About Raft

  1. About Raft
  2. Security for Social Movements
    1. Authentication attacks
    2. Personal device attacks
    3. Law enforcement requests
  3. Appropriate Technology
    1. Usability
    2. Modularity
    3. Adaptability
  4. Limitations

Raft is a productivity web application for small groups, designed specifically to meet the need of activist groups and civil society for secure collaboration.

Current features:

  • Encrypted personal and group workspaces.
  • File management & collaborative editing.
  • Events (work in progress).
  • More to come.

Security for Social Movements

Raft is designed to address the primary threats faced in the real world by social movement organizations when they use computers to internally collaborate and coordinate.

An organization trying to improve its digital security is faced with a confusing array of recommendations, decisions to make, and concepts to master. It does not need to be this way.

Raft eliminates all the confusion. By simply adopting Raft, your organization also adopts and enforces a very high level of information security. There are no settings to adjust to make your group secure, no best-practices policy to impose on users, and there are few ways that users can accidentally compromise the security of group information.

Authentication attacks

The vast majority of all data breaches can ultimately be traced back to vulnerabilities inherent in password-based logins.

To address this, Raft requires a passkey or security key to log in. Once they are familiar with how passkeys and security keys work, most people find them smoother and faster than password-based authentication. Most importantly, passkeys and security keys eliminate nearly all authentication attacks. For a longer discussion, see authentication.

Personal device attacks

Suppose you have an activist group with 100 members. There is no practical way to run enough security workshops to make the phones and laptops people rely on resistant to targeted malware attacks or to the routine forensic tools used by most law enforcement.

While it is commendable for an individual to spend the time to learn best practices when it comes to personal data security, it does not make sense from a social movement or organizational perspective to store a copy of sensitive information, or information that might be sensitive in the future, on the personal devices of everyone in the organization.

Raft addresses this by storing all data in the cloud and leaving no data footprint on the device used to access the web application.

Law enforcement requests

Recently, large cloud providers such as Google and Microsoft have started to hand over sensitive information on users to US law enforcement without even a court order.

Raft protects against this in two ways:

  1. Open Source: Choose a provider you trust to have your back.
  2. Per-user Encryption at Rest: The provider cannot access almost any of the potentially sensitive stored data. This makes it much less likely that your data will fall into the wrong hands, and it means the provider cannot be forced to turn over data as a result of a court-ordered subpoena. For a longer discussion, see encryption.

Appropriate Technology

Raft is designed to be usable, modular, and adaptable.

Usability

The Raft experience is just like any normal web application, despite the strong data protection.

For example:

  • User keys are automatically and securely managed using a passkey or security key, without the need for any complicated key management or encryption phrases.
  • Although data is stored encrypted in the database, Raft is still able to perform very fast full-text searches, even for very large databases.

Raft is still at a very early stage, and the user interface will continue to improve over time.

Modularity

The Raft “core” handles authentication, searching, and the relationship between users and workspaces. All actual tools, such as file management or calendars, are implemented as optional modules.

It is relatively easy to create a new tool for Raft using the Rails Engine plugin standard.

Adaptability

No application can be all things to all people. The goal with Raft is to allow individuals or small teams to build whatever workflows and tools are appropriate for the community they are working with.

  • Plugins are easy to write: Raft is built using Ruby on Rails, a framework that is particularly well suited for rapid agile development and for small teams to create impressive applications.
  • Plugin data is encrypted: With just a few lines of code, a plugin author can create custom data models that take advantage of Raft’s built-in encryption, without sacrificing speed, scalability, or full-text search functionality.

Limitations

  • Hosted software: Raft is a web application that must be hosted on a server. Like most web applications these days, Raft relies on many dependent services and is not trivial to host.
  • Alpha software: Raft is not yet released for production use.
  • Desktop first: Raft is currently designed primarily to be used on a desktop browser. It does not yet have robust support for small screens (WIP).
  • Online-only: Raft requires an active internet connection and does not have an offline mode.
  • Bugs happen: Data may be compromised if there is a fatal bug in the Raft application code.
  • All software can be modified: A provider can potentially gain access to personal user data if they intentionally modify the Raft application code to add a back door and then wait for the user to log in.