Commit

Update README
raxod502 committed Nov 11, 2022
1 parent 210da45 commit 7afd4cc
Showing 1 changed file with 20 additions and 12 deletions.
32 changes: 20 additions & 12 deletions README.md
Expand Up @@ -10,7 +10,8 @@ and is not yet fully functional.
## Usage (for most people)

Install the browser extension from GitHub Releases or from the Chrome
Web Store (link to come) or [Firefox Add-ons
Web Store (not yet available, since the Google review process is
extremely slow) or [Firefox Add-ons
site](https://addons.mozilla.org/en-US/firefox/addon/hypercast/).
Then, open a video on any streaming platform and click the extension
icon in the browser toolbar to create a watch party and copy a link
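Review bot: The new parenthetical on the Chrome Web Store line, "since the Google review process is extremely slow", is an editorial aside that will go stale as soon as the listing is approved. In the Usage section it would be cleaner to say only "not yet available", or to leave the Chrome Web Store out of the list until there is a link, so readers see just the install sources that work today.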
Expand Down Expand Up @@ -81,15 +82,20 @@ is just a simple Node.js app with no external dependencies.
## Privacy statement

The only data that is sent to the Hypercast server is play/pause
events and seek timestamps from each client. I might look at this
information if something goes wrong with the server and I need to fix
it.
events and seek timestamps from each client. Furthermore, all data is
end-to-end encrypted and authenticated using
[AES-GCM](https://www.aes-gcm.com/) as implemented by
[Forge](https://github.com/digitalbazaar/forge), so it is impossible
for the server operator to reconstruct any information about any
client that connects to it, other than how often it communicates with
other clients.

Other information, such as what video you are watching, what sites you
are visiting, and anything that could be used to identify you, is not
even sent to the server, because it is not needed to provide the sole
purpose of Hypercast, which is synchronizing video playback between
different people's browsers.
There is no option to have a user account with Hypercast, and no
database which could store personal information even if such
information were collected.

These claims can be easily validated by inspecting the source code,
which aims to be simple and transparent.

If you have a privacy concern, please email
`[email protected]` and I will do my best to get back to
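Review bot: The added sentence claiming it is "impossible for the server operator to reconstruct any information about any client" overstates what encrypting the message body provides, and the paragraph never says where the AES-GCM key comes from. A server that clients connect to still sees connection-level metadata such as source IP address, message timing and message size, so the exception should cover more than "how often it communicates with other clients". Suggest stating how the session key is shared between clients and that it is never sent to the server, since the end-to-end claim rests entirely on that. The paragraph this hunk drops ("what video you are watching, what sites you are visiting ... is not even sent to the server") was an independent guarantee that does not depend on the encryption being correct; consider keeping it alongside the new text.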
Expand All @@ -108,9 +114,11 @@ accomplished in a few ways:
streaming websites by default. You can temporarily turn it on for
other websites, or you can download an alternative version of the
extension that has more websites enabled by default if you prefer.
* The server is not trusted; the most that an attacker who controls
the server can do is cause your playback position and play/pause
state to change unexpectedly.
* The server is not trusted; even if an attacker fully controls the
server, it is impossible for them to read any data sent by the
extension, or send any data to the extension from their end. The
most that they can do is execute replay attacks to cause actions
from other users to be repeated unexpectedly.
* The code for the client is as simple as possible in order to limit
the possible attack surface.
* I try to exercise good security hygiene for managing both personal
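Review bot: In the rewritten "The server is not trusted" bullet, "impossible for them to ... send any data to the extension from their end" conflicts with the sentence that follows it, because a replayed message is data the server sends to the extension; "forge new messages" would be the accurate wording. The stated worst case is also incomplete: a server that relays traffic can drop, delay or reorder messages as well as replay them. Suggest listing those, and since replay is acknowledged as possible, noting whether a counter or timestamp inside the authenticated payload is planned so that clients can reject stale messages.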