I'm keeping an eye on the privacy of @OpenGradient Chat, and it's not just about "they promise not to look at the data". What really concerns me is that moment: when the user finishes the prompt, hits send, and the request just leaves the browser. That's when it's most dangerous. Many leaks don't happen when the model is responding, but while the data is in transit.
Let's lock this down locally first. HPKE does something straightforward: it wraps the prompt in an envelope that only the target enclave can open. The relay sees the package coming, notes the time, and might even guess its size, but it can't see the original message. It prevents snooping at the routing layer. Where it can't hold the line is equally clear: if the target public key is swapped, or if the user connects to a fake entry point, the envelope is sealed for the wrong recipient and the guarantee is gone.
Then we move to OHTTP. The name sounds tough, but it's like tearing a shipping label in half. The relay gets the sender's info but not the content; the gateway forwards it but shouldn't know who originally sent it. The counterintuitive point here is that OpenGradient Chat's privacy doesn't rely on any one layer being clean, but rather on making sure that even if one layer is dirty, it can't piece together the whole picture. If the relay is compromised, the attacker only has the IP, time, and packet length; if the gateway is compromised, they only know there's an encrypted message headed somewhere.
The ciphertext is only opened after entering the TEE. The TEE is a little room with hardware isolation, preventing the host from reading memory or altering execution code. This isn't about "the server claims to be secure"; it's about the enclave providing attestation, proving that the room, code, and execution identity match up. It also has boundaries: if the enclave code has holes or if the external model interface keeps plaintext logs, privacy could leak out the side door.
The most useful aspect of this mechanism is that it breaks down common risks. Operations wanting to see the prompt only touch ciphertext. The relay wanting to pair users with questions only gets half a sheet of paper. For platforms that want you to trust the environment outright, attestation changes "trust me" into "verify me". But I'll still be watching a gray area: if the relay keeps logs of packet lengths and times, the gateway keeps target records, and the external model also logs call times, can those three logs piece together user behavior in a matter of seconds? That's where the real scrutiny should continue for OpenGradient's privacy-friendly initiatives. $OPG #OPG @OpenGradient #opg $OPG
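That gray area can be measured rather than argued about. The following is an added example, not OpenGradient's code: it builds constructed relay-side and model-side logs and counts how many relay entries can be matched to exactly one model call by time and size, first with no mitigations and then with client-side size padding and gateway batching (both assumed mitigations, not something the post describes; the HPKE overhead constant is likewise an assumption).

```python
"""Linkability check for split logs (relay vs. external model), on constructed data."""
from dataclasses import dataclass
import math

HPKE_OVERHEAD = 48  # assumed: 32-byte X25519 encapsulated key + 16-byte AEAD tag

@dataclass(frozen=True)
class RelayEntry:
    ip: str
    t: float        # arrival time at the relay (seconds)
    length: int     # ciphertext size the relay can observe

@dataclass(frozen=True)
class ModelCall:
    t: float        # time the external model interface logged the call
    length: int     # plaintext prompt size in that log

def pad_length(n: int, bucket: int) -> int:
    """Round a prompt size up to the next multiple of `bucket` (client-side padding)."""
    return math.ceil(n / bucket) * bucket

def simulate(prompts, bucket=1, delay=0.05, tick=None):
    """Build both logs from constructed prompts (ip, send time, plaintext bytes).
    bucket: padding granularity before sealing (1 = none).
    tick:   if set, the gateway releases requests only at multiples of `tick` (batching);
            otherwise it forwards each one after a fixed `delay`."""
    relay, calls = [], []
    for ip, t, size in prompts:
        padded = pad_length(size, bucket)
        relay.append(RelayEntry(ip, t, padded + HPKE_OVERHEAD))
        forwarded = math.ceil(t / tick) * tick if tick else t + delay
        calls.append(ModelCall(forwarded, padded))
    return relay, calls

def linkable_fraction(relay, calls, window):
    """Share of relay entries matching exactly one model call within `window`
    seconds whose plaintext size is consistent with the observed ciphertext size."""
    linked = 0
    for r in relay:
        matches = [c for c in calls
                   if 0 <= c.t - r.t <= window
                   and c.length + HPKE_OVERHEAD == r.length]
        linked += len(matches) == 1
    return linked / len(relay)

# Constructed: four users with distinct prompt sizes, all sent within one second.
PROMPTS = [("10.0.0.1", 0.10, 1200), ("10.0.0.2", 0.35, 2048),
           ("10.0.0.3", 0.40, 1210), ("10.0.0.4", 0.90, 2050)]

def compare():
    """Return (naive, hardened) linkability for the constructed prompts."""
    naive = linkable_fraction(*simulate(PROMPTS), window=2.0)
    hardened = linkable_fraction(*simulate(PROMPTS, bucket=1024, tick=1.0), window=2.0)
    return naive, hardened

if __name__ == "__main__":
    print("linkable fraction: naive=%.2f padded+batched=%.2f" % compare())
```

With no mitigation every relay entry pairs with exactly one model call; with 1 KiB padding and one-second batching three of the four become indistinguishable from each other, and the one oversize prompt still stands out, which is exactly the residual risk the logs question points at.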