

Yeah, it’s much harder to completely hide the fact you’re using encryption.
Oof 😅 0.59 nanoseconds. I dang messed up. This would be a good project for students to identify the weaknesses. Like ThePrimeagen says, the problem with the tutorials is they’re neatly packaged, refined end products and you miss out on all the learning and debugging. You sound like you know what you’re talking about and the 1-byte block size is a huge mistake. I think I’ll do some more research into the different algorithms. Thanks for having a look, and weighing in.
I hear you, XOR is bad 💀 I should just use the crypto library.
Hey, thanks for the thoughtful breakdown. I probably should label it: warning random IT grad project. I mistakenly believed I could make something that was good; well, it’s a lot more difficult. You’re right that this doesn’t provide the kind of plausible deniability I initially hoped for. The decoys were just a workaround, because I couldn’t find the type of algorithm I wanted.
The query parameters are masked with HTTPS so you’re not revealing any extra data, it would just look like any other redirect if you were packet sniffing. And when visiting the destination links, your normal OPSEC still applies, like changing your DNS, using a VPN, etc. I was just seeing if this project would find some sort of use, but I only spent two days on it and it was a fun learning experience.
Yep, definitely. If you open source when you are a small team or individual, a company will steal your code and, with their massive teams, wipe the floor with you. That is why I like what Plausible Analytics (Google Alternative) is doing, https://plausible.io/blog/open-source-licenses. Their AGPL-3.0 licence scares big tech because by using code with it, you must open source all code using or related to the code you use, and they have the means to enforce that.
Files are a whole other issue. If I was to make a file upload, it would be my site (encrypts & uploads data) -> uploadthing.com -> AWS T3 Buckets -> returns link. Because if it was bad content my site can’t do the decryption without being liable, so for decryption -> open sauce decryption system -> hosted on popular free platforms you can’t block -> decrypts data and hides original file.
Yeah, I appreciate the feedback. I need to do more, so the link isn’t a secret, e.g. any password will decrypt any link to text so if you use the wrong password you get wrong data possibly a different link, that hides if you were wrong or right. Then you only need to share one secret via a separate channel.
Sorry 😂 Thought I exempted the /anon route from headless, VPN and proxy checks but forgot one of the VPN functions, fixed now! The /anon route is not checked. It was unfortunately needed because of a very costly bot attack abusing a service I had.
The cutting edge/novel techniques were what I was looking for, this is really cool. I’ll look into it more.