18 comments

[ 2.4 ms ] story [ 60.8 ms ] thread
How is this better than symmetric encryption with GnuPG?
The encrypted result of this tool contains all the code necessary to decrypt itself (in a web browser).

I'm not too familiar with GnuPG, so I don't know if that's different.

I'm reminded of those self-decrypting .exe archives that WinZip used to produce back in the day...
Does it claim to be better? The main advantage I can see is simplicity, even non-technical users should be able to figure it out.
Should really highlight the fact that it could be self-hosted [0]. Typing a password and uploading a sensitive file is never a good idea.

[0] https://github.com/louissobel/ppmf

At first sight it seems the encryption is done by client-side javascript, so you don't gain much by hosting it yourself.
If the javascript comes from your computer (because it's embedded in the page you self-host), how could it get compromised?
Nothing is uploaded, it can run offline once the page is loaded.
As soon as my file is readable by javascript it could be sent anywhere by your code. I'm not saying you do, but it could. Therefore this adds an unnecessary risk. I would have to disconnect my machine from the network and clear all the browser storage before reconnecting to even begin to think this was safe.

Just to be clear: I'm not saying it's useless, just that if the file I was encrypting was so important that I needed to encrypt it, doing it in a sandbox that is directly connected to an untrusted third-party wouldn't be a very bright move.

It's all in one html file, so it will work disconnected from the internet. Download or save the page, turn off your internet, open it in a browser, and encrypt with peace of mind (although the javascript could still use off-line storage and then next time you're online on the page access it, I guess).
If a user doesn't trust Dropbox, why would they trust passwordprotectmyfile.com?

I know it claims the file doesn't leave your computer, and that might be true right now, but in five minutes if I visit the page the code could have changed. And it would hardly be user-friendly to ask users to check the minified javascript before using it.

It's the same as using openssl aes-256-cbc -in plaintext -out ciphertext That's as easy and convenient as it can get for me. But it might be helpful if I have to send an encrypted file to someone not able to use openssl or gpg. It's pretty cool to combine an encrypted file with the tools needed to decrypt it :)
I really like this. Especially the self-contained html file you send around afterwards.

You should recommend people to download the html and then save it instead of using the page itself. Maybe make a big download button. Also, remove google analytics from the self-contained version, that way the page should never download/upload anything from the network.