaml
dummyData.js
index.yaml
package.json
server.js
yarn.lock

README.md

emblem

PoC for a cryptographic Twitter clone.

What is Is

Emblem was my final project for AP CS. It implements a very limited version of Twitter, where every single aspect of the site is backed with crypto. Every user is represented by a keypair, every post is signed for authenticity, and every action a user can take is verified against this keypair. It is impossible for the owner of the site to make any change, or do anything, on behalf of any user, because each client verifies that all data the server sends is signed by its author.

When a user signs up for the service, they generate an RSA keypair which stays on the client. Then, to make a post or change their profile, they sign that request with the keypair. The server uses this signature to authenticate the change, and also gives the signature out along with the data any time a client requests it. It is impossible for a malicious sysadmin to falsify or modify any content.

Because I had to put this together in like a week and a half, it isn't perfect. There is no kind of protection against the server administrator deleting anything, so the platform can't prevent censorship. There isn't a way to sign in and out of an account short of ripping the keypair from LocalStorage. If you lose your keys, you're hosed. It isn't a production-ready social network, but I think it's a pretty neat proof-of-concept of a zero-trust microblogging platform.

Architecture

It has two main parts -- the server, running on App Engine, and the client, implemented as React SPA. The server talks to the database (Cloud Datastore), storing posts and validating API requests. The client talks to the server over a REST API, using its keypair to authenticate everything.

You can’t perform that action at this time.