I was thinking about how hard it is to accurately determine whether a screenshot posted online is real or not. I’m thinking there could be an option in the browser to take a “secure screenshot”, which would tag the screenshot with the date, url, and whether the page was modified on your computer. It could then hash both the tag and the image data and automatically upload this hash to some secure server somehow. There would need to be a way to guarantee that only the browser could do this, or at least some way to tell exactly what the source was. I’m not much of a cryptography person, but I would be surprised if it isn’t possible to do this. Then, you could check if the screenshot you see is legitimate by seeing if it’s hash exists in the list of real hashes.
You must log in or register to comment.
You can take any file, run it through a cryptographic hash function, and post the fingerprint on any site with verifiable upload dates to confirm that you had it on that date and that it hasn’t been modified since (without necessarily exposing the file itself).
Proving how the file was created is a whole other can of worms—the obvious solution is to sacrifice control of your software and hardware to some proprietary third-party system that presumably has no stake in the outcome, but that causes more problems than it solves.
the obvious solution is to sacrifice control of your software and hardware to some proprietary third-party system that presumably has no stake in the outcome, but that causes more problems than it solves.
Yes, I can imagine a world in which some company has a system like this, and then could discreetly delete hashes from the database if they see the original image and realize that it shows evidence of something they don’t like.
If it would be used for actual investigative journalism or criminal evidence, its giving that company a lot of power.
The more basic question is, why are you regarding the web browser as the “source” of an image that needs to be verified? Anyone could make a fake website with fake images, in which case the web browser confirming that the screenshots of the site are “real” would be meaningless.
If the web page is (say) photos taken at an event, a better solution would be to have the original photographer post hashes of the photos at the time they’re taken (or have a camera that does this automatically).
That’s why having the URL as part of the hash is important. I’m thinking less for real photos and more for ‘screenshot of a deleted tweet’ sort of things.
What got me thinking about this actually was whether there would be a way to verify which screenshots of the Google search AI are real and which are fake.
If you’re on your own network with your own DNS servers, you can make the real URLs point to your fake site.
But if the connection was over SSL/TLS, you could capture the web packet data before your browser decrypts it—then anyone could re-decrypt a copy of the data with the site’s public key to verify the source.
I’m pretty sure this would just be DRM
This is a very hard problem to solve, and people have tried.
Let’s say you do as you said: hash the data (screenshot, date, etc) and upload it to a trusted server. Nothing can stop me from generating fake data, hashing that and uploading it instead.
Ok, so maybe you decide to add a cryptographic signature to prove that it was the web browser that made this hash, not an unauthorized one. That might work for a while, but the private key needs to be shipped with the browser software, so a sophisticated person could extract that key and then generate fake data. Especially is the browser is open source (like most are).
Alright, what about if we add a special chip on the device that is hard to tamper with and keep the private key on there and do all the signing on that chip. Those do exist somewhat already, but hackers have found ways to break them.
Ok then you move everything to the cloud. Have the entire web browser running on a cloud machine by a trusted authority. Maybe then you can do what you’re discussing, but you’ve also entered a privacy nightmare where everything you’re doing can be monitored in real time.
What would be a better situation (and where I think we’re going eventually with Gen-AI) would be to put the responsibility on the website publisher to provide cryptographic proof of their content. For example, the NYTimes could create a digital signature of a photo and publish it on a blockchain or other trusted tamper-proof ledger as they publish the photo. Then anyone can verify that the photo is from the NYTimes and the date it was created.
Or you have a trusted authority, like archive.org, that scrapes the whole website.
It would actually be convenient to have a screenshot feature that also automatically links to the latest archive of the website
there are situations though where that doesn’t work, such as if this can only be seen on your account, like if you take a screenshot of a DM or something
Without cooperation from whoever owns that service then that’s impossible. Ahh and its also impossible if u have e2ee unless u wanna hand over ur private key to some third party.
There would need to be a way to guarantee that only the browser could do this, or at least some way to tell exactly what the source was.
I don’t think there’s a way to do that. Let’s say browsers implemented this. I could then just take a copy of Firefox source code and make my own version, which is exactly the same than normal FF except the fancy screenshot tool has been slightly modified to allow editing the page before taking the screenshot.
yes, it would need some way to prove the exact software it was made in, and I’m not sure that’s possible
It is that’s essentially what secure boot does with a TPM. The only problem with that is that the device manufacturer gets to decide what software ur device is allowed to run. That’s a very slippery slope leading directly to governments banning software they don’t like eg encryption etc.
