More details on how the encryption for server sync works would be helpful for assessing security.
> More details on how the encryption for server sync works would be helpful for assessing security.
Good point - I'll add something more detailed to the README shortly.
For now though, it's fairly simple. Almost all of the information is first serialized with MessagePack, and then encrypted using libsodium's secretbox. This blob is what ends up being POSTed to the server.
The only other information available to the server operator is:
- the username/email address/hashed password of the user
- the UUID of this history item
- the history timestamp (needed for sync at the moment)
- the hash of the machine's hostname (also useful for sync)