Synopsis

You may be interested to know how we keep your books secure. This article describes how everything remains connected, but secure.

Overview

Add Rabbit only uses P2P technology for communication because your information is private. But making things P2P only provides a modicum of security. For example, suppose two users, Bob and Alice, want to access the same set of books. If Alice currently has access, she can offer Bob access by sharing her QR code. Bob would scan the QR code on his phone, and Alice would receive a notification that Bob wants access. After she grants Bob access, they both have unfettered access to each other’s records going forward. But what if a hacker came into the equation and figured out Alice’s QR code? If he were able to impersonate Bob, he could download Bob and Alice’s transactions going forward!

To make sure this can’t happen, we use public key security when we connect two users. Here is how it works:

  1. Your QR code is actually your public key. This key is generated when you first create your books (either from scratch or when you clone another set of books). [1]
  2. When Alice shares her QR code (i.e., her public key) with Bob, he can encrypt any request he sends to Alice with her public key and his private key.
  3. When Alice receives a request from Bob, she can decrypt the request by using her private key and Bob’s public key (which she previously approved as an authorized user).
  4. If she is not able to decrypt the message, she can bail on the request.
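The four steps above as an added example, not Add Rabbit's own code. It uses Node's built-in X25519 and ChaCha20-Poly1305 in place of TweetNaCl's box, which pairs the sender's private key with the recipient's public key in the same way; the function names, the approved-key list and the request text are assumptions.

```javascript
const crypto = require("node:crypto");

// Step 1: each user holds one X25519 key pair; the public half is what the QR code carries.
const newUser = () => crypto.generateKeyPairSync("x25519");

// Both ends derive the same key from (own private key, peer's public key).
function sharedKey(myPrivate, theirPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync("sha256", secret, Buffer.alloc(0), "p2p-request-demo", 32));
}

// Step 2: the sender seals a request with the recipient's public key and their own private key.
function sealRequest(text, senderPrivate, recipientPublic) {
  const nonce = crypto.randomBytes(12);
  const key = sharedKey(senderPrivate, recipientPublic);
  const c = crypto.createCipheriv("chacha20-poly1305", key, nonce, { authTagLength: 16 });
  const body = Buffer.concat([c.update(text, "utf8"), c.final()]);
  return { nonce, body, tag: c.getAuthTag() };
}

// Step 3: the recipient opens it with their private key and the sender's public key.
// Returns null if the sender did not hold the matching private key or the message was altered.
function openRequest(msg, recipientPrivate, senderPublic) {
  try {
    const key = sharedKey(recipientPrivate, senderPublic);
    const d = crypto.createDecipheriv("chacha20-poly1305", key, msg.nonce, { authTagLength: 16 });
    d.setAuthTag(msg.tag);
    return Buffer.concat([d.update(msg.body), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Step 4: try only the public keys already approved; bail (null) if none opens the request.
function handleRequest(msg, recipient, approved) {
  for (const [name, publicKey] of Object.entries(approved)) {
    const text = openRequest(msg, recipient.privateKey, publicKey);
    if (text !== null) return { from: name, text };
  }
  return null;
}

// Constructed scenario: Mallory knows Alice's public key (the QR code) but was never approved.
function demo() {
  const alice = newUser(), bob = newUser(), mallory = newUser();
  const approved = { bob: bob.publicKey };
  const send = (who) => sealRequest("list transactions", who.privateKey, alice.publicKey);
  return { fromBob: handleRequest(send(bob), alice, approved),
           fromMallory: handleRequest(send(mallory), alice, approved) };
}
```

Knowing Alice's public key is enough to seal a request to her, but not to have it accepted: `demo()` returns Bob's request in `fromBob` and `null` in `fromMallory`.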

One thing you should be aware of, though, is that your keys are not encrypted when they are stored on disk. This means that if someone has access to your computer, they could copy your public and private keys and impersonate you. We may add encryption of stored keys in the future, but we haven’t prioritized it yet.


  [1] For technical users, we use TweetNaCl for all encryption needs.