Private Donations
Commet gives supporters ‘profile badges’ for donating and supporting the project. However, we wanted to be sure that donations cannot be tied back to a specific user, so we implemented a system that gives badges without ever knowing the username of the account we are giving a badge to.
Client Reference ID
When you click the ‘Donate’ button in Commet (which you should totally do!), Commet will randomly generate a secret password, as well as a hash of your username.
A hash is a fixed-length string that looks random but is derived deterministically from its input: the same input always gives the same hash, and the input cannot be recovered from the hash.
@user:example.com -> 9d1dac8b2d96143a207a2d1c5b627ad5fd31a9e1d3ae57ef5cb18887d91aa581
This hash is then encrypted using the randomly generated password, and the encrypted hash is passed to our donation page as a ‘Client Reference ID’. When a donation is received, your client reference ID is stored alongside the receipt. Importantly, the secret password is never passed to the checkout page, so all we are able to store is the client reference ID, which without the secret is just a jumbled mess of meaningless numbers.
Since we do not store the password anywhere, it is impossible for us to get a user ID from the transaction. Even if we had the random password, all we would be able to get is the hash, not the original user ID.
Example Client Reference ID:
ed11a232bd1f3c50a4db0907_e63782ec993c1d4a843cdbe8b370c4f4297996c1722d8ecd4325afbc3fb2ce1d4473c3b54a73d8fcc09dc8e589267279
Receiving Badges
When Commet fetches badge data, it briefly reveals your randomly generated password to our service, which can then decrypt the stored client reference ID and recover the hash of your username.
Since we never store your randomly generated password anywhere, we only have access to this hash for the brief period while you request it.
Then we generate and sign a badge containing your hashed username:
{
  "signed": {
    "content": {...},
    "user_id_hash": "9d1dac8b2d96143a207a2d1c5b627ad5fd31a9e1d3ae57ef5cb18887d91aa581"
  },
  "signatures": {
    "8d4f773c": "KcWE9QwARJd0sBUxGnwDV/0o/J0oKuxGTYvtq/u34VjxBk2IJxUr4HpH8PHnip6nYY7mE7cisgBxOrhiVntYDQ"
  }
}
This allows Commet to validate your badge locally on your device: it checks the signature and checks that the hash matches your own user ID, giving you a pretty badge without us ever knowing which account got one.