by cunthorpe 1818 days ago
I’m always wary of consumer services that specifically target secrecy and encryption. How many of those “lockbox” photo apps are just syphons into the developer’s server?

“We’ll encrypt the file, trust us.”

This message can only come from an already-trusted party. Mozilla had an identical service to this except it was for files (Firefox Send) and that one I could trust.

3 comments

Thanks for the feedback. Appreciate it.

I believe you can earn the necessary trust by being transparent. For this kind of service two things are essential:

- Open source software: Let everyone review your code

- Encryption in the browser. Sensitive information should never leave the browser in plaintext.

I'm considering file transfer - but there are some challenges to meet :)

C.

I don’t think you can do anything to earn my trust personally other than sticking some big brand name in your domain. Anything you say or put on your website still comes from some random server on the web.

I wonder if you could do the encryption entirely in the client so it was verifiably secure.

Front end JavaScript generates a symmetric encryption key that is never shared to the server. User enters message. Message is encrypted with the generated key. You create the scrt sending only the ciphertext to the server which doesn't have the key and so couldn't read the message. You click a button to copy both the link to the scrt and the encryption key. You then share both to your recipient. The recipient visits the link and gets the ciphertext and then copies and pastes in the key to see the message.

If it's all done frontend like this then it should be demonstrably secure and only slightly more complicated for the users.

It is done entirely on the client. You can check the source code. Read more on scrt.link/security.

But if the key is added to the link itself then you could be storing the encrypted string and decrypting it after getting a request for a link that contained the key.

I'm not accusing you of that - just saying there is no way to prove that's not happening.

The part of the URL holding the encryption key is not sent to the server. https://stackoverflow.com/questions/14462218/is-the-url-frag...

Don't take my word for it :) You can check all code that runs in your browser and check all requests made within the network tab.
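
The check discussed above (the key sits after `#`, so look at what actually leaves the browser), as an added example that is not part of the thread or scrt.link's own code. The `/s/<id>` path, `example.test`, the sample key and the captured requests are constructed assumptions.

```javascript
// Added example: all names, paths and sample values here are constructed.

// Hex-encode key bytes so they can be carried in the URL fragment.
function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build a share link with the key after '#'. The '/s/<id>' path is hypothetical.
function buildShareLink(origin, secretId, keyBytes) {
  const url = new URL(`/s/${encodeURIComponent(secretId)}`, origin);
  url.hash = toHex(keyBytes);
  return url.href;
}

// What a browser puts on the HTTP request line: path and query only.
// The fragment is kept by the client (RFC 3986, section 3.5).
function requestTarget(link) {
  const url = new URL(link);
  return url.pathname + url.search;
}

// Scan captured requests (for instance, exported from the network tab) for
// the key text in the URL, headers or body. Returns the offending requests.
function findKeyLeaks(requests, keyText) {
  const needle = keyText.toLowerCase();
  return requests.filter((r) => {
    const headers = Object.values(r.headers || {}).join("\n");
    return [r.url, headers, r.body || ""].some((part) =>
      part.toLowerCase().includes(needle));
  });
}

// Constructed sample data.
const sampleKey = Uint8Array.from({ length: 32 }, (_, i) => (i * 7 + 3) & 0xff);
const keyText = toHex(sampleKey);
const goodLink = buildShareLink("https://example.test", "abc123", sampleKey);
const badLink = `https://example.test/s/abc123?key=${keyText}`; // key in query

const capturedRequests = [
  // Fragment link: the request line carries no key.
  { method: "GET", url: requestTarget(goodLink), headers: { Accept: "application/json" } },
  // Query-string link: the key travels to the server.
  { method: "GET", url: requestTarget(badLink), headers: {} },
  // Page script that reads location.href and posts it: the key leaks via the body.
  { method: "POST", url: "/api/log", headers: {}, body: JSON.stringify({ href: goodLink }) },
];

const leaks = findKeyLeaks(capturedRequests, keyText);
console.log(requestTarget(goodLink), leaks.map((r) => `${r.method} ${r.url.slice(0, 20)}`));
```

The third sample request is why the network-tab check matters: the browser never sends the fragment itself, but script running in the page can read it, so the audit has to cover request bodies and headers as well as URLs.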

Okay, nice! I withdraw my comments.

If I wrote something like this, I'd try to be as transparent as I could be as to who I was, and how you could contact me. Hopefully that would create some small level of trust.

--

As an aside, I know you are trying to be funny, but your username is a tad offensive.

Regarding the name, search Scunthorpe on YouTube