Looking at the script font (and oversimplifying a bit), letters a-e are all the same glyph as one another, f-j are all the same glyph as one another (but a different one than a-e), and again for k-o, p-t, and u-z. So, when looking at, say, a screenshot of text in the redacted font, you can think of "hello world" as having been written as "fakkk ukpka" (and the glyphs are distinct enough that it's possible to work that out). It's then pretty easy, armed with a fairly simple script and a dictionary of words, to "decode" that; you don't get an unambiguous answer, but you can see that that decodes to
felon|gallo|halon|hello|jello world|zosma
and from that you can look at it and guess that the original text was "hello world" (and not "felon zosma").
Of course, this isn't meant to be a cryptographically secure way of concealing information (and the non-script block version of the font does a good job at that!) but we've kicked around the idea of screenshotting apps after they've had the redact font injected into them, so that people can easily share screenshots of (say) their mail client without having to worry about redacting information, and it'd be nice if deredacting wasn't quite that easy. Obviously the above oversimplifies a bit, but perhaps there could be fewer glyphs? That would clearly make the script slightly less varied, but would stop this from being a problem.
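The glyph-class lookup described in the issue above, as an added example that is not part of the original post or the project's code: it measures which dictionary words stay uniquely recoverable under a given glyph grouping. The word list is constructed, and `ONE_GLYPH` is a hypothetical grouping added for comparison.

```python
from collections import defaultdict

# Glyph classes as the issue describes them (its own simplification).
FIVE_GLYPHS = ["abcde", "fghij", "klmno", "pqrst", "uvwxyz"]
# Hypothetical grouping for comparison: every letter shares one glyph.
ONE_GLYPH = ["abcdefghijklmnopqrstuvwxyz"]

# Constructed sample word list; a real measurement would load a full dictionary.
WORDS = ["felon", "gallo", "halon", "hello", "jello", "world", "zosma",
         "inbox", "reply", "draft", "email", "spam"]


def pattern(text, classes):
    """Replace each letter with the first letter of its glyph class."""
    table = {ch: group[0] for group in classes for ch in group}
    return "".join(table.get(ch, ch) for ch in text.lower())


def build_index(words, classes):
    """Map each glyph pattern to the dictionary words that render to it."""
    index = defaultdict(list)
    for word in words:
        index[pattern(word, classes)].append(word)
    return index


def candidates(rendered, words, classes):
    """Candidate words for each space-separated token of rendered text."""
    index = build_index(words, classes)
    return [sorted(index.get(token, [])) for token in rendered.split()]


def uniquely_recoverable(words, classes):
    """Words whose pattern matches no other word: these leak outright."""
    index = build_index(words, classes)
    return sorted(ws[0] for ws in index.values() if len(ws) == 1)


if __name__ == "__main__":
    rendered = pattern("hello world", FIVE_GLYPHS)
    print(rendered, candidates(rendered, WORDS, FIVE_GLYPHS))
    for name, classes in [("five glyphs", FIVE_GLYPHS), ("one glyph", ONE_GLYPH)]:
        print(name, uniquely_recoverable(WORDS, classes))
```

Even with a single glyph, word length still separates "spam" from the five-letter words in this sample, so a grouping should be judged on a full dictionary rather than on glyph count alone.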
Interesting thought. I'm in favour of fewer glyphs I think, but in the end it's probably still the aesthetics of the font that I'm most concerned about rather than attempting to make it more cryptographically sound. It really was designed as a prototyping tool, nothing more (though I admit it is fun to see people use it in different ways).