I use a similar system, but only because I know the people who wrote that one. It's nice to see the code, but there's still no guarantee that this is the code that is running on the real site. Now, having the code available makes it possible to run it myself if I'm super-paranoid, which is cool.
Yeah, that's the idea. There are cases where it's preferable to use a third-party service but it's also good to be paranoid. Now we can serve both sides.
For a second, I thought you app is named "Secret Sex Change". Honest mistake until I went to the website which then made it clear as "Secrets exchange"
The problem with that article is that the author assumes that the only purpose for javascript cryptography is so that no middle man can understand the content, not the server itself. Javascript cryptography in this context is a more difficult problem only because you must trust that the code that the authentic source delivers does itself not contain a backdoor to the information.
Being cautious is important but keep in mind that the goal here is to be a replacement for having plaintext, sensitive info in your email history and chat logs.
You raise a good point. I'm not against encryption in the browser as a rule but it does open up a whole new can of worms. Our approach is to be just good enough for most usecases.
Setting up GPG isn't hard but it's also not always the right tool for the job.
It's a lot to ask for someone to copy and paste a GPG encrypted message when you just want to send a private link to a (non-technical) client or when you just don't want something in my facebook message history.
What if a spammer used this? You send out spam emails with a one time link in it (per recipent). The recipient views the spam link sees the spam content and either (a) purchases or (b) spam reports
If they spam report the report tries to view the link but sees it is no longer there.
Not saying specifically with your service, but a spammer could setup something of his own like this and when a link is viewed a second time they could put up a fake this page has been reported for spamming etc.
It's certainly possible but there are solutions to mitigate that style usage. Spam is only profitable in bulk so they'd constantly be hitting our limiters which won't really make it worthwhile.
Also the content in the secrets in served as plain text so that diminishes the quality of the payload too (the recipient would have to copy & paste the URI).
Edit: by the way, Mandatum, not sure why from your few comments but you're hellbanned so they come up dead.
I made a very similar website. Also offers uploading files and encrypting the data you share. It offers a little more flexibility on how you want to secure the content you're sharing.
i have this confused dream that somehow people will implement different cryptographic "elements" as web services and eventually someone will find a way to tie them together into something awesome. i think this could be one; my own (much more pointless) contribution is human-readable timestamps (like taking a photo of yourself and today's newspaper): http://colorlessgreen.net/ (also open-source)
30 comments
[ 2.9 ms ] story [ 68.4 ms ] threadThanks for all the feedback so far; it's made a big a difference for us. Not just with features and bugs but with motivation too.
We have a special free plan for people coming from Hacker News:
https://onetimesecret.com/
So, thanks.
https://github.com/Achiel/SecretSexChange
I do not like storing my passwords etc with a third party.
http://sebsauvage.net/paste/
Of course, it's not SSL, but the source is available online and you could create your own implementation using SSL (as I have).
[1] http://matasano.com/articles/javascript-cryptography/
We've all seen these: http://plaintextoffenders.com/
I use contextual GPG for pastebin all the time.
It's a lot to ask for someone to copy and paste a GPG encrypted message when you just want to send a private link to a (non-technical) client or when you just don't want something in my facebook message history.
If they spam report the report tries to view the link but sees it is no longer there.
Not saying specifically with your service, but a spammer could setup something of his own like this and when a link is viewed a second time they could put up a fake this page has been reported for spamming etc.
Whereas I'm sure this has CAPTCHA or some other protection for generating multiple URL's.
Also the content in the secrets in served as plain text so that diminishes the quality of the payload too (the recipient would have to copy & paste the URI).
Edit: by the way, Mandatum, not sure why from your few comments but you're hellbanned so they come up dead.
https://www.alicetobob.com
You can check out the source code https://github.com/hellonoam/cryptopad though I should probably update the readme with more info.
By the way, I'm getting a warning about your SSL cert in Chrome. Firefox was fine though but it could be b/c of an inconsistent server configuration:
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2...
Also available at https://tmwsd.ws
Yours looks really nice.
If you google "SSL cert" and click Godaddy's ad, you can get one for $13/year (instead of $50+). Namecheap has good deals too.