Discord End-to-End encryption
This script encrypts your messages on the client side before they are sent to a Discord channel. This way, Discord only sees encrypted data and cannot decrypt it without the secret key. Other users also need this script and the secret key to decrypt the data. The script is intended to be used with the tampermonkey or greasemonkey addon on Discord in the browser.
The script works on the DOM of the page: it checks for and modifies elements on the client side before they are sent to the server.
The script is pure JavaScript; no external libraries are loaded.
Tested on Firefox with Greasemonkey and on Chrome with Tampermonkey.
Demo
- You can join this Discord and follow the instructions to add the keys into tampermonkey: https://discord.gg/g9teQ2N
- Add discord-e2e.js to tampermonkey or greasemonkey
- Once the script is installed you should be able to decrypt the data
Send encrypted messages
- Type some text
- Press ENTER, you should see that now the text is encoded in base64
- Press SPACE then ENTER on the keyboard
- Done
Add the tampermonkey script
- Install the addon Tampermonkey for Chrome or Greasemonkey for Firefox
- Open the Dashboard addon
- Click on the button "+" or "Add script"
- Copy-paste the content of the file discord-e2e.js
- Go to Discord and test the demo!
How is the data encrypted?
The data is encrypted with the CryptoKey library using the AES-GCM algorithm. The secret key is generated by window.crypto.subtle.generateKey with a length of 256. Every time you type something in the textarea and press ENTER, the content of the textarea is encrypted, then the value of the textarea is replaced with the encrypted data, encoded in base64. Discord therefore only sees that you are typing, not the content.
Only people with the same key can decrypt the data.
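The encrypt-then-base64 step described above, as an added example that is not taken from discord-e2e.js (the function names are hypothetical). AES-GCM requires that an IV never repeat under the same key, so this sketch draws a fresh 12-byte IV for every message and sends it in front of the ciphertext instead of reading a stored iv value.

```javascript
// Added example, not taken from discord-e2e.js. Function names are hypothetical.
// Works in a browser console; the fallback lets it run under Node 18+ as well.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const IV_LEN = 12;   // 96-bit IV, the recommended size for AES-GCM
const TAG_LEN = 16;  // WebCrypto appends a 128-bit authentication tag by default

const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (text) => Uint8Array.from(atob(text), (c) => c.charCodeAt(0));

// 256-bit AES-GCM key, the same parameters the page gives for generateKey.
function generateChannelKey() {
  return webCrypto.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
}

// Returns base64(iv || ciphertext || tag) with a fresh random IV per message.
async function encryptMessage(key, text) {
  const iv = webCrypto.getRandomValues(new Uint8Array(IV_LEN));
  const sealed = new Uint8Array(await webCrypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(text)));
  const out = new Uint8Array(IV_LEN + sealed.length);
  out.set(iv, 0);
  out.set(sealed, IV_LEN);
  return toB64(out);
}

// Throws when the key is wrong or the message was modified after encryption.
async function decryptMessage(key, b64) {
  const raw = fromB64(b64);
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('message too short');
  const plain = await webCrypto.subtle.decrypt(
    { name: 'AES-GCM', iv: raw.slice(0, IV_LEN) }, key, raw.slice(IV_LEN));
  return new TextDecoder().decode(plain);
}

// Constructed demo: the same text twice gives two different ciphertexts.
async function demo() {
  const key = await generateChannelKey();
  const first = await encryptMessage(key, 'hello channel');
  const second = await encryptMessage(key, 'hello channel');
  return { distinct: first !== second, text: await decryptMessage(key, second) };
}
```

Because the IV travels with each message, only the key has to be shared between users.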
Can I set several keys for multiple channels?
Yes, you can set as many keys as you want. A key is linked to a channel like this:
var keyStorage = [{
    'channel': 'channel/path/',
    'key': 'YOUR_KEY',
    'iv': iv
}]
Does this work for private messages?
Yes, this also works for private messages :)
Where are the keys stored?
There is no good solution for storing sensitive information on the client side. The keys are stored in the tampermonkey script itself. It shouldn't be possible to retrieve the keys directly without access to the computer (or a browser exploit?). If anyone has a better idea, submit an issue or come chat on Discord.
What about attachments?
Currently attachments are not encrypted; if anyone has an idea, I'm curious :)
Generate new key
- Open your browser
- Display the Developer Console: F12 or Ctrl-Shift-I
- Copy-paste the content of generate-key.js
- Copy the key parameter (in blue on the screenshot)
- Open the script in tampermonkey and add the key into the array keyStorage:
var keyStorage = [
    {
        'channel': '/channels/495699373863338003/533030226402476032', // replace with your channel path
        'key': 'YOUR_KEY',
        'iv': new Uint8Array([188, 185, 57, 146, 246, 194, 114, 34, 12, 80, 198, 77])
    },
    {
        'channel': '/channels/495699373863338003/533248362879778818', // another channel
        'key': 'YOUR_KEY_2',
        'iv': new Uint8Array([188, 185, 57, 146, 246, 194, 114, 34, 12, 80, 198, 77])
    }
]
- Add the channel path
- Share the key securely with others
Note: you can set a different key for each channel. If a key is lost, the data cannot be retrieved.
How to prevent someone with the key from reading the messages?
Two solutions:
- If you gave the key to someone but no longer want them to be able to decrypt the data, simply change the key. You will then no longer be able to view the data encrypted with the previous key.
- Remove the user from the Discord channel, simple and efficient
Compatibility
This only works for Discord in the browser (https://discordapp.com) with Chrome or Firefox and the tampermonkey/greasemonkey addon.
Improvement
- Encrypt attachments
- Better key management (any ideas?)
- Check if DOM changed before anything else