problem: secure-scuttlebutt has encrypted messages, and lots of indexes. This means that indexes which need to index the contents of those messages need to decrypt that.
in secure-scuttlebutt code, only the links index decrypts anything, but in patchwork, both ssb-backlinks and ssb-query decrypt things on their own. That means for patchwork to build indexes, it spends 3x as much time decrypting as it needs to.
So, having the database respond only with the cyphertext seems like a bad thing, although on the other hand, it does mean that we don't need to worry about the plaintext leaking out. if you want the plaintext, decrypt it! If ssb responded with the decrypted plaintext we (I mean I) would have to think very carefully about what apis are possibly returning plain text to who.
But! it could be worthwhile, for example: if all the indexes worked with encrypted messages: you could privately follow or block someone. You could like something, but keep it to your self (as a bookmark) or to the author of that message only. To implement these features, the frontend would just have to have an option to post those message types encrypted. This will become especially interesting with private groups.
If ssb were to use decrypted messages internally, that would mean we'd have to re-encrypt messages before sending them to remote peers. (or rather, to keep the cyphertext about, and replace the content with it before stringifying) I dislike this approach because all I have to do to leak your private messages is miss something, were as currently with everything private I am not worried about it.
One approach, would be to have a serializer that noticed the message was encrypted, and replaced content before sending. So just never send decrypted messages over the network. internal plugins would have access to decrypted messages, but not peers.
Another approach would be to handle the main replication functions (createHistoryStream
- used by legacy replication, getAtSequence
used by ebt, get
used by ooo) returning decrypted messages would surprise most clients also. probably it should always be opt-in you'd have to set a private:true option, otherwise you get sent the encrypted message.
hmm...