Then it's still a charade and does not offer security. If you have time to go to this website and encode an emoji, you also have time to encrypt it with AES. If you then want to obscure the ciphertext by encoding it as dummy data inside an emoji, then that's cool, but just the encoding itself offers no protection, just adds one more roll of the dice that maybe if your adversary is incompetent, you will get away with it. That's gambling, not security.
And you don't want to position gambling as security. It is 100% the same bullshit as telling someone that the surefire way to get rich is to buy your shitcoin. The danger isn't towards those that actually have some knowledge, it is towards the masses. And that makes it predatory.
Better to, if you have no experience with implementing, hardening and breaking security processes, to simply not advertise/LARP about security properties of something.
There's no way for the user to know what I might be recording.
Exactly, so now you heard it from 2 people. Which is why a URL to a webapp is generally the wrong thing to share in privacy/security space. The only people that will use it for real are those that have no idea how vulnerable it makes them.
What you want instead is a URL pointing to source code that is mature enough to get reviewed. If you want to demo it, make a screen recording. I understand that in reality that is something that's rather hard to deliver if you've never done it before. It's hard for me and I published my first FOSS code almost 30 years ago, back in 1996, and nowadays maintain multiple codebases with very high security requirements. I would need to spend some real time before I ask for external review, to not waste people's time.
if somebody uses it in a moment of desperation
In times of crisis, making good decisions is a game changer. Making poor decisions and getting lucky is not. If I had to put something in someone's head to remember in a moment of desperation and I had to choose between that url or the openssl enc syntax, I'd 200% go for the latter and hope that in their stress they will never remember about deadspace in emoji encoding. It simply is a bad correlation to make in your head.
not every TSA agent is a genius level super hacker.
They (supposedly) work for an institution that has processes. If you're a real suspect, your phone will get imaged, period. If the agent forgets to follow SOP and you, prime suspect, walk out of there without that, then they are incompetent and should look for another job. Sure, it is very possible that this happens, but it is a gamble.
If you're an honest, hard working human with a good heart, please, don't gamble with yourself like that. You're too precious and rare to put yourself at risk.
Then it's still a charade and does not offer security. If you have time to go to this website and encode an emoji, you also have time to encrypt it with AES. If you then want to obscure the ciphertext by encoding it as dummy data inside an emoji, then that's cool, but just the encoding itself offers no protection, just adds one more roll of the dice that maybe if your adversary is incompetent, you will get away with it. That's gambling, not security.
And you don't want to position gambling as security. It is 100% the same bullshit as telling someone that the surefire way to get rich is to buy your shitcoin. The danger isn't towards those that actually have some knowledge, it is towards the masses. And that makes it predatory.
Better to, if you have no experience with implementing, hardening and breaking security processes, to simply not advertise/LARP about security properties of something.
Exactly, so now you heard it from 2 people. Which is why a URL to a webapp is generally the wrong thing to share in privacy/security space. The only people that will use it for real are those that have no idea how vulnerable it makes them.
What you want instead is a URL pointing to source code that is mature enough to get reviewed. If you want to demo it, make a screen recording. I understand that in reality that is something that's rather hard to deliver if you've never done it before. It's hard for me and I published my first FOSS code almost 30 years ago, back in 1996, and nowadays maintain multiple codebases with very high security requirements. I would need to spend some real time before I ask for external review, to not waste people's time.
In times of crisis, making good decisions is a game changer. Making poor decisions and getting lucky is not. If I had to put something in someone's head to remember in a moment of desperation and I had to choose between that url or the
openssl encsyntax, I'd 200% go for the latter and hope that in their stress they will never remember about deadspace in emoji encoding. It simply is a bad correlation to make in your head.They (supposedly) work for an institution that has processes. If you're a real suspect, your phone will get imaged, period. If the agent forgets to follow SOP and you, prime suspect, walk out of there without that, then they are incompetent and should look for another job. Sure, it is very possible that this happens, but it is a gamble.
If you're an honest, hard working human with a good heart, please, don't gamble with yourself like that. You're too precious and rare to put yourself at risk.