Sealist 作成者: yaspltbr

Sealist 🦭

A browser extension offering seamless E2E encryption for Todoist.
Basically, this cutie seals your tasks and comments only for you to see.

Background

What Todoist Already Does

See Todoist Security Policy.

• All user data is encrypted at rest in their production database.
• Encryption is keyed by a master key held by Todoist.

It stops the stolen-hard-drive attack. What it doesn't stop:

• Master key compromise or misuse.
• A court order or legal compulsion.
• A breach of the live app stack - prod read access means plaintext access,
  employee or attacker alike.
• A future policy change on who gets to read your content.
• Cross-border data-sharing pressures.

The Goal

Move the trust boundary off Todoist's server and onto the user's browser.
Encrypt before task leaves, decrypt on the way back. Todoist's servers see
opaque ciphertext. Plaintext only ever exists inside the browser client while
the extension is Unsealed.

We want to provide a similar model to Mailvelope/FlowCrypt which layer PGP onto
Gmail, but without requiring users setting PGP keys.

We should not make Todoist that much worse to use :p. The crypto should be
conservative and audited. The codebase must be small enough to read. The
shortcomings must be documented honestly.

Non Goals

We are not trying to defeat:

• Malware running on the user's machine with arbitrary access (extension memory,
  screenshots, key loggers).
• A malicious extension installed by the user with the same host_permissions
  reading our injected DOM. Extensions are isolated from each other's
  in-memory state and storage, but not from a malicious extension reading the
  page we both render to.
• A user picking a low-entropy password. We gate on password complexity and
  employ a memory-hard KDF to make the offline attack as expensive as we
  honestly can, but a determined adversary wins against low-entropy passwords if
  one would pass the checks.

License

Copyright (C) 2026 yaspltbr

This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation, either version 3 of the License, or (at your option) any later
version.

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.